自从我第一次开始学习哈希和盐渍密码以来,我的代码遇到了很多麻烦。首先,我学习如何使用MD5“哈希”密码(是的,不要再这样做了),然后使用哈希和SHA256,最后使用bcrypt(或者至少我认为它是bcrypt)。这是我现在的注册码:
register.php
<html>
<head>
<title>PDO - hashing algorithm</title>
</head>
<body>
<?php
if(isset($_POST['submit'])) {
define( "DB_DSN", "mysql:host=localhost;dbname=test" );
define ( "DB_USER", "root" );
define ( "DB_PASS", "" );
try {
$connect = new PDO (DB_DSN, DB_USER, DB_PASS);
$query = "CREATE TABLE IF NOT EXISTS `users` (
`id` INT(11) PRIMARY KEY AUTO_INCREMENT NOT NULL,
`username` VARCHAR(100) NOT NULL,
`password` VARCHAR(500) NOT NULL
)ENGINE=InnoDB DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_swedish_ci;";
$stmt = $connect->prepare($query);
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
}
// Let's hash the password
$salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
$hashedpassword = crypt($_POST['password']. '$2a$12$' .$salt);
try {
$query = "INSERT INTO `users` (`username`, `password`) VALUES (:username, :password)";
$stmt = $connect->prepare($query);
$stmt->execute(array(
':username' => $_POST['username'],
':password' => $hashedpassword
));
if ($stmt->rowCount() == 1) {
echo "Well done, user has registered successfully";
} else {
echo "An error occured.. Please try again";
}
} catch (PDOException $e) {
echo $e->getMessage();
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Username: <input type="text" name="username"/></p>
<p>Password: <input type="password" name="password" /></p>
<input type="submit" name="submit" />
</form>
</body>
</html>
此代码确实有效并将加密密码,因此这不是我的主要问题。我的主要问题是,当我想创建登录页面时,如何比较用户输入的密码和db中存储的密码?
这是我的login.php atm。告诉我,如果你看到我没有看到的东西,但我无法使其工作,它将不会从数据库输出用户名和密码。
<?php
try {
define( "DB_DSN", "mysql:host=localhost;dbname=test" );
define ( "DB_USER", "root" );
define ( "DB_PASS", "" );
$connect = new PDO (DB_DSN, DB_USER, DB_PASS);
} catch (PDOException $e) {
echo $e->getMessage();
}
if(isset($_POST['submit'])) {
$query = "SELECT * FROM `users` WHERE (username) = :username";
$stmt = $connect->prepare($query);
$stmt->execute(array(
':username' => $_POST['username']
));
if($stmt->rowCount() == 0) {
echo "User doesn't exist";
}
$row = $stmt->fetch();
if (crypt($_POST['password'], $row['password']) == $row['password']) {
echo $row['username']. $row['password'];
} else {
return false;
}
}
?>
答案 0 :(得分:1)
请参阅此链接以获取有关如何操作的教程:Using bcrypt to store passwords
编辑:
我发现了一些我在这里发布的工作代码,希望能给予帮助。
首先,我使用自定义函数:
function better_crypt($input, $rounds = 7){
$salt = "";
$salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
for($i=0; $i < 22; $i++) {
$salt .= $salt_chars[array_rand($salt_chars)];
}
return crypt($input, sprintf('$2a$%02d$', $rounds) . $salt);
}
然后,在首次创建帐户时,将$ password_hash存储在数据库中:
$password_hash = better_crypt($_POST['password']);
然后登录时,将提交的密码与数据库中的密码哈希进行比较:
// $password = submitted login form password
// $row['password'] = the password hash in the database
if(crypt($password, $row['password']) == $row['password']) {
//Success!