如何使用散列密码登录页面

时间:2014-12-30 06:45:54

标签: php mysql hash passwords

我在用户注册时对密码进行了哈希处理...但是当我尝试登录页面时,显示用户名或密码错误...

以下是散列码 

// Get values from form
$fullname=$_POST['userid'];
$username=$_POST['username'];
$email=$_POST['uemail'];
$password=$_POST['passid'];
$birthdate=$_POST['birthdate'];
$country=$_POST['mytextarea'];
$hash = hash('sha256', $password);

function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}

$salt = createSalt();
$password = hash('sha256', $salt . $hash);
// Insert data into mysql
$sql="INSERT INTO tbl_registration(`fullname`,`username`,`email`,`password`,`birthdate`, `country`) VALUES('{$fullname}', '{$username}', '{$email}', '{$password}', '{$birthdate}', '{$country}' )";
$result=mysql_query($sql);

以下是我使用登录代码... 

// userName and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1 ){
    if(crypt($password, $row['Password']) == $row['Password'])
    {       
        header("location:index.php");
        exit();
    }
}
else {
    //echo "Wrong Username or Password";
    header("Location:login.php?errorMssg=".urlencode("Wrong Username or Password"));
}

那我现在要做什么..

3 个答案:

答案 0 :(得分:2)

您正在将散列/加密密码与文本密码进行比较。

例如: 5a44e87906e4e5dbf7991d5784fd56f14dc426aafbd8dbb7b1e0953e1399f2ad不等于foo

注意:不推荐使用mysql函数。您应该使用PDO或其他。您的代码可以写得更清洁一点。如果您需要更好的解释,我可以帮助您。

编辑的散列码:

// Get values from form
$fullname=$_POST['userid'];
$username=$_POST['username'];
$email=$_POST['uemail'];
$password=$_POST['passid'];
$birthdate=$_POST['birthdate'];
$country=$_POST['mytextarea'];
$hash = hash('sha256', $password);

function createSalt()
{
    return '2123293dsj2hu2besdbsjdsd';
}

$salt = createSalt();
$password = hash('sha256', $salt . $hash);
// Insert data into mysql
$sql="INSERT INTO tbl_registration(`fullname`,`username`,`email`,`password`,`birthdate`, `country`) VALUES('{$fullname}', '{$username}', '{$email}', '{$password}', '{$birthdate}', '{$country}' )";
$result=mysql_query($sql);

编辑的登录代码:

// userName and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$salt = createSalt();
$hash = hash('sha256', $mypassword);
$mypassword = hash('sha256', $salt . $hash);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1 ){
    if(crypt($password, $row['Password']) == $row['Password'])
    {       
        header("location:index.php");
        exit();
    }
}
else {
    //echo "Wrong Username or Password";
    header("Location:login.php?errorMssg=".urlencode("Wrong Username or Password"));
}

function createSalt()
{
    return '2123293dsj2hu2besdbsjdsd';
}

答案 1 :(得分:0)

以下是一些说明,但请注意,不是建议良好做法

假设您拥有最小字段 ID,用户名,密码的数据库表。因此,当您从密码字段中获取输入值时,可以使用您选择的任何方法对其进行加密。

示例:$password = sha1($_POST['password']);在这种情况下,用户输入值' abcdef'。因为它是使用sha1进行加密,所以你得到的值从 abcdef 变为 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2

然后将其保存到数据库,因此在数据库密码列中,您的值为 1f8ac10f23c5b5bc1167bda84b833e5c057a77d2

现在,当用户想要登录时,他/她输入 abcdef < =这是您从输入字段获得的内容。因此,在比较数据库与输入的值之前,您必须再次将输入提供的值转换为 sha1 加密。

$password = sha1($_POST['password'];

现在您获得了加密值,因此要比较相同类型的数据。前进,让我们进行比较。

$query = "SELECT * FROM tableName WHERE (username='$username' AND password='$password')";
$result = mysqli_query($conn, $query);
if (@mysqli_num_rows($result) == 1)
{
   //if one database row (record) matches the input start the session, fetch the record and insert the three values in an array
    session_start();
    $_SESSION = mysqli_fetch_array($result, MYSQLI_ASSOC);
    header("Location: any/where/you/like");
}
else
{
    // No match was made
    $errors[] = 'Sorry no record match with the data you have submitted';
}

我认为这是比较加密值的基础。再次,这是只是插图&不是解决方案或建议

答案 2 :(得分:0)

您应该切换到PHP函数password_hash()。 SHA-256算法,特别是静态盐都不适合散列密码。

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

如果您对更多信息感兴趣,请查看我的tutorial关于安全存储密码的信息。

相关问题
最新问题