File encryption procedures are already widely used on the site, which means using a database to store passwords and usernames. The details are as follows:
1. Introduction
Although in general, your website is often so simple that it does not require the use of a database at all; there are some cases where your site may want to restrict access to certain pages. Typically, this means using a database to store passwords and usernames. However, you have an easier method - although it's a little less secure, it involves minimal coding.
If you use a database in your web application, you already have the ability to store passwords and usernames somewhere and have a way to authenticate visitors. But what happens when using a database isn't warranted due to the security or complexity of your site? There may be times when you only want specific people to have access to certain pages or areas of your site. A very simple way to do this is to use a text file that stores the password and create a page that prompts the visitor to enter the password; if the password matches what is stored in the text file, then the user is allowed to access the subject. restricted page; otherwise, display an appropriate message to disable access before starting to refresh the page.
For further security, you can also use hashing to encrypt the password stored in the text file so that if its contents are somehow discovered, it will be difficult to find out. All of these can be built using PHP methods and require minimal coding.
Before you officially start, you need to set up an environment to test and use PHP; therefore, you first need to install and configure a web server for PHP. Since Apache works well with PHP and is easy to install and configure, I recommend this option.
Next, you need to create a page (similar to the image below) - it has a text box to receive the password from the visitor, and a submit button to send it to your PHP file. This can be either a new page or part of an existing page on your site. A simple code block like the following should suffice:
<form name="passwordForm" method="post" action="restricted.php"> <p>Password: <input type="password" name="password"> <input type="submit" name="Submit" value="Login"> </p> </form>
2. Create PHP homepage
Next, you need to create the PHP homepage that does the actual work. Open a blank page in a text editor, then open a PHP block in the standard way:
As I mentioned before, PHP has a standard set of functions and methods for file operations. Among them, the most important ones are fopen(), fread() and fclose() functions. In order to perform some kind of file operation, we need to open it first, and obviously, this is achieved using the fopen() function; moreover, we must specify how to operate the file; reading files, reading files is the most common task, but there are other Extra flags can be used to tell the program whether to place the file pointer at the beginning or end of the file, and whether to create the file if it does not exist yet. However, in this case, all we need to do is open the text file containing the password and read it.
Then, first create a variable to the specified text file path:
$fileloc = "/apachesite/docs/pass.txt"
Next, create a variable to hold the file pointer:
$filetoread = fopen($fileloc, "r") or die("Could not open password file");
You can also use the die method to end the script and an appropriate message will be printed on the screen if the operation fails for some reason. Once the file is open, you need to read its contents in order to compare it with what was entered in the form of a password:
$storedpass = fread($filetoread, filesize($fileloc)) or die ("Could not read stored password");
You should set a variable to store the data in the file and call the fread() method (it has two parameters: file pointer and file length). You may (or may not) know the length of your password. To make future programming easier (when the password needs to be changed), you can use the filesize() method to get the file length. Once the file is no longer needed, close it immediately:
fclose($filetoread);
3. Use password
In order to use the password entered into the HTML form, you need to get it and store it in a variable. When we use the POST method to send user input to a PHP script, we can use $_POST to obtain the entered password:
$password = $_POST["password"];
We can then simply compare the entered password with the stored password and take action accordingly:
if (empty ($password)){ die ("No password entered"); } elseif ($password != $storedpass){ die ("Password Incorrect"); } else{ Header("Location: securepage.htm") }
第一个if语句处理一个空的$password变量以防止当输入框为空时,submit按钮被点击。如果用户输入的口令与存储的那个不匹配,那么第二个语句执行括号内的代码并且输出一条消息显示口令是错误的。最后,如果前两个条件都不满足,那么,该脚本认为口令一定是正确的并且把一个重定向头(header)发送到浏览器以打开示例中的HTML页面。
在此能够工作之前,你需要创建一个文本文件并且把它放到与该PHP文件相同的目录下。它需要包含你目前想要使用的以普通文本形式存储的口令,并且应该引用该PHP文件名。保存所有这些文件,然后在一个浏览器中打开该HTML页面,并用该表单进行试验。该页面应该如所设想的那样工作。
当你输入正确的口令时,如果你得到一个错误消息,其内容是:
"Warning: Cannot modify header information - headers already sent by (thepathtoyourphpfile)"
这意味着,你需要把位于你的Windows目录下的php.ini文件中的output-buffering设置为"on"。
四、 加密
现在,我们开始分析在前面提到的加密问题。PHP具有一些内置的MD5方法。这样以来,在把访问者输入的口令与存储的口令进行比较之前,我们可以很容易地使用这些函数来转换它。
MD5是一种单向哈希算法,这意味着口令可以仅用一种方向进行加密-从普通文本到加密文本,而以另外一种方向是不可能的。然而,这并不是就能使得它不可破解。这种加密容易被以暴力方式或者通过字典攻击加以破解,但是它仍然还是比较安全的。你可以把下列一行添加到$password变量的声明语句之后:
$md5password = (md5($password));
这样可以把一个输入到该文本框中的内容的加密版本保存到变量$md5password中。现在,你需要修改你的if语句,以便它把存储的口令与新的加密的口令加以比较:
if (empty ($password)) { die ("No password entered"); } elseif ($md5password != $storedpass) { die ("Password Incorrect"); } else { header("Location: securepage.htm"); }
如你所见,我们仅改变了语句的elseif部分中的变量。这是因为即使是一个空的输入变量也被哈希化为一个32位值,因此$md5variable永远不可能为空,-即使在把任何文本输入到输入域之前点击submit按钮。
现在,所有你需要做的就是,找到你想存储在文本文件pass.txt中的该口令的哈希值。为此,你可以注释掉整个的if语句并且再加上一个echo语句以把加密的口令显示在屏幕上。然后,你还可以复制加密串并且把它保存到口令文件中。然而,你必须记住,在使用该脚本之前,取消注释if语句并且删除echo调用。
就本文所讨论的方法而言,上面的脚本框架所提供的已经足够了。另外,本文所讨论的测试文件,尽管非常基本,但是该HTML页面能够被容易地加入到一个现有的页面中去;你可以把它粘贴到一个窗口中去并整理它的样式以匹配你的主页的其余部分,并且你可能包含一个定时函数-它在把访问者重新定向到一个安全的页面前等待一段固定的时间,同时显示一条消息指示口令正确。你还可以包含一个类似的函数集来重载初始页面。
总之,你可以使用本文所提供的脚本来限制到你的站点结构中的特定页面的存取。尽管该方法并没有提供一个数据库所提供的安全的用户名/口令认证方法,并且它意味着你必须把口令发给想存取安全页面的任何人,但是它的确耗费非常少的时间和编码提供了一种简单的安全层。
感谢阅读,希望能帮助到大家,谢谢大家对本站的支持!