I'm building an app that will store some of our clients details, things like usernames / passwords, information that we need to remember and keep secure.
我正在构建一个应用程序,它将存储我们的一些客户详细信息,例如用户名/密码,我们需要记住的信息并保持安全。
What's the best method for storing this information securely?
安全存储此信息的最佳方法是什么?
5 个解决方案
#1
Such an open-ended question with not a lot of detail to go on. I'd suggest reading Chris Shiflett's excellent "Essential PHP Security" before you go any further. It's short, to the point and very practical.
这样一个开放式的问题,没有太多的细节可以继续。在你再继续之前,我建议你阅读Chris Shiflett出色的“Essential PHP Security”。这很简单,非常实用。
There's also a reasonable amount of the advice available from the book's website too at http://phpsecurity.org/
在http://phpsecurity.org/上也可以从该书的网站获得合理数量的建议。
#2
Devlounge have a very good article on security.
Devlounge有一篇关于安全性的非常好的文章。
#3
Using a PHP framework for security
If you want to get PHP security setup quickly without doing a load of research, a PHP framework would be a good idea.
如果您想在不进行大量研究的情况下快速获得PHP安全设置,那么PHP框架将是一个好主意。
I am a fan of CodeIgniter but other options include CakePHP and Zend.
我是CodeIgniter的粉丝,但其他选项包括CakePHP和Zend。
Using a framework for security will mean you get a tried and tested method straight away, however there may be some time and effort needed to learn the framework.
使用安全框架意味着您可以立即获得经过试验和测试的方法,但是学习框架可能需要一些时间和精力。
A total list of PHP frameworks can be found on wikipedia.
可以在*上找到PHP框架的完整列表。
#4
Pretty simple actually. Set up a quick MySQL database, and a user table. In that user table, store the usernames in a column and a hashed version of the password in another column.
其实很简单。设置快速MySQL数据库和用户表。在该用户表中,将用户名存储在列中,并将密码的散列版本存储在另一列中。
As added security, I like to generate a random 8 character string and store that as well in each row - I call that column the "Keycode". When the user signs in with a correct username / password, I store their authentication in session variables AS WELL as the matching "Keycode".
作为增加的安全性,我喜欢生成随机的8个字符串并将其存储在每一行中 - 我将该列称为“Keycode”。当用户使用正确的用户名/密码登录时,我将他们的身份验证存储在会话变量AS WELL中作为匹配的“密钥代码”。
That way, the session authentication can not only look for the right username / password, but quickly query the db, and check to see if the "Keycode" stored in the session variable is the same as the keycode in the row.
这样,会话身份验证不仅可以查找正确的用户名/密码,还可以快速查询数据库,并检查存储在会话变量中的“密钥代码”是否与行中的密钥代码相同。
It works well because not even the user knows their keycode.
它运行良好,因为即使用户不知道他们的密钥代码。
#5
As far as passwords go you should store a hash of the password. Whenever you authenticate the user, you hash their inputted password and compare the result with what you've stored. This way you aren't storing the actual password.
至于密码,你应该存储密码的哈希值。每当您对用户进行身份验证时,您都会对输入的密码进行哈希处理,并将结果与您存储的内容进行比较。这样您就不会存储实际密码。
#1
Such an open-ended question with not a lot of detail to go on. I'd suggest reading Chris Shiflett's excellent "Essential PHP Security" before you go any further. It's short, to the point and very practical.
这样一个开放式的问题,没有太多的细节可以继续。在你再继续之前,我建议你阅读Chris Shiflett出色的“Essential PHP Security”。这很简单,非常实用。
There's also a reasonable amount of the advice available from the book's website too at http://phpsecurity.org/
在http://phpsecurity.org/上也可以从该书的网站获得合理数量的建议。
#2
Devlounge have a very good article on security.
Devlounge有一篇关于安全性的非常好的文章。
#3
Using a PHP framework for security
If you want to get PHP security setup quickly without doing a load of research, a PHP framework would be a good idea.
如果您想在不进行大量研究的情况下快速获得PHP安全设置,那么PHP框架将是一个好主意。
I am a fan of CodeIgniter but other options include CakePHP and Zend.
我是CodeIgniter的粉丝,但其他选项包括CakePHP和Zend。
Using a framework for security will mean you get a tried and tested method straight away, however there may be some time and effort needed to learn the framework.
使用安全框架意味着您可以立即获得经过试验和测试的方法,但是学习框架可能需要一些时间和精力。
A total list of PHP frameworks can be found on wikipedia.
可以在*上找到PHP框架的完整列表。
#4
Pretty simple actually. Set up a quick MySQL database, and a user table. In that user table, store the usernames in a column and a hashed version of the password in another column.
其实很简单。设置快速MySQL数据库和用户表。在该用户表中,将用户名存储在列中,并将密码的散列版本存储在另一列中。
As added security, I like to generate a random 8 character string and store that as well in each row - I call that column the "Keycode". When the user signs in with a correct username / password, I store their authentication in session variables AS WELL as the matching "Keycode".
作为增加的安全性,我喜欢生成随机的8个字符串并将其存储在每一行中 - 我将该列称为“Keycode”。当用户使用正确的用户名/密码登录时,我将他们的身份验证存储在会话变量AS WELL中作为匹配的“密钥代码”。
That way, the session authentication can not only look for the right username / password, but quickly query the db, and check to see if the "Keycode" stored in the session variable is the same as the keycode in the row.
这样,会话身份验证不仅可以查找正确的用户名/密码,还可以快速查询数据库,并检查存储在会话变量中的“密钥代码”是否与行中的密钥代码相同。
It works well because not even the user knows their keycode.
它运行良好,因为即使用户不知道他们的密钥代码。
#5
As far as passwords go you should store a hash of the password. Whenever you authenticate the user, you hash their inputted password and compare the result with what you've stored. This way you aren't storing the actual password.
至于密码,你应该存储密码的哈希值。每当您对用户进行身份验证时,您都会对输入的密码进行哈希处理,并将结果与您存储的内容进行比较。这样您就不会存储实际密码。