我正在使用PHPASS存储密码加密并在登录时进行比较。
这是代码
ob_start();
$userName = $password = "";
$userNameErr = $passwordErr = $loginErr = "";
$hasher = new PasswordHash(8, false);
if (isset($_POST['subEmployee'])) {
if (empty($_POST['user_name'])) {
$userNameErr = "User name is required";
} else {
$userName = check_input($_POST['user_name']);
if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
$userNameErr = "Only letters, numbers and '_' allowed";
}
}
if (empty($_POST['password'])) {
$passwordErr = "Password is required";
}else{
$password = check_input($_POST['password']);
}
$active = 1;
$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
if ($loginUser->execute()) {
$results = $loginUser->get_result();
if ($results->num_rows == 1) {
$row = $results->fetch_object();
$stored_hash = "*";
$stored_hash = $row->password;
$check = $hasher->CheckPassword($password, $stored_hash);
if ($check) {
$_SESSION['name'] = $row->first_name;
$_SESSION['userId'] = $row->id;
$_SESSION['user'] = 1;
print_r($_SESSION);
header("Location:?pid=4");
} elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
$loginErr = "'Invalid Login Information'";
}
}
}
}
到目前为止,它总是会给出相同的消息'无效的登录信息'我已经制作了存储我的密码的注册表格。
$hasher = new PasswordHash(8, false);
$hash = md5(rand(0, 1000));
if (empty($_POST['password'])) {
$error ['passwordErr'] = "Password is required";
} elseif (strlen($_POST['password']) < 8) {
$error ['passwordErr'] = "<span class='notAllowed'>Chose password with at last eight characters</span>";
} elseif (strlen($_POST['password']) > 72) {
$error ['passwordErr'] = "<span class='notAllowed'>Password max 72 characters</span>";
} elseif ($_POST['password'] !== $_POST['confirm']) {
$error ['passwordErr'] = "Password don't matching";
} else {
$password = $hasher->HashPassword($password);
}
当我检查我的数据库时,密码似乎已经消失了,用户名就在那里,一切都很好
但仍然收到此消息为&#39;无效的登录信息&#39;。
这两行是否正确
$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
登录代码确定。
我也试过这个
更新 我更新了我的代码
if (isset($_POST['subEmployee'])) {
$error=array();
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
if (empty($_POST['user_name'])) {
$userNameErr = "User name is required";
} else {
$userName = check_input($_POST['user_name']);
if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
$userNameErr = "Only letters, numbers and '_' allowed";
}
}
if (empty($_POST['password'])) {
$passwordErr = "Password is required";
} else {
$password = $_POST['password'];
}
$active = 1;
$loginUser = $db->prepare("SELECT password FROM hired_person_info WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
if ($loginUser->execute()) {
$results = $loginUser->get_result();
if ($results->num_rows == 1) {
$row = $results->fetch_object();
$stored_hash = "*";
$stored_hash = $row->password;
$check = $hasher->CheckPassword($password, $stored_hash);
if ($check) {
$_SESSION['name'] = $row->first_name;
$_SESSION['userId'] = $row->id;
$_SESSION['user'] = 1;
print_r($_SESSION);
header("Location:?pid=4");
} elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
$loginErr = "'Invalid Login Information'";
}
} else {
$loginErr = "'We didn't find any users'";
}
}
}
从PHPass手册中添加
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
仍然没有运气可以告诉我在哪里错误
修改
这是我的check_input()代码
function check_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
我正在使用PHP 5.3.29
由于
答案 0 :(得分:0)
这些是我要检查的一些要点:
1)在您的注册处理程序中,您直接检查POST变量,但是对于哈希您采用变量$ password,我将以相同的方式访问输入,例如:
$password = $hasher->HashPassword($_POST['password']);
2)不建议将函数check_input()用于密码,因为您计算了哈希值,并且此哈希值无论如何都是“安全的”。即使对于其他用户输入,也应该像您一样对其进行验证,但应该尽可能晚地进行转义,并且仅针对特定输出。因此,不应该为用户输入调用函数htmlspecialchars(),而是在输出到HTML之前。
3)在您的登录处理程序中,您使用POST变量访问密码一次,使用变量$ password访问密码。变量$ password仅在if语句中设置,因此如果输入为空,则填写错误,但继续使用未初始化的$ password变量。要么只是在开头填充变量,要么总是使用POST变量。
4)由于您使用的是PHP 5.3.29,因此可以将新函数password_hash()与compatibility pack一起使用。我不认为PHPass库是这里的问题,不过这里是新函数的一个例子。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
5)另一个常犯的错误是,用于存储哈希值的数据库字段太短,需要一段varchar(60)。也许你可以提供一个密码哈希(当然只是一个例子)?
答案 1 :(得分:0)
此库需要PHP&gt; = 5.3.7或将$ 2y修复程序反向移植到其中的版本(例如RedHat提供)。