This article walks through the PHP practice topics of filtering, validation, escaping and password handling. Readers who need this material can use it as a reference; the details follow.
One. Filtering, validation and escaping
1). Do not trust any data from a source that you do not directly control, including but not limited to:
$_GET
$_POST
$_REQUEST
$_COOKIE
$argv
php://stdin
php://input
file_get_contents()
Remote databases
Remote APIs
Data from the client
2). Solution: filter the input. Remove unsafe characters; data must be filtered before it reaches the application's storage layer. Data that needs filtering includes, but is not limited to, HTML, SQL queries and user profile information.
HTML: use the htmlentities() function to convert HTML into the corresponding entities. This function escapes the characters that make up HTML markup so that the value can be stored and rendered safely. The correct usage is htmlentities($input, ENT_QUOTES, 'UTF-8'). Alternatively, use HTML Purifier; its disadvantage is that it is slow.
SQL queries: sometimes you have to build SQL queries from your data. In that case, pass the external data through PDO prepared statements instead of concatenating it into the query string.
User profile information: use filter_var() and filter_input() to filter user profile information.
3). Validate the data: filter_var() can also be used for validation; on success it returns the validated value, on failure it returns false. This function cannot validate every kind of data, however, so you can also use a validation component such as Aura/Filter or Symfony/Validator.
4). Escape output: you can still use the htmlentities() function, and some template engines have their own escaping facilities.
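The following is an added example, not code from the original article, showing the three steps above (validate with filter_var(), bind through a PDO prepared statement, escape with htmlentities() on output) on one constructed input record. It uses an in-memory SQLite database so that it runs stand-alone; the users table and the helper e() are assumptions of the example.

```php
<?php
// Added example (not from the original article): validate, then store through a
// prepared statement, then escape at output time. In-memory SQLite keeps it self-contained.
declare(strict_types=1);

// Constructed sample input, as it might arrive in $_POST. The <script> tag and the
// single quote in the name are the characters the filters must neutralise.
$input = [
    'email' => 'xiao@hello.world',
    'name'  => "Xiao <script>alert('x')</script> O'Brien",
];

// 1. Validate: filter_var() returns the validated value, or false on failure.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new RuntimeException('Invalid email');
}
$name = trim($input['name']);
if ($name === '' || mb_strlen($name) > 100) {
    throw new RuntimeException('Name must be 1-100 characters');
}

// 2. SQL: never interpolate external data into the query string; bind it through a
//    PDO prepared statement so the database receives it as data, not as SQL.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (email, name) VALUES (:email, :name)');
$stmt->execute([':email' => $email, ':name' => $name]);

$stmt = $pdo->prepare('SELECT name FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$storedName = $stmt->fetchColumn();

// 3. Escape on output: convert HTML-significant characters to entities at the moment
//    the value is written into the page. ENT_QUOTES covers both ' and ", so a value
//    placed inside an attribute cannot break out of it.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

echo '<p>Welcome, ' . e($storedName) . '</p>' . PHP_EOL;
```

The stored value keeps the raw name; only the rendered output is escaped. Escaping at storage time would double-encode the value the next time it is displayed, which is why the escaping step sits at the output boundary.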
Two. Passwords
1). Never know the user's password.
2). Never constrain the user's password; only enforce a minimum length.
3). Never send a user's password by e-mail. Instead, send a password-change link containing a token that authenticates the user.
4). Use bcrypt to compute the hash of the user's password. Encryption and hashing are not the same thing: encryption is a bidirectional algorithm, so encrypted data can be decrypted, whereas a hash is a one-way algorithm, the hashed data cannot be recovered, and hashing the same data always produces the same value. Store the bcrypt hash of the password in the database.
5). Use the password hashing API to simplify computing and verifying password hashes. The general flow for registering a user is as follows:
POST /register.php HTTP/1.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded

email=xiao@hello.world&password=nihao

Here is the PHP file that accepts this request:

<?php
try {
    // Validate the e-mail address; filter_input() returns false when it is invalid
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (!$email) {
        throw new Exception('Invalid email');
    }
    $password = filter_input(INPUT_POST, 'password');
    if (!$password || mb_strlen($password) < 8) {
        throw new Exception('Password must contain 8+ characters');
    }
    // Create the password hash. The cost value is missing from the article's listing;
    // 12 is assumed here (the login flow below rehashes at 15).
    $passwordHash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    if ($passwordHash === false) {
        throw new Exception('Password hash failed');
    }
    // Create the user account; this part is fictitious code
    $user = new User();
    $user->email = $email;
    $user->password_hash = $passwordHash;
    $user->save();
    header('HTTP/1.1 302 Redirect');
    header('Location: /login.php');
} catch (Exception $e) {
    header('HTTP/1.1 400 Bad Request');
    echo $e->getMessage();
}
6). Tune the third argument of password_hash() (the cost) to the specific computing power of the machine. Computing a hash should generally take 0.1s-0.5s.
7). Store the password hash in a database column of type varchar(255).
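An added example, not from the original article, of how to choose the cost value from point 6 on the machine that will run the code: it times password_hash() at increasing bcrypt costs and keeps the highest cost that stays within a target duration. The 0.25s target is an assumed midpoint of the 0.1s-0.5s range above, and findBcryptCost() is a name chosen for this example.

```php
<?php
// Added example (not from the original article): benchmark bcrypt cost values and
// pick the largest one that hashes within the target time on this machine.
declare(strict_types=1);

function findBcryptCost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 31): int
{
    // bcrypt accepts costs 4-31; each step doubles the work, so start at a sane floor.
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
        if ($elapsed > $targetSeconds) {
            break;          // this cost is already too slow; keep the previous one
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = findBcryptCost();
printf("Use ['cost' => %d] with password_hash() on this machine\n", $cost);

// The same cost is used when hashing at registration and, at login, when deciding
// whether a stored hash made under an older policy should be recomputed.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost]));      // hash matches current policy
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost + 1]));  // policy raised, rehash required
```

Run the benchmark on the production hardware, not a developer laptop, and repeat it when the hardware is upgraded; because the cost is recorded inside each bcrypt hash, password_needs_rehash() lets existing users be migrated to the new cost transparently at their next login.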
8). The general flow for logging in a user:
POST /login.php HTTP/1.1
Content-Length: 43
Content-Type: application/x-www-form-urlencoded

email=xiao@hello.world&password=nihao

<?php
session_start();
try {
    $email = filter_input(INPUT_POST, 'email');
    $password = filter_input(INPUT_POST, 'password');
    $user = User::findByEmail($email);
    // Reject an unknown address the same way as a wrong password
    if (!$user || password_verify($password, $user->password_hash) === false) {
        throw new Exception('Invalid password');
    }
    // Recompute the password hash if necessary
    $currentHashAlgorithm = PASSWORD_DEFAULT;
    $currentHashOptions = array('cost' => 15);
    $passwordNeedsRehash = password_needs_rehash(
        $user->password_hash,
        $currentHashAlgorithm,
        $currentHashOptions
    );
    if ($passwordNeedsRehash === true) {
        $user->password_hash = password_hash(
            $password,
            $currentHashAlgorithm,
            $currentHashOptions
        );
        $user->save();
    }
    $_SESSION['user_logged_in'] = 'yes';
    $_SESSION['user_email'] = $email;
    header('HTTP/1.1 302 Redirect');
    header('Location: /user-profile.php');
} catch (Exception $e) {
    header('HTTP/1.1 401 Unauthorized');
    echo $e->getMessage();
}

9). The password hashing API is not available before PHP 5.5.0; for older versions the ircmaxell/password-compat component is recommended.