晕那里,
我有登录我的注册用户的问题,我已经哈希密码,当我登录我的表格拒绝时,所以我真的不知道这是什么问题,因为我直接用sql命令注册的用户实际上登录以下是我的登录脚本...
<?php
include 'db_connect.php';
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a php session.
if(isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if(login($email, $password, $mysqli) == true) {
// Login success
echo 'Success: You have been logged in!';
echo '<a href="javascript:window.close();">Close window</a>';
} else {
// Login failed
header('Location: ./login.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
以下是我在Function.php文件上的登录功能
function login($email, $password, $mysqli) {
if ($stmt = $mysqli->prepare(
"SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1"
)) {
$stmt->bind_param('s', $email);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
$password = hash('sha512', $password.$salt); // hash the password with the unique salt.
if($stmt->num_rows == 1) {
if(checkbrute($user_id, $mysqli) == true) {
return false;
} else {
if($db_password == $password) {
$ip_address = $_SERVER['REMOTE_ADDR'];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
$_SESSION['user_id'] = $user_id;
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $password.$ip_address.$user_browser);
// Login successful.
return true;
} else {
$now = time();
$mysqli->query(
"INSERT INTO login_attempts (user_id, time)
VALUES ('$user_id', '$now')"
);
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
以下是我如何将用户注册到数据库
<?php
include 'db_connect.php';
include 'functions.php';
$password = $_POST['p'];
$username = $_POST['username'];
$email = $_POST['email'];
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
$password = hash('sha512', $password.$random_salt);
if ($insert_stmt = $mysqli->prepare(
"INSERT INTO members (username,email,password,salt)
VALUES (?, ?, ?, ?)"
)) {
$insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
// Execute the prepared query.
$insert_stmt->execute();
echo 'Member Succesfully added to the Website list';
} else {
echo 'Error couldnt add the user, Try again';
}
?>
答案 0 :(得分:1)
我猜你要么以某种方式改变了密码,当你注册时 - sha512($ password)和登录应该是相同的,以便在查询数据时匹配它--- $ Salt是一个有点困惑?
Login
$_POST['password'] = stripslashes($_POST['password']);
$password = mysql_real_escape_string(sha512($_POST['password']));
Signup
$_POST['password'] = stripslashes($_POST['password']);
$password = mysql_real_escape_string(sha512($_POST['password']));