Codeigniter: How can i encrypt password before sub

2019-02-02 18:04发布

问题:

I have a simple html login form

<form method="post" action="http://www.example.com/login">
    <input type="text" name="text_box" />
    <input type="password" name="pass_word" />
    <input type="submit" name="submit">
</form>

when I submit the form and in the controller

public function login(){
    $pass_word = $this->input->post('pass_word');
    die($pass_word);
}

The problem here, it shows the plain password, if I type 123456 in controller , I get 123456.

  1. Is this a security issue?
  2. Can any one get my password through a network monitoring tool like wireshark?

how to avoid this? Can I encrypt the password in view , before send to the controller? Please help , thanks in advance.

回答1:

If your post data (password etc.) was intercepted, then it would just be visible as plaintext. Using SSL/HTTPS will provide encryption for the data that you send. I wouldn't rely on client-side JavaScript or anything similar for the purposes for authenticating / logging in a user. It's likely to give your users more confidence too, seeing that a secure connection is being used.

First, I'd just read up about SSL and HTTPS in general, as well as SSL certificates - Wiki, Google and SO would all be be good places to look, there's loads of information out there.

For using SSL/HTTPS with CI, I found these useful:

  • http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/
  • http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/
  • How can I have CodeIgniter load specific pages using SSL?

In particular the force ssl function from Nigel's post:

Create a file in application/helper called ssl_helper.php

if (!function_exists('force_ssl'))
{
    function force_ssl()
    {
        $CI =& get_instance();
        $CI->config->config['base_url'] =
                 str_replace('http://', 'https://',
                 $CI->config->config['base_url']);
        if ($_SERVER['SERVER_PORT'] != 443)
        {
            redirect($CI->uri->uri_string());
        }
    }
}

function remove_ssl()
{
    $CI =& get_instance();
    $CI->config->config['base_url'] =
                  str_replace('https://', 'http://',
                  $CI->config->config['base_url']);
    if ($_SERVER['SERVER_PORT'] != 80)
    {
        redirect($CI->uri->uri_string());
    }
}

Load the helper, then in the constructor for any controller that requires ssl, simply insert:

force_ssl();

In every controller that you don’t want to have ssl put:

if (function_exists('force_ssl')) remove_ssl();

This is a programmatic approach, another way would be to use .htaccess (if you're using Apache).



回答2:

Yes, it's definitely a security issue. Like you say, anyone with Wireshark (or similar) has the potential to intercept it.

This probably isn't something you want to rely on JavaScript for. Generally you'd use something like SSL/HTTPS, there's a blog post (a little old) detailing how to go about it with CodeIgniter, however it's pretty common so you might be able to find a more recent tutorial with a bit of Googling.

http://sajjadhossain.com/2008/10/27/ssl-https-urls-and-codeigniter/ http://nigel.mcbryde.com.au/2009/03/working-with-ssl-in-codeigniter/.

UPDATE: Lefter's answer provides more detail and is correct, please view it as well/instead



回答3:

$password = sha1($this->input->post('password'));

or 

$hash= $this->input->post('password');

$password= $this->encrypt->sha1($hash);

you can use md5 instead of sha1 but sha1 is more secure then md5... and both md5 & sha1 are non-decodable



回答4:

Go through http://codeigniter.com/user_guide/libraries/encryption.html . Everything about the encryption and decryption is described here.

Performs the data encryption and returns it as a string. Example:

$pass_word = $this->encrypt->encode(input->post('pass_word'));  

Decrypts an encoded string. Example:

$encrypted_pass_word = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84';

$plaintext_pass_word = $this->encrypt->decode($encrypted_pass_word);

You can optionally pass your encryption key via the second parameter if you don't want to use the one in your config file. Go through the link to read the detail explanation about it.



回答5:

There is a more easy way to user https.

I put following lines in ./application/config/config.php file and it works perfectly:

$protocol = ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ) ? 'https' : 'http';
$config['base_url'] = $protocol.'://www.yoursite.com';


回答6:

Use md5(string) for encryption which is very secure for codeigniter website. For password encryption user this code when form submit.

password=md5($this->input->post('password'));