Question
Is this post on WikiHow a good reference to create a secure login script in PHP and MySQL? In the warnings section, the author(s) emphasizes that the code only can be used with HTTPS. I am not able to use HTTPS, but need to implement a relatively secure login script in PHP and MySQL, and was therefore wondering if the script could be implemented for an HTTP connection as well.
这篇文章在WikiHow上是一个很好的参考,在PHP和MySQL中创建一个安全的登录脚本?在警告部分,作者强调该代码只能与HTTPS一起使用。我无法使用HTTPS,但需要在PHP和MySQL中实现相对安全的登录脚本,因此想知道脚本是否也可以为HTTP连接实现。
Solved
A third party solution is the best solution to create a secure login script in PHP and MySQL. By utilizing a PHP framework (e.g. Symfony, uLogin) or external parties (e.g. Facebook, Google), the need to create an entirely new working login script plus authorization (the Remember-Me functionality) can be avoided. If others have done thorough research and gained experience to create login functionalities, it is much safer and easier to use their work.
第三方解决方案是在PHP和MySQL中创建安全登录脚本的最佳解决方案。通过利用PHP框架(例如Symfony,uLogin)或外部各方(例如Facebook,Google),可以避免创建全新的工作登录脚本和授权(Remember-Me功能)的需要。如果其他人已经进行了彻底的研究并获得了创建登录功能的经验,那么使用他们的工作会更加安全和容易。
2 个解决方案
#1
7
Although you could create a login system yourself, it is strongly recommended to let external parties do it for you.
虽然您可以自己创建登录系统,但强烈建议让外部各方为您执行此操作。
It takes a lot of experience to get it right, and it is so often done wrong.
要想做到这一点需要很多经验,而且往往做错了。
Although the tutorial looks okay to me, there are just so many factors that to consider, and it also seems to be semi-old. PHP 5.5 offers password_hash and password_verify, which I would recommend over what your page suggests.
虽然这个教程看起来不错,但是有很多因素需要考虑,而且它似乎也是半岁的。 PHP 5.5提供了password_hash和password_verify,我推荐你的页面建议。
So if you have to make your own system; consider making use of the above-mentioned functions, if you're restricted to lower php versions, there are backports up to version 5.3.7 available.
所以,如果你必须建立自己的系统;考虑使用上述功能,如果你只限于较低的php版本,则可以使用5.3.7版本的反向端口。
If you don't have to make your own system, make use of external parties (Google, Facebook) to handle the logging in for you, or make use of a framework that has authentication support.
如果您不必制作自己的系统,请使用外部各方(Google,Facebook)为您处理登录,或使用具有身份验证支持的框架。
So in the general gist of it: Don't try to do it yourself, make use of what other people offer which years of experience in it. As it is incredibly difficult to get it right.
因此,在它的一般要点:不要试图自己做,利用其他人提供多年的经验。因为要做到这一点非常困难。
#2
3
This script securely encrypts the user's entered password in their browser and clears the plaintext password field prior to the form's submission, so the password can't be read by any third-party. To that extent, the script can be used safely over HTTP.
此脚本在其浏览器中安全地加密用户输入的密码,并在表单提交之前清除明文密码字段,因此任何第三方都无法读取密码。在这种程度上,脚本可以通过HTTP安全使用。
However, the rest of the form's data - user's name, email address, etc. - is not sent securely, so a third-party (e.g. man in the middle) could identify the user just by reading his/her (non-encrypted) personally-identifiable information being sent by the form. Not only does this leave your users vulnerable, but insecure handling of users data can leave your employer/client open to legal risk in case the data is ever sniffed/hacked/stolen.
但是,表单的其余部分 - 用户的姓名,电子邮件地址等 - 不会安全发送,因此第三方(例如中间的人)只需通过阅读他/她(未加密)即可识别用户表格发送的个人身份信息。这不仅会使您的用户容易受到攻击,而且对用户数据的不安全处理可能会使您的雇主/客户面临法律风险,以防数据遭到嗅探/入侵/被盗。
There's also the real risk that a man-in-the-middle could intercept the transmitted data and modify it undetected before it's received by the server hosting your script. HTTPS/SSL not only protects passwords but also ensures that no data is tampered with.
还有一个真正的风险是,中间人可以拦截传输的数据并在托管脚本的服务器收到之前对其进行修改。 HTTPS / SSL不仅可以保护密码,还可以确保没有数据被篡改。
As Zarthus mentioned, best course of action is to go with a third-party solution, especially if you can't offer HTTPS for yours.
正如Zarthus所说,最好的做法是使用第三方解决方案,特别是如果你不能为你提供HTTPS。
#1
7
Although you could create a login system yourself, it is strongly recommended to let external parties do it for you.
虽然您可以自己创建登录系统,但强烈建议让外部各方为您执行此操作。
It takes a lot of experience to get it right, and it is so often done wrong.
要想做到这一点需要很多经验,而且往往做错了。
Although the tutorial looks okay to me, there are just so many factors that to consider, and it also seems to be semi-old. PHP 5.5 offers password_hash and password_verify, which I would recommend over what your page suggests.
虽然这个教程看起来不错,但是有很多因素需要考虑,而且它似乎也是半岁的。 PHP 5.5提供了password_hash和password_verify,我推荐你的页面建议。
So if you have to make your own system; consider making use of the above-mentioned functions, if you're restricted to lower php versions, there are backports up to version 5.3.7 available.
所以,如果你必须建立自己的系统;考虑使用上述功能,如果你只限于较低的php版本,则可以使用5.3.7版本的反向端口。
If you don't have to make your own system, make use of external parties (Google, Facebook) to handle the logging in for you, or make use of a framework that has authentication support.
如果您不必制作自己的系统,请使用外部各方(Google,Facebook)为您处理登录,或使用具有身份验证支持的框架。
So in the general gist of it: Don't try to do it yourself, make use of what other people offer which years of experience in it. As it is incredibly difficult to get it right.
因此,在它的一般要点:不要试图自己做,利用其他人提供多年的经验。因为要做到这一点非常困难。
#2
3
This script securely encrypts the user's entered password in their browser and clears the plaintext password field prior to the form's submission, so the password can't be read by any third-party. To that extent, the script can be used safely over HTTP.
此脚本在其浏览器中安全地加密用户输入的密码,并在表单提交之前清除明文密码字段,因此任何第三方都无法读取密码。在这种程度上,脚本可以通过HTTP安全使用。
However, the rest of the form's data - user's name, email address, etc. - is not sent securely, so a third-party (e.g. man in the middle) could identify the user just by reading his/her (non-encrypted) personally-identifiable information being sent by the form. Not only does this leave your users vulnerable, but insecure handling of users data can leave your employer/client open to legal risk in case the data is ever sniffed/hacked/stolen.
但是,表单的其余部分 - 用户的姓名,电子邮件地址等 - 不会安全发送,因此第三方(例如中间的人)只需通过阅读他/她(未加密)即可识别用户表格发送的个人身份信息。这不仅会使您的用户容易受到攻击,而且对用户数据的不安全处理可能会使您的雇主/客户面临法律风险,以防数据遭到嗅探/入侵/被盗。
There's also the real risk that a man-in-the-middle could intercept the transmitted data and modify it undetected before it's received by the server hosting your script. HTTPS/SSL not only protects passwords but also ensures that no data is tampered with.
还有一个真正的风险是,中间人可以拦截传输的数据并在托管脚本的服务器收到之前对其进行修改。 HTTPS / SSL不仅可以保护密码,还可以确保没有数据被篡改。
As Zarthus mentioned, best course of action is to go with a third-party solution, especially if you can't offer HTTPS for yours.
正如Zarthus所说,最好的做法是使用第三方解决方案,特别是如果你不能为你提供HTTPS。