带加密的PHP登录系统(不登录)

时间:2014-11-30 10:24:12

标签: php encryption

我正在努力解决我想要做的事情。我正在尝试创建一个基本的密码管理系统,但我无法使用加密密码登录。使用帐户管理页面后,密码确实在数据库上加密,但是当我退出并尝试重新登录时,密码不再有效。

这是我的登录页面和更改密码页面的代码:我知道SQL注入是一个问题,但我还没有完成对该部分的排序。

LOGIN2.PHP 

    <link rel="stylesheet" type="text/css" href="default.css" media="screen"/>
    <?php 
     session_start();
    $dbname = "obsidian";

    if(isset($_POST['sub'])){ 



        //encryption for salt---------------------------------

        function makeSalt($salt_length)
        {   // only these characters are allowed in salt strings
        $saltset = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

        // note that this method only allows up to 6 duplicate chars
        $saltchar = "$saltset$saltset$saltset$saltset$saltset$saltset";
        // shuffles string randomly & grabs 1st n for our salt
        $salt = substr(str_shuffle($saltchar), 0, $salt_length);

        return $salt;
        }

        //Login Script


        $username = $_POST['username'] ; 
        $password = $_POST['password'] ;

        //ENCRYPTS THE USER ENTERED PASSWORD

        $salt = '$5$rounds=1000$' . makeSalt(16) . '$';
            $hashed_password = crypt($password, $salt);

        //CONNECT TO DB

        $mysqli = new mysqli('localhost','admin1', 'password1','obsidian' ) or die('Failed to connect to DB' . $mysqli->error );

        $sSQL = "select * from users where password='$hashed_password' AND username='$username'";

        $result = mysqli_query( $mysqli, $sSQL);

        if (!$sSQL) {
            printf("Error: %s\n", mysqli_error($con));
            exit();
        }

        $row = mysqli_fetch_array($result);


        if(!$row){
            echo "<div>";
            echo "No existing user or wrong password.";
            echo "</div>";
            session_destroy();
            header("Location: index.php");
        }

        else {  

            $_SESSION['userid'] =$username; 


            header("Location: index.php"); 

        }


     }

   ?>

这是用于更改密码的PHP脚本。 

<?php 



 session_start();
$dbname = "obsidian";

if(isset($_POST['change'])){ 


    //CREATE SALT-------------------------------------------------------------------------

    function makeSalt($salt_length)
    {   // only these characters are allowed in salt strings
    $saltset = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    // note that this method only allows up to 6 duplicate chars
    $saltchar = "$saltset$saltset$saltset$saltset$saltset$saltset";
    // shuffles string randomly & grabs 1st n for our salt
    $salt = substr(str_shuffle($saltchar), 0, $salt_length);
    return $salt;
    }


    //Entered credentials from form---------------------------------------------------------

    $oldPass = $_POST['oldPass'];
    $newPass = $_POST['newPass'];
    $newPassAgain = $_POST['newPassAgain'];


    //Connect to DB-------------------------------------------------------------------------------

    $mysqli = new mysqli('localhost','admin1', 'password1','obsidian' ) or die('Failed to connect to DB' . $mysqli->error );


    //CHECK IF OLD PASS AND SESSION ID EQUAL-----------------------------------------------------

    $sSQL = ("select * from users WHERE password='$oldPass' AND username= '" . $_SESSION["userid"] . "'");

     $result = mysqli_query( $mysqli, $sSQL);


    if (!$sSQL) 

      {
           printf("Error: %s\n", mysqli_error($con));
           exit();
      } 


   $row = mysqli_fetch_array($result);

    //IF THERE ARE NO ROWS, DO NOT CHANGE PASSWORD-------------------------------------------

    if(!$row)

      {
           echo "<div>";
           echo "No existing user or wrong password.";
           header("Location: account.php");
           echo "</div>";
           session_destroy();
      }


    //IF THERE ARE ROWS ENCRYPT AND CHANGE PASSWORD---------------------------------------- 

    else {


        $salt = '$5$rounds=1000$' . makeSalt(16) . '$';
        $hashed_password = crypt($password, $salt);



        if ($newPass == $newPassAgain){
        $update = ("UPDATE users SET password = '$hashed_password' where username= '" .               $_SESSION["userid"] . "'") or die (mysql_error());

        if ($mysqli->query($update) === TRUE) {
            echo "Record updated successfully";
            header("Location: success.php");
        } 

        else {
            echo "Error updating record: " . $mysqli->error;
        }

    }       
}

}

赞赏正确方向的一点。

由于

2 个答案:

答案 0 :(得分:1)

您每次都使用随机盐哈希密码。

示例代码:

echo makeSalt(16) . "\n";
echo makeSalt(16) . "\n";
echo makeSalt(16) . "\n";

输出:

oAv0cGIzTECgF1gI
ypZegnQoS.d/inqA
6PPXZ/.YfupGuxPg

为了使散列相同,盐必须相同。虽然为每个用​​户提供相同的盐并不像为每个用户使用不同的哈希那样安全。 例如,您可以考虑根据用户名创建salt,或者存储salt和hash,然后从数据库中为尝试登录的用户选择salt和加密密码。 如果您使用相同的盐哈希提供的密码,则哈希应该匹配。

此外,请考虑使用sha_512而不是sha__256。 ($ 5 $ - &gt; $ 6 $)。 还可以考虑使用mysqli或PDO,因为您将获得更安全的查询(更少的机会进行mysql注入)。

(伪代码)

(Insert code)
$salt = '$6$rounds=1000$' . makeSalt(16) . '$';
$hashed_password = crypt($password,$salt);
insert into table (password_salt,password_hash...) values($salt,$hashed_password,.....);

(Verify code)
select password_salt, password_hash.... from table where user = username
if(hash_equals(crypt($password,$password_salt),$password_hash)){
  //OK
}else{
  //Wrong password!
}

答案 1 :(得分:0)

您的加密系统是安全可靠的

$user_input = "someone";
$pass_input = "something";
$auth_credentials = hash("sha512", md5(sha1(md5($user_input . $pass_input))));
echo $auth_credentials;

测试和反馈。

相关问题
最新问题