h开发者_如何学JAVAello i explore that when somebody try to write spaces in password field php handle with it as chatter .so how i can prevent it . pleas i want if try to write space get message say dont try to write space
if (strpos($_POST['password'], ' ') !== false) {
echo "Don't try to write space.";
}
This will do the job:
if (strpos($_POST['password'], ' ') !== false) {
echo "Don't try to write space.";
}
BUT... the arguement that Thai(look above) gave is a good one. You shouldn't restrict the user from being able to use spaces and other characters in their password.
$upass = $_POST['password'];
$usalt = substr(md5(uniqid(rand(), true)),0,7);
$upasshash = sha1(md5($upass).$usalt);
Now store the userinformation in your database. For security reasons please clean the $_POST['username']. Also use trim to clean the fields for unnecessary spaces.
$upass = trim($_POST['password']);
$uname = mysql_real_escape_string(trim($_POST['username']));
//Get the from data.
$usalt = substr(md5(uniqid(rand(), true)),0,7);
$upasshash = sha1(md5($upass).$usalt);
//Salt for extra security (prevent attackers from using rainbow tables)
$sql = " INSERT INTO users (uname, upasshash, usalt)
VALUES ('$uname', '$upasshash', '$usalt');";
mysql_query($sql);
An advantage is that you do nmot create overhead in your database on the password field.
The $upasshash
is allways 40 characters long.
UPDATE: This is a way to login the user.
$mysqlcon = dbconnect();
$sql = "SELECT * FROM users WHERE uname = '$unamein';";
$result = mysql_query($sql);
if(mysql_num_rows($result) == 1){ //Does the user exists and is it only 1 user?
//Yes 1 match exacly
$fetch = mysql_fetch_assoc($result);
if(sha1(md5($upassin).$fetch['usalt']) == $fetch['upasshash']){ //Are the password hashes equal?
//Yes the hashes are equal
$_SESSION['check'] = true;
$_SESSION['uid'] = $fetch['uid'];
$_SESSION['uname'] = $fetch['uname'];
$message = 'Login succeded!';
}else{
//NO the hashes ar not equal
$message = 'Wrong password and/or username.';
}
mysql_close($mysqlcon);
}else{
// USER doest exist.
$message = 'Wrong password and/or username.';
}
For security reasons, please do not tell them which field they filled in incorrectly.
You could also add a check in JavaScript to improve user experience (faster response time than doing a server round trip). In case you go for this route, don't rely on it exclusively since a user could have JavaScript disabled and also add a check in PHP.
<html>
<head>
<title>JavaScript Form Validation</title>
<script type='text/javascript'>
function validate() {
var pass = document.myForm.passwd.value;
for (var i = 0; i < pass.length; i++) {
if (pass.charAt(i) == ' ') {
alert("Please don't use spaces in the password");
document.myForm.login.disabled = true;
return;
}
}
document.myForm.login.disabled = false;
}
</script>
</head>
<body>
<form method='post' name='myForm'>
<input type='password' name='passwd' id='passwd' onblur='validate()'/>
<input type='submit' name='login' id='login'/>
</form>
</body>
</html>
精彩评论