如何创建随机生成的盐?

时间:2014-03-26 21:46:24

标签: php mysql security pdo prepare

我非常想知道如何在以下代码中添加随机盐,我一直在寻找互联网,但我还没想到它,至少不是“PDO方式”(如果它甚至有所作为)?

无论如何,我有这段代码:

的login.php:

<html>
    <head>

        <link type="text/css" rel="stylesheet" href="css/style.css" />
    </head>
<body>

<div id="loginForm">

    <?php
    // form is submitted, check if acess will be granted
    if($_POST){

        try{
            // load database connection and password hasher library
            require 'libs/DbConnect.php';
            require 'libs/PasswordHash.php';

            // prepare query
            $query = "select email, password from users where email = ? limit 0,1";
            $stmt = $con->prepare( $query );

            // this will represent the first question mark
            $stmt->bindParam(1, $_POST['email']);

            // execute our query
            $stmt->execute();

            // count the rows returned
            $num = $stmt->rowCount();

            if($num==1){

                //store retrieved row to a 'row' variable
                $row = $stmt->fetch(PDO::FETCH_ASSOC);

                // hashed password saved in the database
                $storedPassword = $row['password'];

                // salt and entered password by the user
                $salt = "whatever";
                $postedPassword = $_POST['password'];
                $saltedPostedPassword = $salt . $postedPassword;

                // instantiate PasswordHash to check if it is a valid password
                $hasher = new PasswordHash(8,false);
                $check = $hasher->CheckPassword($saltedPostedPassword, $storedPassword);

                /*
                 * access granted, for the next steps,
                 * you may use my php login script with php sessions tutorial :)
                 */
                if($check){
                    echo "<div>Access granted.</div>";
                }

                // $check variable is false, access denied.
                else{
                    echo "<div>Access denied. <a href='login.php'>Back.</a></div>";
                }

            }

            // no rows returned, access denied
            else{
                echo "<div>Access denied. <a href='login.php'>Back.</a></div>";
            }

        }
        //to handle error
        catch(PDOException $exception){
            echo "Error: " . $exception->getMessage();
        }


    }

    // show the registration form
    else{
    ?>

    <!-- 
        -where the user will enter his email and password
        -required during login
        -we are using HTML5 'email' type, 'required' keyword for a some validation, and a 'placeholder' for better UI
    -->
    <form action="login.php" method="post">

        <div id="formHeader">Website Login</div>

        <div id="formBody">
            <div class="formField">
                <input type="email" name="email" required placeholder="Email" />
            </div>

            <div class="formField">
                <input type="password" name="password" required placeholder="Password" />
            </div>

            <div>
                <input type="submit" value="Login" class="customButton" />
            </div>
        </div>
        <div id='userNotes'>
            New here? <a href='register.php'>Register for free</a>
        </div>
    </form>

    <?php
    }
    ?>

</div>

</body>
</html>

register.php 

<html>
    <head>
        <link type="text/css" rel="stylesheet" href="css/style.css" />
    </head>
<body>

<div id="loginForm">

    <?php
    // save the username and password
    if($_POST){

        try{
            // load database connection and password hasher library
            require 'libs/DbConnect.php';
            require 'libs/PasswordHash.php';

            /* 
             * -prepare password to be saved
             * -concatinate the salt and entered password 
             */

            $salt="whatever";
            $password = $salt . $_POST['password'];

            /* 
             * '8' - base-2 logarithm of the iteration count used for password stretching
             * 'false' - do we require the hashes to be portable to older systems (less secure)?
             */
            $hasher = new PasswordHash(8,false);
            $password = $hasher->HashPassword($password);

            // insert command
            $query = "INSERT INTO users SET email = ?, password = ?";

            $stmt = $con->prepare($query);

            $stmt->bindParam(1, $_POST['email']);
            $stmt->bindParam(2, $password);

            // execute the query
            if($stmt->execute()){
                echo "<div>Successful registration.</div>";
            }else{
                echo "<div>Unable to register. <a href='register.php'>Please try again.</a></div>";
            }

        }

        //to handle error
        catch(PDOException $exception){
            echo "Error: " . $exception->getMessage();
        }
    }

    // show the registration form
    else{
    ?>

    <!-- 
        -where the user will enter his email and password
        -required during registration
        -we are using HTML5 'email' type, 'required' keyword for a some validation, and a 'placeholder' for better UI
    -->
    <form action="register.php" method="post">

        <div id="formHeader">Registration Form</div>

        <div id="formBody">
            <div class="formField">
                <input type="email" name="email" required placeholder="Email" />
            </div>

            <div class="formField">
                <input type="password" name="password" required placeholder="Password" />
            </div>

            <div>
                <input type="submit" value="Register" class="customButton" />
            </div>
            <div id='userNotes'>
                Already have an account? <a href='login.php'>Login</a>
            </div>
        </div>

    </form>

    <?php
    }
    ?>

</div>

</body>
</html>

现在,如何创建随机生成的盐?

1 个答案:

答案 0 :(得分:2)

使用password_hash(自PHP 5.5起)。它会照顾你的一切。

旧的PHP版本有compatibility wrapper

相关问题
最新问题