问题
I have a login system which is an html form and I need to send the username and password back to the php backend where I can there securely encrypt it and store it in a database. I was wondering what the most up to date and secure method of doing this is. Bearing in mind that this is the barebones string form of the password it is very important to be vigilant of the most secure way of passing it back. I know that $_GET and $_POST are extremely unsecure. Do I encrypt the data in javascript before it is sent back to the server hence the javascript hashing algorithm being laid bare to the end user or is simply https encryption sufficient? If I have https encryption would I then simply pass it back using $_GET and $_POST? Thanks
回答1:
- Google for and read relevant information such as this.
- Do not hash on the client. Pass the clear-text password to the server.
- Use POST to keep the password out of the URL (URLs have a nasty way of getting logged and otherwise exposed to people).
- I personally recommend to use HTTPS everywhere but the minimum is to use HTTPS for the login form and all pages that follow login.
- Store the password in the database using PHP's
password_hashfunction and verify it usingpassword_verify.
来源:https://stackoverflow.com/questions/30532831/how-to-securely-pass-data-from-php-forms-to-html