
php - Is this a secure method, ugh

coder 2024-04-25 (original post)

    public function login($username, $password)
    {
        // The salt is fetched in a separate query, keyed by username.
        $salt = $this->get_salt($username);

        if (is_null($salt)) {
            return FALSE;
        }

        // Single, non-iterated SHA-1 over site key, password and salt.
        $password = sha1(SITE_KEY . $password . $salt);

        // The hash comparison is done by the database in the WHERE clause.
        $sth = $this->db->prepare("SELECT id, username, active FROM user WHERE username = ? AND password = ?");
        $sth->setFetchMode(PDO::FETCH_OBJ);
        $sth->execute(array($username, $password));

        // Returns the fetched row object (id, username, active) on success.
        if (($result = $sth->fetch()) !== FALSE) {
            return $result;
        }

        return FALSE;
    }

This is what worries me:

I did not misunderstand the login method. I just don't think it should return that object. I may be wrong and what you are doing is perfectly fine, but I doubt it. You are returning the full user object from the database, password and all, to a potentially insecure script. Someone could potentially create a new file and then do something like var_dump($userObject); and have all that information

Also, I just find it unintuitive to return a "magic" property from something. It's just another one of those things that is not verified before being used. If you were to move that to a separate method in your auth class and have it return the value of "active" you could run any verification you needed to without your login.php script being any the wiser.

: Looked at it again, and while you would already need to know the login information if you were to abuse that object in that way. It is still better, in my opinion, to separate it in case there is some sort of leak. Not saying I know how someone would be able to do it. Just think of it as one less potential loophole.

I don't pretend to understand how malicious users would do something. I just know that making it easier for them to do so doesn't seem wise. Maybe there isn't anything wrong with it, I'm not a security expert. I'm just poking at things that, if I were to write it, I would change because they seem hazardous to me. If you truly wish to know if it is dangerous or not, I'd suggest submitting that example to the regular stackoverflow community to see what they say.

Does what he says make sense? The method will be used in a page controller I own:

$user = $auth->login($username, $password);

if ($user) {
    // do some additional checks... set session variables
}

Best answer

No, the code you provided is not secure.

First, you are using a simple, non-iterated hash. See this answer and this blog post for information on why.

Second, why are you storing the salt separately? The salt must be unique per record for this to work properly. So the logical place to put it is right next to the password. In this case you are doing two queries instead of one (assuming the salt is not derived from the username and is truly random). If it is not random, it should be. See this post for more information...

Third, you are exposed to a timing attack against the password hash, because the database is not using a timing-safe comparison. See this article and this article for more information.

Don't do it yourself. It is really hard to do this securely. Use a library. You can use PHPASS or PHP-PasswordLib...

Edit: to your friend's comments:

I did not misunderstand the login method. I just don't think it should return that object. I may be wrong and what you are doing is perfectly fine, but I doubt it. You are returning the full user object from the database, password and all, to a potentially insecure script. Someone could potentially create a new file and then do something like var_dump($userObject); and have all that information

That is a valid point. But at that point, if the user can inject var_dump($userObject), he can just as well run $this->db->prepare("SELECT * FROM user"); and get all of your users' data, not just his own. So while it is worth pointing out, it is not worth trying to protect against. Unless you get really nasty and put all of it into stored procedures in the database and restrict read access to the table (so you cannot SELECT from the user table at all). But by then you would need to redesign the whole application from the ground up, because you could never get any user information except through an SP. That is hard to get right (complexity is the enemy of security).

Finally, I think you can better defend against script injection in the first place. Especially if you don't have a professional admin to do the ridiculous amount of work needed to protect your server from that kind of attack (chroot jails for the PHP processes, etc.).

Also, I just find it unintuitive to return a "magic" property from something. It's just another one of those things that is not verified before being used. If you were to move that to a separate method in your auth class and have it return the value of "active" you could run any verification you needed to without your login.php script being any the wiser.

What magic property? Are you using those items directly? Or are you using them to populate a user object (which then knows what to do with the data)...? From that snippet, I don't see the problem your friend points out...

: Looked at it again, and while you would already need to know the login information if you were to abuse that object in that way. It is still better, in my opinion, to separate it in case there is some sort of leak. Not saying I know how someone would be able to do it. Just think of it as one less potential loophole.

Actually, because of the timing attack identified above, you would only need to know a valid username...

I don't pretend to understand how malicious users would do something. I just know that making it easier for them to do so doesn't seem wise. Maybe there isn't anything wrong with it, I'm not a security expert. I'm just poking at things that, if I were to write it, I would change because they seem hazardous to me. If you truly wish to know if it is dangerous or not, I'd suggest submitting that example to the regular stackoverflow community to see what they say.

Overall that is good advice. Just remember that complexity is the enemy of security. So if making it harder adds a lot of complexity, the chance of adding a new vulnerability goes way up (e.g. the timing attack that was introduced). I err on the side of simplicity. I have well-tested libraries that handle the complex parts (like password hashing), but the code I write is simple.

Consider the strongest encryption algorithm: the One Time Pad. The algorithm is extremely simple:

encrypted = plaintext XOR key

But without the key it is impossible to decrypt. So the security of the algorithm really lies in the secret, not in the algorithm. That is what you want. The algorithm should be public, and the security should not depend on it being kept secret. Otherwise it is security through obscurity. That gives you a warm fuzzy feeling until you get breached...
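An added example, not the questioner's code and not taken from either library the answer recommends: the same login flow rebuilt on PHP's built-in password_hash()/password_verify() API (PHP 5.5 and later). It covers the three points in the answer: an iterated algorithm (bcrypt by default) instead of a single SHA-1, a random per-record salt that lives inside the stored hash string rather than in a separate column and query, and a constant-time comparison done in PHP instead of by the database's WHERE clause. It also returns only the fields the controller needs, which is what the friend's first comment was about. The Auth class, the in-memory SQLite table, the dummy-hash trick for unknown usernames and the two sample users are assumptions constructed for the example; it needs the pdo_sqlite extension to run.

```php
<?php
// Added example (not the questioner's code). Assumes PHP >= 5.5 with PDO and
// the pdo_sqlite driver; the table and sample users below are constructed here.

final class Auth
{
    /** @var PDO */
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Registration: password_hash() generates a random per-record salt and an
    // iterated algorithm (bcrypt by default) and stores both inside the hash
    // string, so there is no separate salt column and no second query.
    public function register($username, $password, $active = 1)
    {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $sth = $this->db->prepare(
            'INSERT INTO user (username, password_hash, active) VALUES (?, ?, ?)'
        );
        $sth->execute(array($username, $hash, (int) $active));
    }

    // Login: fetch by username only, then verify in PHP. password_verify()
    // compares in constant time, so the database never compares hashes and the
    // response time does not depend on how many bytes of the hash match.
    // Returns a small array without the hash, or false.
    public function login($username, $password)
    {
        $sth = $this->db->prepare(
            'SELECT id, username, password_hash, active FROM user WHERE username = ?'
        );
        $sth->execute(array($username));
        $row = $sth->fetch(PDO::FETCH_ASSOC);

        // Unknown username: still run a bcrypt verification against a dummy
        // hash so the "no such user" path costs about as much as a wrong
        // password and does not confirm which usernames exist.
        $hash = $row ? $row['password_hash'] : self::dummyHash();

        $ok = password_verify($password, $hash);
        if (!$row || !$ok) {
            return false;
        }

        // Re-hash transparently if the default cost or algorithm has changed
        // since this hash was stored.
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            $upd = $this->db->prepare('UPDATE user SET password_hash = ? WHERE id = ?');
            $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $row['id']));
        }

        // Only what the controller needs; the hash never leaves this method.
        return array(
            'id'       => (int) $row['id'],
            'username' => $row['username'],
            'active'   => (bool) $row['active'],
        );
    }

    // Hypothetical helper: one dummy hash per process, computed on first use.
    private static function dummyHash()
    {
        static $hash = null;
        if ($hash === null) {
            $hash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        }
        return $hash;
    }
}

// --- constructed sample data and a usage run ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    active INTEGER NOT NULL DEFAULT 1
)');

$auth = new Auth($db);
$auth->register('alice', 'correct horse battery staple');
$auth->register('bob', 'hunter2', 0);

var_dump($auth->login('alice', 'correct horse battery staple')); // right password
var_dump($auth->login('alice', 'wrong password'));               // wrong password
var_dump($auth->login('nobody', 'anything'));                    // unknown user, same bcrypt cost
$bob = $auth->login('bob', 'hunter2');                           // inactive account
var_dump($bob['active']);                                         // the controller decides what to do
```

Run it as `php login.php`. Note that the controller still receives an `active` flag and decides what to do with it, as in the questioner's snippet; the point of the example is that the decision about which columns leave the auth layer is made in one place, and that no hash ever reaches the page script.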

Regarding php - Is this a secure method, ugh, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/10557440/
