我正在关注本网站http://www.gregboggs.com/php-blowfish-random-salted-passwords/中的指南,但出于某种原因,在检查密码是否相同时,它会失败。
html很简单,2表示一个用于创建帐户,然后一个用于检查。代码可以在这里看到http://jsfiddle.net/Xf2Tc/
作为输出我得到: salt =数据库中的salt 数据库中的密码:$ 2a $ 05 $ BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4 / EtmnJ7Fz2CkoVha 但重新加密的密码总是非常小。 BcPgSBqZz80dw
我必须使用错误的盐或其他东西。
如果someoen可以编辑为更有条理,我会很感激。
<?php
defined( '_JEXEC' ) or die( 'Restricted access' );
$hostname="exampleHost";
$database="exampleDB";
$username="exampleUsername";
$password="examplePassword";
if(isset($_POST['Upassword'])&&isset($_POST['account'])&&!empty($_POST['Upassword'])&&!empty($_POST['account'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$Upassword = mysql_real_escape_string($_POST['Upassword']);
$account = mysql_real_escape_string($_POST['account']);
//This string tells crypt to use blowfish for 5 rounds.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$Allowed_Chars ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
// 18 would be secure as well.
$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";
for($i=0; $i<$Salt_Length; $i++)
{
$salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($Upassword, $bcrypt_salt);
$stmt = $pdo->prepare("INSERT INTO users (reg_date, account, salt, password) VALUES (:mysql_date, :account, :salt, :hashed_password)");
$stmt->bindParam(':mysql_date', $mysql_date, PDO::PARAM_STR);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->bindParam(':account', $_POST['account'], PDO::PARAM_STR);
$stmt->bindParam(':hashed_password', $hashed_password, PDO::PARAM_STR);
$stmt->execute();
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
/*
* to test for correct encryption
*
*/
if(isset($_POST['Upassword2'])&&isset($_POST['account2'])&&!empty($_POST['Upassword2'])&&!empty($_POST['account2'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$stmt = $pdo->prepare("SELECT salt, password FROM users WHERE account=:account");
$stmt->bindParam(':account', $_POST['account2'], PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$Upassword2 = mysql_real_escape_string($_POST['Upassword2']);
echo $row['salt'];
$bcrypt_salt = $Blowfish_Pre . $row['salt'] . $Blowfish_End;
$hashed_password = crypt($Upassword2, $bcrypt_salt);
echo "PassDB: " . $row['password'];
echo '-------------------------------------------';
echo "result: " . $hashed_password;
echo '-------------------------------------------';
if ($hashed_password == $row['password']) {
echo 'Password verified!';
}
echo 'i am here';
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
?>
答案 0 :(得分:1)
如您所见,我将我的代码分成2个if语句,这意味着在检查正确的密码时我的Blowfish_Pre和$ Blowfish_End没有被设置。
解决方案是在if语句之前设置这些变量,或者使用两次设置它们。
希望它有所帮助。