我熟悉crypt系统,但我尝试实现一些散列函数,但是在用户注册后我无法登录。这是我有哈希的类
class PassHash {
// blowfish
private static $algo = '$2a';
// cost parameter
private static $cost = '$10';
// mainly for internal use
public static function unique_salt() {
return substr(sha1(mt_rand()),0,22);
}
// this will be used to generate a hash
public static function hash($password) {
return crypt($password,
self::$algo .
self::$cost .
'$' . self::unique_salt());
}
// this will be used to compare a password against a hash
public static function check_password($hash, $password) {
$full_salt = substr($hash, 0, 29);
$new_hash = crypt($password, $full_salt);
return ($hash == $new_hash);
}
}
这是登录表单
include 'misc/database.inc.php';
require ("misc/hash.php");
if(isSet($_POST['submit'])) {
$pdo = Database::connect();
$username=$_POST['username'];
$password="";
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1"); //Limiting result to one only.
$stmt->bindParam(':username', $username);
$stmt->execute();
$res = $stmt -> fetch(PDO::FETCH_OBJ); // Asks to fetch as an object.
$password = $res->password;
if (PassHash::checkHash($password, $_POST['password'])) {
if ($res['level'] == 1)
{
$_SESSION['firstname'] = $res['firstname'];
$_SESSION['lastname'] = $res['lastname'];
$_SESSION['email'] = $res['email'];
header( "location: users/main.php");
}
else
{
header("location: index.php");
}
} else
{
echo "can't enter";
}
我一直在error。同样的密码(我使用123321进行测试)每次存储不同的hash或者注册表格中是否有错误也是正常的吗?
这是userAdd文件。
if ( !empty($_POST) && isset($_POST['submit'] ))
{
// keep track post values
$username= $_POST['username'];
$pw = new PassHash();
$myHash = $pw->hash($_POST['password']);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
// update data
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE users set username = ?, password = ?, firstname = ?, lastname = ?, email = ?, user_image = ? WHERE user_id = ?";
$q = $pdo->prepare($sql);
$q-execute(array($username,$myHash,$firstname,$lastname,$email,$pathForDB,$user_id));
答案 0 :(得分:2)
认为我发现了您的具体错误。 您要发送一个空白密码变量进行验证,看看这里,我评论了我编辑的重要部分。
require ("misc/hash.php");
if(isSet($_POST['submit'])) {
$pdo = Database::connect();
$username=$_POST['username'];
$password="";
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1"); //Limiting result to one only.
$stmt->bindParam(':username', $username);
$stmt->execute();
$res = $stmt -> fetch(PDO::FETCH_OBJ); // Asks to fetch as an object.
// PASSWORD IS STILL EMPTY HERE!
// Must fill it out, to be the hashed password from database
$password = $res->password;
if (PassHash::check_password($password, $_POST['password'])) {
这可以解决您的问题吗?
你可以尝试一下吗?
class PassHash {
protected function salter() {
$salt = "";
$salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
for($i=0; $i < 22; $i++) {
$salt .= $salt_chars[array_rand($salt_chars)];
}
return $salt;
}
public function hash($input, $rounds = 7)
{
return crypt($input, sprintf('$2a$%02d$', $rounds) . $this->salter());
}
public function checkHash($password, $hash) {
if( crypt($password, $hash) == $hash ) {
return true;
}
return false;
}
}
$pw = new PassHash();
$myHash = $pw->hash("1234");
if( $pw->checkHash("1234", $myHash) ) {
echo "I did it!";
} else {
echo "I diden't do it!";
}