盐和哈希不匹配的麻烦

时间:2013-05-30 18:22:37

标签: php mysql

我一直在查看员工数据库,并创建了一个创建数据库条目的日志。其中包括一个日志表,所有密码和用户名都存储,为了安全起见,这是一个哈希和盐。这是一个很大的功能,所以我只包括几行。所有详细信息均由$ _POST。

提供
$query_new_user_insert = $this->db->query("INSERT INTO LOGIN (Unique_Id, user_name, user_salt, user_password,Permission) VALUES('".$this->Unique_Id."', '".$this->user_name."', '".$this->user_salt."', '".$this->user_password_hashed."','".$this->permissiontotal."')");
            $query_new_user_insert2 = $this->db->query("INSERT INTO USER (Unique_Id, collor, Title, EmployeeName,InternetAddress,Grade,team,shift, Directorate, Division, CostCenter,LineManager, Location) VALUES('".$this->Unique_Id."','".$this->collor."','".$this->Titl."','".$this->Employee."','".$this->Email."','".$this->Grade."','".$this->team."','".$this->shiftcode."','".$this->Directorate."','".$this->Division."','".$this->Cost."','".$this->manager."','".$this->Location."')");
            if($query_new_user_insert2)
            {
                $this->messages[] = "<p>The account was successfully created. " . $this->permissiontotal . "</p>" ;
            } else {
                $this->errors[] = "<p>Sorry, registration failed. Please try again.</p>";
            }

这有一个php函数,可以查找用户名和密码并让用户进入,以及记录失败的尝试等。这是完整的功能

private function loginWithPostData() {
$now  = time();
    if(isset($_POST["login"]) && !empty($_POST['user_name']) && !empty($_POST['user_password'])) {            
$this->user_name = $this->db->real_escape_string($_POST['user_name']);
        $checklogin = $this->db->query("SELECT user_name, Unique_Id, user_salt, user_password, Permission, Attempts, time FROM LOGIN WHERE user_name = '".$this->user_name."';");
        if($checklogin->num_rows == 1) {
            $result_row = $checklogin->fetch_object();
            if($result_row->Permission%2==0){
    // locked and time expired ?
    if ($result_row->time<$now){
        $sql_query_update =$this->db->query ("UPDATE LOGIN SET Attempts = 0, time = 0  WHERE LOGIN.user_name ='".$result_row->user_name."'");
                mysql_query( $sql_query_update );
        $accountreset = 1;
    }
            if($result_row->Attempts <5 || $accountreset ==1){
            if (hash("sha256", $_POST["user_password"].$result_row->user_salt) == $result_row->user_password) {
                $_SESSION['user_name'] = $result_row->user_name;
                $_SESSION['Unique_Id'] = $result_row->Unique_Id;
                $_SESSION['Permission']= $result_row->Permission;
                $_SESSION['user_logged_in'] = 1;
            $sql_query_update =$this->db->query ("UPDATE LOGIN SET Attempts = 0, time = 0  WHERE LOGIN.user_name ='".$this->user_name."'");
            mysql_query( $sql_query_update );
                 return true;
            } else {
    $sql_query_update =$this->db->query ("UPDATE LOGIN SET Attempts = Attempts+1,time =  UNIX_TIMESTAMP(now())+7200 WHERE LOGIN.user_name ='".$this->user_name."'");
            mysql_query( $sql_query_update );
              $this->errors[] = "The user name or password is incorrect";
                return false;
            }
        } else {
           $this->errors[]="blocked to many failed attempts.";
                    return false;
            }
        } else {
            $this->errors[]= "this account is suspended.";
                    return false;
            }
        } else {
            $this->errors[] = "The user name or password is incorrect";
                   return false;
           }
    } elseif (isset($_POST["login"]) && !empty($_POST['user_name']) && empty($_POST['user_password'])) {
        $this->errors[] = "Password field was empty.";
    }
}

这很好用,所以我添加了一个更改密码,遗憾的是我无法让它工作。这也是一个功能。我还没有完成这个,但它在第一个障碍时失败了。它写入数据库但不允许用户使用新密码登录。这也是完整的功能

private function change() {
    if(isset($_POST["change"]) && !empty($_POST['user_password']) && !empty($_POST['new_password']) && !empty($_POST['new_password2'])) {
        $this->user_ID = $this->db->real_escape_string($_POST['Unique_Id']);
        $this->new_password = $this->db->real_escape_string($_POST['new_password']);
        $this->new_password2 = $this->db->real_escape_string($_POST['new_password2']);

// add verification and check old password entered add fail!

        $this->user_salt = substr(str_shuffle('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'), 0, 64);
        $this->user_password_hashed = hash("sha256", $this->user_password.$this->user_salt);
        $query_new_password_insert = 
        $this->db->query
        ("UPDATE LOGIN SET user_salt='".$this->user_salt."',
        user_password='".$this->user_password_hashed."' 
        WHERE LOGIN.Unique_Id='".$this->user_ID."'");
        if($query_new_password_insert) {
            $this->messages[] = $query_new_password_insert;//"<p>The password has been updated</p>";
        } else {
            $this->errors[] = "<p>Sorry, password update has failed. Please try again.</p>";
        }
    }
}

正常任何帮助表示赞赏。

0 个答案:

没有答案