我创建了一个注册和登录脚本,使用完全相同的方式使用salt来密码密码,但是当用户尝试使用他们的密码登录时,散列的登录密码和存储在数据库中的密码不同,它正在运行几天前,我没有更改登录和注册脚本中的任何内容。
以下是存储的凭据
DBEMAIL:jd@gmail.com
DBPASSWORD:
addb18f27b6970082727069aa5853116223c5ab46f46a7b07340757804670aef61311ff0254ec45ea78d9ea6d8afb2cefdf3afd6bd4947f6fc558f46703fac1c
以下是用户插入的凭据:
UEMAIL:jd@gmail.com
UPASSWORD:4123363f30664825356a238fe7a568910315e6f6aa8a57d0264844c641e856ab207200f4c75a532b2ebecdbd062bff31da101d973ab0f83eaefd2323a39a4a88
使用以下方法进行散列:
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
完整的注册功能(我知道它很乱,但它有效(直到现在):
function registerUser($firstname, $surname, $email, $password, $secretQ, $secretA, $address, $city, $postcode) {
$flag = array();
$validEmail = validateEmail($email);
if (($validEmail) == true) {
//Do not flag
} else {
array_push($flag, 1);
}
if ((textOnly("First name", $firstname) == true) || ((textOnly("Surname", $surname)) == true) || ((textOnly("City", $city)) == true)) {
array_push($flag, 1);
}
if ((emptyField($firstname)) || (emptyField($surname)) || (emptyField($email)) || (emptyField($password)) || (emptyField($secretA)) || (emptyField($address)) || (emptyField($city)) || (emptyField($postcode))) {
array_push($flag, 1);
}
if (validPostcode($postcode) == false) {
array_push($flag, 1);
}
if (duplicateEmail($email) == true) {
array_push($flag, 1);
}
if (validatePassword($password) == false) {
array_push($flag, 1);
} else {
$password = validatePassword($password);
}
switch ($secretQ) {
case 1:
$secretQ = "Your mothers maiden name?";
break;
case 2:
$secretQ = "Name of your first pet?";
break;
case 3:
$secretQ = "The name of your high school?";
break;
case 4:
$secretQ = "Your favourite instrument?";
break;
}
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
if (!empty($flag)) {
echo "There are errors with your registration, go back and ammend it. <br /> <a href=\"register.php\"><< Back</a>";
} else {
if ((isset($firstname)) && (isset($surname)) && (isset($email)) && (isset($password)) && (isset($secretQ)) && (isset($secretA)) && (isset($address)) && (isset($city)) && (isset($postcode))) {
$sql = "INSERT INTO customer (forename, surname, email, password, secretQ, secretA, address_street, address_city, address_postcode, member_type) VALUES ('$firstname', '$surname', '$email', '$hashed', '$secretQ', '$secretA', '$address', '$city', '$postcode', 'User');";
header("Location: index.php");
} else {
array_push($flag, 1);
}
}
$result = mysql_query($sql);
if (!$result) {
die(mysql_error());
}
}
登录功能:
function loginUser($email, $password) {
if (validateEmail($email) == true) {
$sql = "SELECT customerid, forename, email, password, secretA, member_type FROM customer WHERE email = '$email'";
$result = mysql_query($sql);
while ($record = mysql_fetch_array($result)) {
$DBid = $record['customerid'];
$DBemail = $record['email'];
$DBpassword = $record['password'];
$DBforename = $record['forename'];
$DBsecretA = $record['secretA'];
$DBmember = $record['member_type'];
}
if (!$result) {
die(mysql_error());
}
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
echo "DBEMAIL: $DBemail DBPASSWORD: $DBpassword <br/>";
echo "UEMAIL: $email UPASSWORD: $hashed <br/>";
if (($email == $DBemail) && ($hashed == $DBpassword)) {
$match = true;
} else {
$match = false;
}
if ($match == true) {
session_start();
$_SESSION['userid'] = $DBid;
$_SESSION['Active'] = true;
$_SESSION['forename'] = $DBforename;
$_SESSION['type'] = $DBmember;
header("Location: member.php");
} else {
echo "Incorrect credentials.";
}
} else {
echo "Invalid email address!";
}
return true;
}
答案 0 :(得分:1)
在registerUser中,我仔细看看:
...
if (validatePassword($password) == false) {
array_push($flag, 1);
} else {
$password = validatePassword($password);
}
...
$password将被覆盖。如果数据库中的所有密码都相同,则可能是将$ password设置为true,并且该密码值已被腌制。根据您使用validatePassword的方式,您可以删除else子句,只留下:
...
if (validatePassword($password) == false) {
array_push($flag, 1);
}
...