哈希密码
//crypt password require_once('include/blowfish.php'); $bcrypt = new Bcrypt(4); $hash = $bcrypt->hash($pass1); echo $hash; //Insert all the members's input to the database**************// $query = mysql_query("INSERT INTO members(user_name, first_name, last_name, governorate, district, village, birth_date, email_address, specialization, password, registered_date ) VALUES('$username', '$firstname', '$lastname', '$governorate', '$district', '$village', '$bdate', '$email', '$specialization', '$hash', now())") or die(mysql_error());
login.php

Question

我有一个注册表单，允许用户输入密码，我使用crypt

散列此密码

在注册表单中，它可以工作，密码在数据库中经过哈希处理并且是安全的，但是当它登录时，密码不匹配，系统也不会登录

任何人都可以帮助我???

register.php 中的

哈希密码

//crypt password
      require_once('include/blowfish.php'); 

      $bcrypt = new Bcrypt(4);
      $hash = $bcrypt->hash($pass1);
      echo $hash;


//************Insert all the members's input to the database**************************//
$query = mysql_query("INSERT INTO members(user_name, first_name, last_name, 
governorate, district, village, birth_date, email_address, specialization,
password, registered_date )

VALUES('$username', '$firstname', '$lastname', '$governorate', '$district', 
'$village', '$bdate', '$email', '$specialization', '$hash', now())")

or die(mysql_error());

login.php

中的

哈希密码

$sql=mysql_query( "SELECT user_id, email_address, first_name, user_name 
FROM members 
WHERE email_address='$email'AND password= '$pass' 
LIMIT 1") or die("error in members table");
$login_check = mysql_num_rows($sql);

  if($login_check > 0)
  {
      $row = mysql_fetch_array($sql);
      $row_pass = $row['password'];
      //***********for hashing password***************************//
require_once('include/blowfish.php');
 $bcrypt = new Bcrypt(4);
 if($bcrypt->verify($pass, $row_pass))
  {

          $id = $row['user_id'];
          $_SESSION['user_id'] = $id;

          $firstname = $row['first_name'];
          $_SESSION['first_name']= $firstname;

          $email = $row['email_address'];
          $_SESSION['email_address']= $email;

          $username = $row['user_name'];
          $_SESSION['user_name']= $username;


          mysql_query("UPDATE members SET last_log_date=now() 
WHERE user_id='$id'");

        //$message = "correct email and passworddd!!";  
          header("Location: profile.php");
         // exit();   
  }//close if 
 }//close if 
  else
  {
      $message = "incorrect Email or Password!!";
      //exit();
  }

Answer 1

它不起作用，因为在1-st片段中，您将$ hash保存到members.password中。

在第二个片段中，您从输入中检查真实密码。您需要先将其修改为哈希：

$bcrypt = new Bcrypt(4);
$hash = $bcrypt->hash($pass);

$query = sprintf("SELECT user_id, email_address, first_name, user_name 
FROM members
WHERE email_address='%s'AND password= '%s'",
        mysql_real_escape_string($email),
        mysql_real_escape_string(hash));

$sql=mysql_query( $query) or die("error in members table");

$login_check = mysql_num_rows($sql);

if($login_check > 0)
{
    ...

此外，您的代码易受SQL注入攻击，并使用弃用的mysql_ *函数。

注册和登录中的哈希密码不匹配

1 个答案: