PHP code to encrypt client input data and decrypt it on the server side


Keywords: server side, decrypt, data, input, code, encrypt, client, PHP      Updated: 2023-09-26

I want to encrypt the password and confirm-password fields on the client side; after they travel over some network and reach the server side, they should be decrypted back to their original form.

Below is the code of the JavaScript file (enc.js) I wrote, which encrypts the data on the client side. I am unable to decrypt it on the server side.

$(document).ready(function()
{ $("#login_submit").click ( 
        function()
        {
            // MD5 is a one-way digest, not encryption: there is no key, so the
            // server can only re-hash or compare, never recover the password.
            var password=$("#password").val();
            var pass=CryptoJS.MD5(password).toString();
            // Per-page-load salt that register.php renders into the hidden #salt field.
            var q=$("#salt").val();
            var encp = CryptoJS.MD5(q + pass).toString();
            // Hash the confirm field the same way, so the server compares like with like.
            var cnf = CryptoJS.MD5(q + CryptoJS.MD5($("#cnpwd").val()).toString()).toString();
            // .val() sets the value that is actually submitted; .attr('value') only
            // changes the default attribute and may not affect a field the user edited.
            $("#password").val(encp);
            $("#cnpwd").val(cnf);
        });
}); 

The code above works fine, but I need some help decrypting, on the server side, the data that was encrypted on the client side with CryptoJS.MD5().

Below is the code of the client-side web page (register.php)

<?PHP
session_start();
session_regenerate_id(true);
if(!isset($_SESSION['user']))
{
header("location:../login/log.php");
}
else if(($_SESSION['user']) != "admin")
{
echo "<br><br>";
header( "refresh:3; url=nopage.php" );
echo "<center>Access Denied</center>";
echo "<center><a href='nopage.php'>Back</a></center>";
}
else
{
require_once("./include/membersite_config.php");
include_once "../validation/Validator.php"; 
require("../connection123.php");   
// The validator must exist before valHeader() is called on it below;
// the original only instantiated $v further down the page.
$v = new Validator();
// SERVER_PROTOCOL holds "HTTP/1.1" for both http and https, so it never
// contains "https"; the HTTPS server variable is what signals TLS.
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host     = $_SERVER['HTTP_HOST'];
$script   = $_SERVER['SCRIPT_NAME'];
$params   = $_SERVER['QUERY_STRING'];
$currentUrl = $protocol . '://' . $host . $script . '?' . $params;
$head=$v->valHeader($currentUrl);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<meta http-equiv="Cache-Control" content="no-store"/>
<meta http-equiv="Cache-Control" content="must-revalidate"/>
<meta http-equiv="Cache-Control" content="private"/>
<meta http-equiv="Cache-Control" content="pre-check=0"/>
<meta http-equiv="Cache-Control" content="post-check=0"/>
<meta http-equiv="Cache-Control" content="max-stale=0"/>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Expires" content="Mon, 26 Jul 1997 05:00:00 GMT"/>
<link rel="STYLESHEET" type="text/css" href="style/fg_membersite.css" />
<script type='text/javascript' src='scripts/gen_validatorv31.js'></script>
<link rel="STYLESHEET" type="text/css" href="style/pwdwidget.css" />
<script src="scripts/pwdwidget.js" type="text/javascript"></script> 
<script type="text/javascript">
window.history.forward();
       function noBack(){window.history.forward()}
       noBack();
       window.onload=noBack;
       window.onpageshow=function(evt){if(evt.persisted)noBack()}
       window.onunload=function(){void(0)}
</script>
<script type="text/javascript" language="javascript" src="../js/jquery-1.8.3.js"></script>
<script type="text/javascript" language="javascript" src="../js/jquery_md5.js"></script>
<script type="text/javascript" language="javascript" src="../js/md5.js"></script>
<script type="text/javascript" language="javascript" src="../js/enc.js"></script>
</head>
<body bgcolor="#FFFFCC">
<?php
$current_url = $_SERVER['REMOTE_ADDR'].$_SERVER['PHP_SELF'];
$v=new validator();
error_reporting(0);
$url=$_SERVER['HTTP_REFERER'];
$headerAdd=$v->valHeader($url);
// Random per-page-load salt that the hidden #salt field hands to enc.js.
$salt = substr(md5(uniqid(rand(), true)), 0, 32);
?>
<div align="left">
<table width="1214" border="0">
<tr>
<td width="867"><a href='login-home.php'>Back</a></td>
<?php
// make a random id
$_SESSION["token"] = md5(uniqid(mt_rand(), true));
echo '<td width="331"><a href="logout.php?csrf=' . $_SESSION["token"] .    '">Logout</a></td>';
?>
</tr>
</table>
</div>
<?php
$token= md5(uniqid());
$_SESSION['delete_customer_token']= $token;
session_write_close();
?>
<br /><br />
<!-- Form Code Start -->
<div id='fg_membersite'>
<form id='register' name='register' action='afterregister.php' method='post'  accept-charset='UTF-8'>
<fieldset >
<legend>Register New Account Here</legend>
<div class='short_explanation'>* Required fields</div>
<div><span class='error'><?php echo $fgmembersite->GetErrorMessage(); ?>
</span></div>
<div class='container'>
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="hidden" name="registeracct" value="Register Account" />
<label for='name' >Your Full Name*: </label><br/>
<input type='text' name='name' id='name' value='' maxlength="30" autocomplete="off" /><br/>
<span id='register_name_errorloc' class='error'></span>
</div>
<div class='container'>
<label for='username' >UserName*:</label><br/>
<input type='text' name='username' id='username' value='' maxlength="30"   autocomplete="off"/><span style='color:#FF0000'>[Only letters without space]</span>
<input id="salt" type="hidden" name="salt" maxlength="50" value="<?php echo htmlspecialchars($salt); ?>"/>
<br/>
<span id='register_username_errorloc' class='error'></span>
</div>
<div class='container' style='height:80px;'>
<label for='email' >Email id*:</label><br/>
<input type='text' name='email' id='email' value='' maxlength="300"  autocomplete="off"/><br/>
<label for='password' >Password*:</label><br/>
<div class='pwdwidgetdiv' id='thepwddiv' ></div>
<noscript>
<input type='password' name='password' id='password' maxlength="30" autocomplete="off" />
</noscript>    
<div id='register_password_errorloc' class='error' style='clear:both'></div>
<label for='cnpwd' >Confirm Password*:</label><br/>
<div class='pwdwidgetdiv' id='cnfpwddiv' ></div>
<noscript>
<input type='password' name='cnpwd' id='cnpwd' maxlength="30" autocomplete="off" />
</noscript>    
<div id='register_cnpwd_errorloc' class='error' style='clear:both'></div> 
<br/>
</div><br/>
<br/>
<br/>
<br/>
<div class='container'>
<input type="submit" id="login_submit" name="Submit" value="Submit" />
</div>
</fieldset>
</form>
<script type='text/javascript'>
// <![CDATA[
var pwdwidget = new PasswordWidget('thepwddiv','password');
pwdwidget.MakePWDWidget();
var pwdwidget = new PasswordWidget('cnfpwddiv','cnpwd');
pwdwidget.enableGenerate = false;
pwdwidget.MakePWDWidget();
var frmvalidator  = new Validator("register");
frmvalidator.EnableOnPageErrorDisplay();
frmvalidator.EnableMsgsTogether();
frmvalidator.addValidation("name","req","Please provide your name");
frmvalidator.addValidation("username","req","Please provide a username");
frmvalidator.addValidation("email","req","Please provide a email-id");
frmvalidator.addValidation("password","req","Please provide a password");
frmvalidator.addValidation("cnpwd","req","Please re-enter password");
// ]]>
</script>
</body>
</html>
<?php
} 
?>

Below is the code of the server side (afterregister.php)

<?php
session_start();
session_regenerate_id(true);
$s_id=session_id();//PHPSESSID
error_reporting(0);
require("../connection123.php");
include_once "../validation/Validator.php";
include_once "../validation/val.php";
$v=new Validator();
if(mysqli_connect_errno())
{
echo "Connection Failed: " . mysqli_connect_errno();
  exit();
}
$array=array('token','registeracct','name','username','salt','email','password','cnpwd','Submit');
$n=$v->array_equal($_POST,$array);
if($n!=0){
         $redirect="../nopage.php";
    die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
  }
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers the client can
    // set to anything; only REMOTE_ADDR is filled in by the server. Whichever is
    // chosen, it must be validated (the original only validated the last branch).
    $ip="";
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {   //check ip from share internet
        $ip1 = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {   //to check ip is pass from proxy
        $ip1 = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip1 = $_SERVER['REMOTE_ADDR'];
    }
    if(filter_var($ip1,FILTER_VALIDATE_IP)){
        $ip=$ip1;
    }else{
        header("location:../nopage.php");
        exit();
    }
    $formname="";
    if(isset($_POST['registeracct']))
    {
       $formname= $_POST['registeracct'];
    }
    $token = $_SESSION['delete_customer_token'];
    unset($_SESSION['delete_customer_token']);
    session_write_close();
    //echo $formname;
    $stmt = $mysqli -> prepare("SELECT logindt FROM tblaudit ORDER BY logindt DESC LIMIT 1");
        $stmt-> execute();
        $stmt->store_result();
        $stmt-> bind_result($result1);
        $login="";
       if($stmt->fetch())
       {
         $login=$result1;
       }
//echo $login;
    //echo $ip;
    $name1=$v->validateSQLInjectionlogin($_POST['name']);
    $name2=$v->xss_protect($name1);
    $name=$v->validf_name($name2);
    //echo $name;
/** if($name==""){
        $redirect="../nopage.php";
        die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
    }**/
    $name1=$v->validateSQLInjectionlogin($_POST['username']);
    $usernamee=$v->xss_protect($name1);
    $username=$v->validf_name($usernamee);
    //echo $username;
    $salt1=$v->validateSQLInjectionlogin($_POST['salt']);
    $salt=$v->xss_protect($salt1);
    $email="";
    if(isset($_POST['email']))
    {
    $email= $_POST['email'];
    }
    //echo $email;          
    $name1=$v->validateSQLInjection($_POST['password']);
    $password=$v->xss_protect($name1);
    // When enc.js has run, $password is already md5($salt . md5($plaintext)), a
    // 32-character lowercase hex digest. It cannot be reversed here; the server
    // can only hash it again (as below) or compare it.
    //$pass=md5($salt . md5($password));
    $pass=md5($password);
    //echo $pass;
    $cnfpwd1=$v->validateSQLInjection($_POST['cnpwd']);
    $cnfpwd=$v->xss_protect($cnfpwd1);
    //echo $cnfpwd;
    $no='no';
    $confirmcode = 'y';
    $stmt1 = $mysqli -> prepare("SELECT distinct username FROM users WHERE username=?");
    $stmt1->bind_param("s", $username);
    $stmt1->execute();
    $stmt1->store_result();
    $stmt1-> bind_result($result2);

    $stmt5 = $mysqli -> prepare("SELECT distinct email FROM users WHERE  email=?");
    $stmt5->bind_param("s", $email);
    $stmt5-> execute();
    $stmt5->store_result();
    $stmt5->bind_result($result3);
    /** if($formname=="" or $name=="" or $username=="" or $salt=="" or $password=="" or $cnfpwd=="" )
    {
         $redirect="../nopage.php";
         die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
    }**/
// Strict, constant-time comparison; the original used a loose == against an unchecked POST value.
if ($token && isset($_POST['token']) && hash_equals($token, (string)$_POST['token'])) 
{
    if($stmt1->fetch()) 
    {
      echo "<br><br>";
      echo "<center>Username already exists. Please provide a unique username</center>";
      echo "<center><a href='register.php'>Back</a></center>";
      $stmt1->close();
    } 
    else if (strlen($username) < 5 OR strlen($username) > 20) 
    {
      echo "<br><br>";
      echo "<center>Username should be within 5-20 characters long.</center>";
      echo "<center><a href='register.php'>Back</a></center>";
    }
    elseif(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i", $email))
    {
      echo "<br><br>";
      echo "<center>Enter a valid Email-id.</center>";
      echo "<center><a href='register.php'>Back</a></center>";
    }
    elseif($stmt5->fetch())
    {
      echo "<br><br>";
      echo "<center>Email-id already exists. Please provide a unique email-id</center>";
      echo "<center><a href='register.php'>Back</a></center>";
      $stmt5->close();
    }
    // Backslashes restored in the regex. Note that once enc.js has run, $password
    // is a lowercase hex digest, so the uppercase-letter requirement fails for
    // every submission.
    else if (!preg_match('/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[0-9a-zA-Z]{8,}$/', $password))
    {
      echo "<br><br>";
      echo "<center>Password should contain minimum 8 characters, atleast an uppercase letter, a lowercase letter and a number.</center>";
      echo "<center><a href='register.php'>Back</a></center>";
    }
    else if($password != $cnfpwd)
    {
              echo "<br><br>";
              echo "<center>Confirm password not matched!</center>";
              echo "<center><a href='register.php'>Back</a></center>";
    }
    else
    {
        $stmt2 = $mysqli->prepare("insert into users(name,username,email,password,confirmcode,locked) values(?,?,?,?,?,?)");
        $stmt2->bind_param('ssssss',$name,$username,$email,$pass,$confirmcode,$no);
        $stmt2->execute();

        $stmt3=$mysqli->prepare("insert into session(id,username,salt,session_id) values(?,?,?,?)");
        $stmt3->bind_param('ssss',$ip,$username,$salt,$s_id);
        $stmt3->execute();
        // create the audit trail
        //$stmt4 = $mysqli->prepare("insert into tblaudit (uID,editor,formname,whenpost,ip) values(?,?,?,NOW(),?)");
        //$stmt4->bind_param('ssss',$userid,$editor,$formname,$ip);
        //$stmt4->execute();

        $stmt4=$mysqli->prepare("update tblaudit set formname=?, whenpost= NOW() where logindt=?");
        $stmt4->bind_param('ss',$formname,$login);
        $stmt4->execute();

        include "thank-you-regd.html";

        $stmt2->close();
        $stmt3->close();
        $stmt4->close();
        $mysqli->close();

    }
}
else
{
   echo "unable to register a new account";
}
?>

Understanding SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and integral.

However, you can create your own (useless) encryption, but I recommend you use SSL.

Encryption types: https://support.microsoft.com/en-us/kb/246071

  • Symmetric encryption: symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both the sender and the recipient know the secret key, they can encrypt and …

  • Asymmetric encryption: here there are two related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

Asymmetric and symmetric encryption together make up SSL encryption for communication from client to server.

It is strongly recommended that you do not try to reinvent the wheel and use SSL. Any encryption you write on the client side is easily broken, because JavaScript is readable.


Hashing vs Encryption

MD5 (message-digest algorithm) is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications and is also commonly used to verify data integrity.

Hashing and encryption are completely different terms. Hashing is one-way, and there may be several alternative inputs that match. Encryption is reversible with a key. Read more: http://www.securityinnovationeurope.com/blog/whats-the-difference-between-hashing-and-encrypting


Understanding JavaScript

JavaScript is a high-level, dynamic, untyped and interpreted programming language. It has been standardized in the ECMAScript language specification.

JavaScript is not designed to manage security. JavaScript is mainly used for DOM (Document Object Model) manipulation and some other related operations. It does, however, have some capabilities outside the scope of the DOM.

Unfortunately, client-side JavaScript source is wide open for everyone to see and inspect. You just right-click "View source…" or use Firebug or other tools.

Moreover, every insecure HTTP request (over http rather than https = SSL) is sent as a readable, unencrypted string and can be monitored from other devices on the network.

Both of the above mean that you really should not MD5 your user + pass in client-side JS before sending it to the server, because it does not matter: the user can view your JS source and work out your salt and how the string to be hashed is arranged. So it makes no real difference if you send user + pass without any encryption.

To make encryption easy, I suggest you buy an SSL plan from your hosting company (e.g. GoDaddy) and make sure they install it for you. Then it is just a matter of navigating to your site over https.