自动登录和密码存储
我编写了一个简单的 PHP 脚本来登录我的手机提供商的网站,检查我的余额,如果余额太低,则向我发送电子邮件。我把脚本放在远程服务器上。
看来我必须将密码以明文形式存储在脚本中才能将其发送到登录页面。但是,我有点不愿意这样做......
$user="foo";
$password="blah";
有更安全的方法吗?
I wrote a simple PHP script to log into my mobile phone provider's website, check my balance, and send me an email if it's too low. I put the script on a distant server.
It seems that I have to store my password as plaintext in the script to be able to send it to the login page. However, I am a little bit reluctant to do this...
$user="foo";
$password="blah";
Is there a more secure way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果有人有权访问源,您无法保护能够自动登录的系统。让我们尝试证明一下。
如果您从场景安全的假设开始,这就是矛盾证明。
更新:但是,如果您想让它比纯文本更难,那么可以使用对称密钥。
You cannot secure a system which is capable of logging you in automatically if someone has access to the source. Let's try to prove it.
This is proof by contradiction if you start with the hypothesis that the scenario is secure.
Update: But if you want to just make it harder than plain-text then can use a symmetric key.
有多种方法可以对其进行混淆,但最终,如果有人有权访问该文件,那么这些方法都不比纯文本安全得多,因为您还需要对其进行解码才能登录提供商的网站。
There are ways to obfuscate it, but ultimately none of those are much safer than plaintext if someone has access to the file - since you also need to decode it there to be able to log in on the provider's site.
该脚本能够让您在无人值守的情况下登录到您的提供商。
这意味着控制该脚本的任何人也将具有此功能,可以通过运行该脚本来使用。
你无能为力阻止这种情况发生。唯一的解决方案是要么忍受密码可能被泄露的情况,要么只将脚本放置在您控制的服务器上。
The script has the capability to log you in to your provider unattended.
This means that anyone who controls the script will also have this capability, usable by running the script.
Nothing you can do will prevent this. The only solution is to either live with the potential compromise of your password, or to only place the script on a server you control.
如果你想做得太过分,你可以这样设置:你的密码存储在使用 aes_encrpyt 加密的 mysql 数据库中,然后你在另一台服务器上创建另一个脚本来调用使用您的密码向服务器请求密码,方法是提供与
aes_decrypt
函数一起使用的盐。If you want to go overboard on it you could set it up in such a way that your password is stored in a mysql database encrypted using
aes_encrpyt
and then you create another script on another server that makes calls to the server with your password requesting the password by providing the salt for use with theaes_decrypt
function.