How do I verify credentials through a text file instead of through the authorization file?

I have a PHP login script with a basic form that points to this file, which is the authorization file containing the credentials. But I want this file to check a text file for a matching username and password, where the text file is in the format username:password or similar. Does anyone have any ideas?

```php
<?php

// only handle real form submissions; send anything else back where it came from
if ( ! isset( $_POST['submitted'] ) ) {
    header('Location: ' . $_SERVER['HTTP_REFERER']);
    exit(); // without exit() the script keeps running after the redirect header is sent
}

// the hard-coded credentials this "authorization file" currently checks against
$credentials = [
   'username' => 'TESTUSER',
   'password' => 'TESTPASS'
];

if ( $credentials['username'] !== ($_POST['username'] ?? '')
      OR $credentials['password'] !== ($_POST['password'] ?? '') )
{
    header('Location: ' . $_SERVER['HTTP_REFERER']);
    exit();
}
session_start();
$_SESSION["000000"] = "1"; // mark this session as logged in
header('Location:' . 'index.php');
exit();
```

The choice of persistent storage type is up to you, but you should:

NEVER store passwords as plain text; use password_hash() before storing them.

Then, at login, use password_verify() to check that the password matches the hash in the storage medium (e.g. database / flat file).

Example:

```php
<?php
// each call generates a fresh salt, so the printed hash differs on every run
echo password_hash("somepassword", PASSWORD_DEFAULT);

// a bcrypt hash produced earlier by password_hash("somepassword", PASSWORD_DEFAULT)
$hash = '$2y$10$f.iC/tadtwSws25fW2zRg./.xlY.mRK82Ys9M4acbPU/b614vA1vy';

if (password_verify('somepassword', $hash)) {
    echo 'The password is valid!';
} else {
    echo 'The password is not valid';
}
```

You can play with this demo.

Update: a simple example of a flat-file (.json) user store / login verification script. You still need to validate and sanitize user input, and decide whether flat-file storage is the best solution / sufficient for the level of security your application requires.

There are two files:

  1. index.php application - user store / login verification
  2. users.json flat-file database (user credentials: name, password)

index.php renders two forms: the first can be used to add a user to users.json, the second is for login verification.

index.php

```php
<?php
function getForm(string $submitName, string $submitValue)
{
    $form = <<<HEREDOC
    <form method="POST">
    <label for="username">User Name : </label>
    <input type="text" name="username" id="username" required>
    <label for="password">Password : </label>
    <input type="password" name="password" id="password" required>
    <input type="submit" name="$submitName" value="$submitValue">
    </form>
HEREDOC;
    return $form;
}
// build forms
$userForm = getForm('submit_user', 'Add User');
$loginForm = getForm('submit_login', 'Login');

// get users.json file; start with an empty user list if it is missing or unreadable
$file = "./users.json";
$users = is_file($file) ? json_decode(file_get_contents($file), true) : null;
if (!is_array($users) || !isset($users['users'])) {
    $users = ['users' => []];
}

/* add a new user to flat file database */
echo $userForm;
if (isset($_POST['submit_user'])) {
    // retrieve user input - you still need to do data validation and sanitizing
    $userName = (isset($_POST['username'])) ? $_POST['username'] : '';
    $passWord = (isset($_POST['password'])) ? $_POST['password'] : '';
    $passWord = password_hash($passWord, PASSWORD_DEFAULT); // store a hash, never the plain password
    // insert new user credentials
    $users['users'][] = ['name' => $userName, 'password' => $passWord];
    // write to flat file database (LOCK_EX so concurrent requests do not interleave writes)
    file_put_contents($file, json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
}
/* login - verify user credentials */
echo $loginForm;
if (isset($_POST['submit_login'])) {
    // retrieve user input - you still need to do data validation and sanitizing
    $userName = (isset($_POST['username'])) ? $_POST['username'] : '';
    $passWord = (isset($_POST['password'])) ? $_POST['password'] : '';

    // verify user: find the matching name, then check the password against the stored hash
    foreach ($users['users'] as $value) {
        if (strtolower($value['name']) === strtolower($userName)) {
            $hash = $value['password'];
            if (password_verify($passWord, $hash)) {
                echo 'User Login Validated';
            } else {
                echo 'Login Not Valid';
            }
            break; // stop at the first matching name
        }
    }
}
```

Flat-file user database: users.json

```json
{
  "users": [
    {
      "name": "Jack",
      "password": "$2y$10$FBLkEDGX3I6HAVgptJ6q1ujo5K6cFtZn2wNKXKUhoWGNtcwfsRlpi"
    },
    {
      "name": "Jill",
      "password": "$2y$10$yKp79.HujKW3yFvxPDYvqePcUJ9uLWJ92d5TpSy62YtuRTezWrsna"
    },
    {
      "name": "Annie",
      "password": "$2y$10$eWctVmNAadkf138J0iTVr.5u7vmRl9vcglAhSEjbp0WqQphKFjwYC"
    }
  ]
}
```
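A hardened version of the same flat-file lookup, added here as an example and not part of the answer above: it rejects duplicate names, locks the file on write, upgrades old hashes with password_needs_rehash(), and runs a verify against a dummy hash when the name is unknown so a missing account and a wrong password take about the same time. The function names and the temporary demo file are assumptions; users.json keeps the shape shown in the answer.

```php
<?php
// Load the users.json structure from the answer; a missing or corrupt file yields an empty list.
function loadUsers(string $file): array
{
    $data = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    return is_array($data['users'] ?? null) ? $data : ['users' => []];
}

// LOCK_EX keeps two concurrent requests from interleaving their writes.
function saveUsers(string $file, array $users): void
{
    file_put_contents($file, json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
}

// Refuse duplicate names (case-insensitive) so the lookup at login is unambiguous.
function addUser(string $file, string $name, string $password): bool
{
    $users = loadUsers($file);
    $taken = array_filter($users['users'], fn($u) => strcasecmp($u['name'], $name) === 0);
    if ($taken !== []) {
        return false;
    }
    $users['users'][] = ['name' => $name, 'password' => password_hash($password, PASSWORD_DEFAULT)];
    saveUsers($file, $users);
    return true;
}
function verifyLogin(string $file, string $name, string $password): bool
{
    // Verified when the name is unknown, so response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $users = loadUsers($file);
    foreach ($users['users'] as $i => $u) {
        if (strcasecmp($u['name'], $name) === 0) {
            if (!password_verify($password, $u['password'])) {
                return false;
            }
            // Transparently upgrade the stored hash if PASSWORD_DEFAULT's algorithm or cost changed.
            if (password_needs_rehash($u['password'], PASSWORD_DEFAULT)) {
                $users['users'][$i]['password'] = password_hash($password, PASSWORD_DEFAULT);
                saveUsers($file, $users);
            }
            return true;
        }
    }
    password_verify($password, $dummyHash);
    return false;
}
$demo = sys_get_temp_dir() . '/users_demo.json'; // constructed demo file (assumed path)
var_dump(addUser($demo, 'Jack', 'correct horse battery'), verifyLogin($demo, 'jack', 'correct horse battery'), verifyLogin($demo, 'Nobody', 'x'));
```

The read-modify-write in addUser() is still not atomic across requests; for anything beyond a handful of users, a database with a unique index on the name is the better fit, as the answer itself suggests.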