无需数据库存储用户名和密码的最佳方法
我想用 PHP 构建一个简单的单用户登录“库”,但我面临以下困境:如果我不使用数据库,我应该如何存储用户名和密码?
一个简单的纯文本文件可以很容易地读取,然后密码可以很容易地被解密,所以这不是一个选择。
如果我创建一个 php 文件,那么
<?php
$Username= "username";
$Password= "password";
?>
没有人应该能够读取它,我可以简单地将这个文件包含在我需要的地方,但我不确定您是否找不到更好的方法来做到这一点!
那么,您认为解决这个问题的最佳解决方案是什么(以及为什么)?
谢谢
I want to build a simple single user login "library" in PHP, but I'm facing the following dilemma: how should I store username and password if I'm not using a database?
A simple plain text file could be easily read and then the password could be easily decripted so that's not an option.
If I create a php file with just
<?php
$Username= "username";
$Password= "password";
?>
then no one should be able to read it and I could simply include this file where I need it, but I'm not really sure you can't find a better way to do this!
So what's, in your opinion, the best solution to this problem (and why)?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
纯文本文件是一个选项,它是这里最简单的解决方案。只需对密码进行哈希处理(使用 salt)。它不能可靠地解密。
您可以使用 PHP 的
md5或sha1哈希函数。A plain text file is an option, and it's the simplest solution here. Simply hash the password (with salt). It is not reliably decryptable.
You can use PHP's
md5orsha1hash functions for this.您可以将其存储在文件中并使用 SHA1/SHA2 哈希,这样它就无法被解密。
You can store it in a file and use a SHA1/SHA2 hash, that way it can't be decrypted.
如果您需要多个帐户,纯文本文件会比使用 PHP 源文件更容易。我认为您担心人们通过浏览器请求文件?
检查您的网络主机是否具有某种不可公开访问的目录,例如实际网络内容所在的父目录。 PHP 通常能够在那里读写,但无法通过网络访问。
文件权限和/或 .htaccess 文件 (Apache) 可能会帮助您如果没有您可以访问的此类目录。
我建议您使用 crypt 函数来存储密码(哈希),而不是而不是存储简单的密码。这是一个与您存储它们的位置不同的问题:)
If you need multiple accounts, a plain text file would be easier than using a PHP source file. I think you're worried about people requesting the file through their browser though?
Check if your web host has some kind of directory that isn't publically accessible, for example a parent directory of where the actual web content is. PHP will usually be able to read and write there, but it won't be accessible through the web.
File permissions and/or .htaccess files (Apache) may help you if there is no such directory you have access to.
I suggest you use the crypt function to store the password (hash), rather than storing plain passwords. This is a separate issue from where you are storing them though :)
您可以使用带有 哈希 或 crypt 函数。
如果您有很多用户,它很可靠,但不太灵活。
您还可以使用SQLite,它是一个数据库,但不是服务器,它存储在一个简单的文件中。
如果您无法安装 SQL Server,但想要存储大量用户并拥有更大的灵活性,这是一个很好的折衷方案。
根据您想要执行的操作,.htaccess可能是一个很好的解决方案。
它已经很安全,但作为纯文本解决方案,它不灵活。但它几乎内置了所有 Apache 配置。
You can use a plain text file with a hash or crypt function.
It's reliable but not really flexible if you have a lot of users.
You can also use SQLite which is a database but which isn't a server and which is stored in a simple file.
It's a nice compromise if you can't install a SQL server but want to store a lot users and have more flexibility.
Depending on what you want to do, an .htaccess could be a good solution.
It's already secure but as the plain text solution it's not rely flexible. But it's built-in almost all Apache configuration.
如果只有一个用户,那么拥有用户名的目的是什么?
不妨使用 .htaccess 管理权限...
What is the purpose of having a username if there's only ever one user?
Might as well just manage permissions using .htaccess...
(这最初是对 Daniel DiPaolo 的评论,回应 Mokuchan。)
如果您想存储密码(无论位置如何),您可以使用以下方案:
$hashedPassword = $salt 。哈希($盐。$密码);
哈希密码的存储位置应该是安全的。无论是在数据库中还是在具有适当权限设置的文件中。
如果一个文件,您的用户 bob 密码 secret 的“记录”看起来像这样(使用 BCrypt 哈希):
任何人都无法“解密”密码。这就是使用哈希算法的全部意义:它是不可逆的。
您声明:
由于哈希算法是不可逆的,因此这是不可能的。 (没有“解密”选项)
我最好的猜测是,您指的是一个从预先计算的表中查找哈希值的工具,它返回一个有效的输入字符串,可能是您的密码。
这些表称为 彩虹表。它们可以通过 A) 使用随机盐和 B) 使用强大的散列算法(例如 BCrypt 散列或 SHA2 系列散列)来击败。
关于不正确的散列算法:MD5 和 SHA1 被认为是加密损坏的。换句话说:您不应该再使用它们。
有关此问题的讨论,请参阅:https://stackoverflow.com/questions/2768248/is- md5-真的那么糟糕
(This started out as a comment to Daniel DiPaolo, in response to Mokuchan.)
If you want to store a password (no matter the location), you use the following scheme:
$hashedPassword = $salt . hash( $salt . $password);
The storage location of the hashed password should be safe. Be it in a database or in a file with the proper permissions set.
If a file, your 'record' for the user bob with password secret would look something like this (using BCrypt Hash):
There is no way for anyone to 'decrypt' the password. That's the whole point of using a Hashing algorithm: it is non-reversible.
You state that:
As hashing algorithms are non-reversible, this is not possible. (There is no 'decrypt' option)
My best guess is that you are referring to a tool that looked up a hash from a precomputed table and it returned a valid input string, likely to be your password.
These tables are called rainbow tables. They can be defeated by A) using a random salt and B) using a strong hashing algorithm (BCrypt hash or SHA2-family hash for example)
Regarding improper hashing algorithms: MD5 and SHA1 are considered cryptographically broken. In other words: you should not be using them any more.
For a discussion on this, see: https://stackoverflow.com/questions/2768248/is-md5-really-that-bad
所有那些说你可以加密密码的人也是如此。
另外,不要将文件放入文档树中。将文件放在其他地方。您的 PHP 程序应该仍然能够通过指定绝对路径或“..”相对路径来读取它,无论层次结构有多少级别,然后到达文件所在的位置。 (在 Java 应用程序中,有一个 WEB-INF 目录可以方便地存储此类内容。我认为 PHP 中没有类似的东西 —— 我已经有一段时间没有做过任何 PHP 了 —— 但你可以始终将文件完全放在应用程序的目录层次结构之外。)
Ditto to all those saying you can encrypt the password.
Also, don't put the file in the document tree. Put the file somewhere else. Your PHP program should still be able to read it by specifying an absolute path or a relative path that goes ".." however many levels to work up the hierarchy and then to where the file is. (In Java apps, there's a WEB-INF directory that is convenient for storing this sort of stuff. I don't think there's anything like that in PHP -- it's been a while since I've done any PHPing -- but you can always just put the file completely outside your application's directory hierarchy.)
不要重新发明轮子,使用这个 http://pear.php.net/manual/en/package.fileformats.file-passwd.file-passwd-unix.php
Do not reinvent the wheel, use this one http://pear.php.net/manual/en/package.fileformats.file-passwd.file-passwd-unix.php
最好的方法是
$password_hash = hash("sha256", "iamawesome");
// 4aa4029d0d0265c566c934de4f5e0a36496c59c54b6df8a72d9c52bdf0c1a0e8
$user_entered = hash("sha256", $_POST['password']);
返回($user_entered == $password_from_db);
hashin 将保护您的密码。
详细文章:http ://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way
The best way to do is
$password_hash = hash("sha256", "iamawesome");
// 4aa4029d0d0265c566c934de4f5e0a36496c59c54b6df8a72d9c52bdf0c1a0e8
$user_entered = hash("sha256", $_POST['password']);
return ($user_entered == $password_from_db);
hashin will secure your password..
detailed article : http://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way