Hash generated at registration differs from the one generated at login

Time: 2013-07-08 16:21:32

Tags: php mysql

I generate a hashed password when a user registers, but when I try to log in, the hashed password that gets generated is different, so I cannot log in.

reg: (once I have the hashed password working I will add checks and validation)

<?php
session_start();    

require_once('connect.php');   // provides $db (PDO)

$login = $_POST['login'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];


if($login == '') {
    echo "Email missing";
}
if($password == '') {
    echo "Password missing";
}
if($cpassword == '') {
    echo "Password missing";
}
if( strcmp($password, $cpassword) != 0 ) {
    echo "Passwords do not match";
}

$stmt = $db->prepare("INSERT INTO members (Email, Password) VALUES (:login, :password)");
$stmt->bindValue( ":login", $login );
// $salt is passed as the third argument of hash(), which is the raw_output flag
$stmt->bindValue( ":password", hash("sha512", $password, $salt));
$stmt->execute();

if ($stmt)
{
    header("location: ?p=register-success");
    exit();
} 

Login:

<?php
session_start();

include_once ('connect.php');   // provides $db (PDO)

$Email = $_POST['Email'];
$Password = $_POST['Password'];

$stmt = $db->prepare("SELECT * FROM members WHERE Email = :Email AND Password = :Password");
$stmt->bindValue(":Email", $Email);
// bindValue rather than bindParam: bindParam binds by reference and expects a
// variable, not the return value of hash(). As at registration, $salt ends up
// in hash()'s raw_output parameter.
$stmt->bindValue(":Password", hash("sha512", $Password, $salt));
$stmt->execute();
$member = $stmt->fetch(PDO::FETCH_ASSOC);
if ($member)    
    { 
            $_SESSION['SESS_MEMBER_ID'] = $member['Member_ID'];
            $_SESSION['SESS_POST_AS'] = $member['Post_As'];
            $_SESSION['SESS_AUTH'] = $member['auth'];
            session_write_close();
            header('location: index.php');
            exit();
    } else  {
        header("location: ?p=login-failed");
        exit();
    }

My salt: (a fixed set of characters, for testing only)

$salt = "Zo4rU5Z1YyKJAASY0PT6EUg7BBYdlEhPaNLuxAwU8lqu1ElzHv0Ri7EM6irpx5w";

I checked whether the hashed passwords are the same by echoing them before submitting them. Once the hashed password is stored in my table it differs from the one produced on the registration form: some special characters are replaced by ?

2 answers:

Answer 0 (score: 1)

The third parameter of hash determines whether the output of the hash is raw, i.e. not encoded as hex. Your salt is truthy, so the output is raw, and your database is trying to encode it as a string.

You probably meant to use hash_hmac. But switch to Bcrypt anyway; a fixed salt is useless.
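The bcrypt approach answer 0 recommends, as an added example that is not part of the original question or answers. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate and store a random per-user salt so no fixed $salt is needed. The `members` table and the Email/Password/Member_ID column names follow the question's code; an in-memory SQLite database and the sample e-mail/password are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not code from the original post: registration and login with
// password_hash()/password_verify(). Assumes an in-memory SQLite database and a
// `members` table shaped like the one in the question.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output is currently 60 characters; VARCHAR(255) leaves room for
// stronger algorithms that password_hash() may default to in the future.
$db->exec('CREATE TABLE members (
    Member_ID INTEGER PRIMARY KEY AUTOINCREMENT,
    Email     TEXT UNIQUE NOT NULL,
    Password  VARCHAR(255) NOT NULL)');

const BCRYPT_OPTIONS = ['cost' => 12];

function registerMember(PDO $db, string $email, string $password): void
{
    // password_hash() draws a random salt and embeds algorithm, cost and salt
    // in the returned string, so each user's hash is different even for the
    // same password and nothing else has to be stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $db->prepare('INSERT INTO members (Email, Password) VALUES (:email, :password)');
    $stmt->bindValue(':email', $email);
    $stmt->bindValue(':password', $hash);
    $stmt->execute();
}

function loginMember(PDO $db, string $email, string $password): ?array
{
    // Look the row up by e-mail only. The hash cannot go into the WHERE clause
    // because its salt is unknown until the stored row has been read.
    $stmt = $db->prepare('SELECT * FROM members WHERE Email = :email');
    $stmt->bindValue(':email', $email);
    $stmt->execute();
    $member = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($member === false) {
        // Unknown account: verify against a dummy hash so the response time
        // does not reveal whether the e-mail exists (dummy computed once).
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        password_verify($password, $dummy);
        return null;
    }
    if (!password_verify($password, $member['Password'])) {
        return null;
    }
    // Transparently re-hash if the cost or algorithm has been raised since
    // the user registered.
    if (password_needs_rehash($member['Password'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $db->prepare('UPDATE members SET Password = :password WHERE Member_ID = :id');
        $upd->bindValue(':password', password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS));
        $upd->bindValue(':id', $member['Member_ID'], PDO::PARAM_INT);
        $upd->execute();
    }
    return $member;
}

// Constructed sample run (e-mail and password are made up for this example).
registerMember($db, 'alice@example.com', 'correct horse battery staple');
var_dump(loginMember($db, 'alice@example.com', 'correct horse battery staple') !== null);
var_dump(loginMember($db, 'alice@example.com', 'wrong password') !== null);
var_dump(loginMember($db, 'nobody@example.com', 'anything') !== null);
```

The first var_dump reports a successful login and the other two report failures. The important structural difference from the question's login query is that the password never appears in the SQL at all: the row is selected by e-mail, and the comparison is done by password_verify() in PHP, which is also what makes the random per-user salt possible.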

Answer 1 (score: 0)

This is the prototype of the hash function

string hash ( string $algo , string $data [, bool $raw_output = false ] )

So you need to do something like this:

$saltedPwd = $password . $salt;
$hashedSaltedPwd = hash("sha512", $saltedPwd);   // raw_output left at its default, false

$stmt = $db->prepare("INSERT INTO members (Email, Password) VALUES (:login, :password)");
$stmt->bindValue( ":login", $login );
$stmt->bindValue( ":password", $hashedSaltedPwd);
$stmt->execute();

Then make a similar change to your login page.
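An added example, not code from the original answers, that makes the cause of the mismatch visible and shows the login-side counterpart of answer 1's change. The $salt is the question's own test value; the password and the stored row are constructed for the example. Comparing with hash_equals() (PHP 5.6 and later) instead of `AND Password = :Password` in SQL is an addition beyond what the answer shows. Note that this only fixes the encoding problem the question asks about; a fast hash with a fixed salt is still the weak scheme answer 0 warns against.

```php
<?php
// Added example, not code from the original post. Shows why the question's
// hashes differed and how to verify a login against the hex hash answer 1 stores.
declare(strict_types=1);

$salt     = "Zo4rU5Z1YyKJAASY0PT6EUg7BBYdlEhPaNLuxAwU8lqu1ElzHv0Ri7EM6irpx5w";
$password = 'Tr0ub4dor&3';   // constructed sample password

// What the question's code does: the salt lands in hash()'s raw_output
// parameter. Any non-empty string is truthy, so hash() returns the 64-byte
// binary digest, and the salt is never part of the hashed data at all. Those
// bytes are not valid text, which is why the stored value showed '?' marks.
$raw = hash("sha512", $password, $salt);
echo 'raw digest: ', strlen($raw), " bytes, hex form: ", bin2hex($raw), PHP_EOL;

// What answer 1 does: concatenate password and salt, then hash with raw_output
// at its default (false). The result is 128 lowercase hex characters, which
// survive a text column unchanged.
function hashPassword(string $password, string $salt): string
{
    return hash("sha512", $password . $salt);
}

// Login counterpart: fetch the row by e-mail, then compare in PHP with
// hash_equals(), a constant-time comparison that does not depend on the
// database column's collation (a case-insensitive collation would otherwise
// accept hashes that differ only in letter case).
function verifyLogin(array $member, string $submittedPassword, string $salt): bool
{
    return hash_equals($member['Password'], hashPassword($submittedPassword, $salt));
}

// Constructed stand-in for the row SELECT ... WHERE Email = :Email would return.
$storedMember = [
    'Member_ID' => 1,
    'Email'     => 'alice@example.com',
    'Password'  => hashPassword($password, $salt),
];

echo 'stored hash length: ', strlen($storedMember['Password']), PHP_EOL;
var_dump(verifyLogin($storedMember, $password, $salt));
var_dump(verifyLogin($storedMember, 'wrong password', $salt));
```

Running it prints the 64-byte raw digest in hex, then the 128-character stored hash, and verifyLogin() returns true only for the original password. In the question's login script the equivalent change is to drop `AND Password = :Password` from the query, select by Email alone, and call verifyLogin() on the fetched row before setting the session variables.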