Question

我用来验证的内容

// username and password sent from form 
$myusername= filter_var($_POST['myusername'], FILTER_SANITIZE_STRING); 
$mypassword= filter_var($_POST['mypassword'], FILTER_SANITIZE_STRING); 

$sql = $dbh->prepare("SELECT * FROM $tblname WHERE UserLogin='$myusername'");
$sql->execute();
$sql = $sql->fetch();

$password_hash = $sql['UserPass'];

/*** close the database connection ***/
$dbh = null;

if(crypt($mypassword, $password_hash) == $password_hash){

我用来创建密码

$salt = blowfishSalt();
$mypassword = crypt($mypassword, $salt);

$stmt = $dbh->prepare('INSERT INTO Users(UserLogin, UserPass, UserEmail, admin) VALUES(:UserLogin, :UserPass, :UserEmail, :admin)');
$stmt->execute(array(
    ':UserLogin' => $myusername,
    ':UserPass'  => $mypassword,
    ':UserEmail' => $myemail,
    ':admin'     => $admin
));

blowfishSalt（）

function blowfishSalt($cost = 13) {
    if (!is_numeric($cost) || $cost < 4 || $cost > 31) {
        throw new Exception("cost parameter must be between 4 and 31");
    }
    $rand = array();
    for ($i = 0; $i < 8; $i += 1) {
        $rand[] = pack('S', mt_rand(0, 0xffff));
    }
    $rand[] = substr(microtime(), 2, 6);
    $rand = sha1(implode('', $rand), true);
    $salt = '$2a$' . sprintf('%02d', $cost) . '$';
    $salt .= strtr(substr(base64_encode($rand), 0, 22), array('+' => '.'));
    return $salt;
}

必须删除{} for function才能在stackoverflow中正确格式化。我还使用char（128）将密码存储在mysql数据库中。

Answer 1

您在验证码中有此信息：

crypt($mypassword, $password_hash)

这是创作代码：

$mypassword = crypt($mypassword, $salt);

当然这些都应该使用$ mypassword和$ salt？

无法验证密码密码

1 个答案: