在MySQL数据库中存储无法访问的用户

I have a website for which some areas/functions are available only to authenticated users. Some users existed before the website did, and currently have active subscriptions. Thus, their information exists (necessarily) in the database, but those accounts should not be accessible by anyone -- even the user to whom they belong -- until they verify their information, receive a link via email with hashed parameters, and set their password.

我有一个网站，某些区域/功能仅供经过身份验证的用户使用。有些用户在网站出现之前就存在了，目前有活跃的订阅。因此，他们的信息（必然）存在于数据库中，但这些帐户不应该被任何人访问 - 甚至是他们所属的用户 - 直到他们验证他们的信息，通过带有散列参数的电子邮件接收链接，并设置他们的密码。

So: I want to store these users in the Users table, but I don't want them to be able to sign in to the website just yet.

所以：我想将这些用户存储在Users表中，但我不希望他们能够立即登录该网站。

Currently, my database is set up like this:

目前，我的数据库设置如下：

Table: Users

    email   |     password     |      salt
------------+------------------+----------------
    User1   |                  |                 // password and salt are
    User2   |                  |                 // empty strings, not NULL
    User3   | md5(pass + salt) | rand(10-digits)
    User4   | md5(pass + salt) | rand(10-digits)


Table: Non-Registered Users

    email   |     identify1    |    identify2
------------+------------------+----------------
    User1   |     secret1a     |    secret1b
    User2   |     secret2a     |    secret2b

And my accessControl.php, with some pseudo code for brevity:

还有我的accessControl.php，带有一些伪代码以简洁：

<?php

session_start();
if(isset($_POST['email']) && isset($_POST['password']) {
    $sql1 = "SELECT salt FROM Users WHERE email = :email";
    .... // prepare and execute
    if (!empty($result1)) {
        $hash = sha2($password.$result1['salt'],256);
        $sql2 = "SELECT * FROM Users WHERE password = :hash AND email = :email";
        .... // prepare and execute
        if(!empty($result2)) {
            $_SESSION['email'] = $_POST['email'];
            $_SESSION['password'] = $_POST['password'];
        }
    }
} elseif(isset($_SESSION['email'] && isset($_SESSION['password'])) {
    // do pretty much the same check as above
} else {
    // force login
}

?>

So, my question is: Is it possible for a non-registered user to log in without setting their password first? It's not possible to match a blank field with a SHA256 of anything, right?? I'm concerned that I'm overlooking something obvious.

所以，我的问题是：非注册用户是否可以在不先设置密码的情况下登录？不可能将空白字段与任何东西的SHA256匹配，对吧？我担心我会忽略一些显而易见的事情。

Please and thank you!! :3

谢谢，麻烦您了！！：3

1 个解决方案

#1

The SHA256 will always have 256 bits so it will never match an empty string. That being said, your pseudo code does not fully describe how you are validating the user input, so you could still be susceptible to a SQL injection attack.

SHA256将始终具有256位，因此它永远不会匹配空字符串。话虽这么说，你的伪代码并没有完全描述你如何验证用户输入，所以你仍然可能容易受到SQL注入攻击。

1 个解决方案

#1

更多相关文章

随机推荐