I am hashing passwords with sha1 and storing them in the database successfully, but I cannot seem to correctly check whether the sha1 matches the one in the database. I have tried many different iterations of the following code, but nothing seems to work - what am I missing?
Registration
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$passwordEncrypted = sha1($password);   // stored value is the sha1 hex digest, not the plaintext
try {
    $result = $db->prepare("INSERT INTO
        user_info
    SET
        username = :user,
        pass = :pass
    ");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $passwordEncrypted);
    $result->execute();
}
catch (Exception $e) {
    echo "Could not create username";
}
if (isset($_POST['submit'])) {
    // flag the submission if any posted field is empty
    $fail = false;
    foreach ($_POST as $field) {
        if (empty($field)) {
            $fail = true;
        }
    }
    if ($fail) {
        echo "You must enter a username and/or password";
    }
    else {
        echo "Your account has been successfully created.";
    }
}
?>
Login
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$encryptedPassword = sha1($password);
try {
    $result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $password);
    $result->execute();
    $rows = $result->fetch(PDO::FETCH_NUM);
}
catch (Exception $e) {
    echo "Could not retrieve data from database";
    exit();
}
if ($rows) {
    session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['loggedin'] = true;
    include("inc/redirect.php");
} else {
    if (isset($_POST['login'])) {
        echo "Username or password incorrect (passwords are case sensitive)";
    }
}
?>
Answer 0 (score: 3)
You need to hash the password before querying the table, not after:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$passwordEncrypted = sha1($password);
try {
    $result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $passwordEncrypted);   // bind the hash, since that is what is stored
    $result->execute();
    if ($result->fetch(PDO::FETCH_NUM)) {
        session_start();
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['loggedin'] = true;
        include("inc/redirect.php");
    } else {
        if (isset($_POST['login'])) {
            echo "Username or password incorrect (passwords are case sensitive)";
        }
    }
}
catch (Exception $e) {
    echo "Could not retrieve data from database";
    exit();
}
?>
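The answer above fixes the immediate bug: the login query bound the plaintext `$password` while the table holds `sha1($password)`, so no row could ever match. The following is an added example, not code from the question or the answer, that goes one step further than the page: it keeps the same `user_info` table with `username` and `pass` columns, but replaces unsalted sha1 with PHP's `password_hash()`/`password_verify()`, and moves the comparison out of the `WHERE` clause into PHP, because a salted hash cannot be recomputed before the row is read. It uses an in-memory SQLite database through PDO so it runs offline; the database, the user names and the passwords are constructed for the example.

```php
<?php
// Added example (not from the original question or answer). The table and
// column names mirror the page; the SQLite in-memory database, the helper
// names registerUser/loginUser and the sample credentials are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_info (username TEXT PRIMARY KEY, pass TEXT NOT NULL)");

/**
 * Store the user with a salted, deliberately slow hash. password_hash()
 * generates a random salt and embeds algorithm, cost and salt in the string
 * it returns, so nothing besides that string needs to be stored.
 */
function registerUser(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;   // validate before touching the database
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO user_info (username, pass) VALUES (:user, :pass)");
    return $stmt->execute([':user' => $username, ':pass' => $hash]);
}

/**
 * Look the row up by username only, then verify the password in PHP.
 * The hash is not put in the WHERE clause: the salt lives inside the stored
 * string, so the candidate hash can only be computed after the row is read,
 * and password_verify() does the comparison in constant time.
 */
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT pass FROM user_info WHERE username = :user");
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user; the caller should report the same message as for a wrong password
    }
    return password_verify($password, $row['pass']);
}

// Constructed demonstration inputs.
var_dump(registerUser($db, 'alice', 'Correct Horse'));
var_dump(loginUser($db, 'alice', 'Correct Horse'));    // matching password
var_dump(loginUser($db, 'alice', 'correct horse'));    // case differs, so it must not match
var_dump(loginUser($db, 'bob', 'Correct Horse'));      // no such user
var_dump(registerUser($db, 'carol', ''));              // empty password is rejected before the INSERT
```

With this layout the login page no longer needs `BINARY` in the query, and the sha1 mismatch from the question cannot recur, because the only value ever compared is the one `password_verify()` derives from the stored string itself.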