php Codeigniter:如何在将表单提交给控制器之前加密密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12157970/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Codeigniter: How can i encrypt password before submitting the form to the controller?
提问by Kanishka Panamaldeniya
I have a simple htmllogin form
我有一个简单的html登录表单
<form method="post" action="http://www.example.com/login">
<input type="text" name="text_box" />
<input type="password" name="pass_word" />
<input type="submit" name="submit">
</form>
when I submit the form and in the controller
当我提交表单并在控制器中时
public function login(){
$pass_word = $this->input->post('pass_word');
die($pass_word);
}
The problem here, it shows the plain password, if I type 123456in controller , I get 123456.
这里的问题,它显示了普通密码,如果我输入123456controller ,我会得到123456.
- Is this a security issue?
- Can any one get my password through a network monitoring tool like
wireshark?
- 这是安全问题吗?
- 任何人都可以通过网络监控工具获取我的密码
wireshark吗?
how to avoid this? Can I encrypt the password in view , before send to the controller? Please help , thanks in advance.
如何避免这种情况?在发送到控制器之前,我可以加密视图中的密码吗?请帮助,提前致谢。
回答by jleft
If your post data (password etc.) was intercepted, then it would just be visible as plaintext. Using SSL/HTTPS will provide encryption for the data that you send. I wouldn't rely on client-side JavaScript or anything similar for the purposes for authenticating / logging in a user. It's likely to give your users more confidence too, seeing that a secure connection is being used.
如果您的帖子数据(密码等)被拦截,那么它只会以纯文本形式显示。使用 SSL/HTTPS 将为您发送的数据提供加密。我不会依赖客户端 JavaScript 或任何类似的东西来验证/登录用户。看到正在使用安全连接,它也可能让您的用户更有信心。
First, I'd just read up about SSL and HTTPS in general, as well as SSL certificates - Wiki, Google and SO would all be be good places to look, there's loads of information out there.
首先,我只是一般地阅读了 SSL 和 HTTPS 以及 SSL 证书 - Wiki、Google 和 SO 都是不错的查看地点,那里有大量信息。
For using SSL/HTTPS with CI, I found these useful:
对于在 CI 中使用 SSL/HTTPS,我发现这些很有用:
- http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/
- http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/
- How can I have CodeIgniter load specific pages using SSL?
- http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/
- http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/
- 如何让 CodeIgniter 使用 SSL 加载特定页面?
In particular the force ssl function from Nigel's post:
特别是Nigel 帖子中的 force ssl 函数:
Create a file in application/helper called ssl_helper.php
在 application/helper 中创建一个名为 ssl_helper.php 的文件
if (!function_exists('force_ssl'))
{
function force_ssl()
{
$CI =& get_instance();
$CI->config->config['base_url'] =
str_replace('http://', 'https://',
$CI->config->config['base_url']);
if ($_SERVER['SERVER_PORT'] != 443)
{
redirect($CI->uri->uri_string());
}
}
}
function remove_ssl()
{
$CI =& get_instance();
$CI->config->config['base_url'] =
str_replace('https://', 'http://',
$CI->config->config['base_url']);
if ($_SERVER['SERVER_PORT'] != 80)
{
redirect($CI->uri->uri_string());
}
}
Load the helper, then in the constructor for any controller that requires ssl, simply insert:
force_ssl();In every controller that you don't want to have ssl put:
if (function_exists('force_ssl')) remove_ssl();
加载助手,然后在任何需要 ssl 的控制器的构造函数中,只需插入:
force_ssl();在您不想让 ssl 放置的每个控制器中:
if (function_exists('force_ssl')) remove_ssl();
This is a programmatic approach, another way would be to use .htaccess (if you're using Apache).
这是一种编程方法,另一种方法是使用 .htaccess(如果您使用的是 Apache)。
回答by Chris
Yes, it's definitely a security issue. Like you say, anyone with Wireshark (or similar) has the potential to intercept it.
是的,这绝对是一个安全问题。就像你说的,任何拥有 Wireshark(或类似)的人都有可能拦截它。
This probably isn't something you want to rely on JavaScript for. Generally you'd use something like SSL/HTTPS, there's a blog post (a little old) detailing how to go about it with CodeIgniter, however it's pretty common so you might be able to find a more recent tutorial with a bit of Googling.
这可能不是您想要依赖 JavaScript 的东西。通常,您会使用 SSL/HTTPS 之类的东西,有一篇博客文章(有点旧)详细介绍了如何使用 CodeIgniter 进行操作,但是它很常见,因此您可以通过一些谷歌搜索找到更新的教程。
http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/.
http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/ .
UPDATE: Lefter's answer provides more detail and is correct, please view it as well/instead
更新:Lefter 的回答提供了更多详细信息并且是正确的,请查看/改为
回答by Chirag Rafaliya
$password = sha1($this->input->post('password'));
or
$hash= $this->input->post('password');
$password= $this->encrypt->sha1($hash);
you can use md5instead of sha1but sha1is more securethen md5... and both md5 & sha1are non-decodable
你可以使用MD5代替SHA-1 ,但SHA1更安全,然后MD5......无一不MD5和SHA1是不可解码
回答by Kabir Hossain
There is a more easy way to user https.
有一种更简单的方法来使用 https。
I put following lines in ./application/config/config.php file and it works perfectly:
我将以下几行放在 ./application/config/config.php 文件中,它运行良好:
$protocol = ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) ? 'https' : 'http';
$config['base_url'] = $protocol.'://www.yoursite.com';
回答by prakashchhetri
Go through http://codeigniter.com/user_guide/libraries/encryption.html. Everything about the encryption and decryption is described here.
浏览http://codeigniter.com/user_guide/libraries/encryption.html。这里描述了有关加密和解密的所有内容。
Performs the data encryption and returns it as a string. Example:
执行数据加密并将其作为字符串返回。例子:
$pass_word = $this->encrypt->encode(input->post('pass_word'));
Decrypts an encoded string. Example:
解密一个编码的字符串。例子:
$encrypted_pass_word = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';
$plaintext_pass_word = $this->encrypt->decode($encrypted_pass_word);
You can optionally pass your encryption key via the second parameter if you don't want to use the one in your config file. Go through the link to read the detail explanation about it.
如果您不想在配置文件中使用加密密钥,您可以选择通过第二个参数传递您的加密密钥。通过链接阅读有关它的详细说明。
