哈希密码记录错误

时间:2015-10-13 09:21:49

标签: php sql

好的,所以当我定义变量'$ password'时,我使用'sha1'哈希我的密码,然后在登录阶段,我再次使用'sha1'但是我的错误消息无效的登录凭据是唯一发生的事情。

为registration.php 

pcap_open_live()

Login.php 

   $password = sha1($_POST['password']);
   $password_escaped = mysqli_real_escape_string ($db, $password);
   $query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename_escaped','$surname_escaped','$email_escaped','$securityq_escaped','$securitya_escaped','$password_escaped')";

成功或失败消息 

    if (!empty($_POST['email']))
{
    $email = $_POST['email'];
    $password = sha1 ($_POST['pass']);
    include('connect-db.php');
    $query = mysqli_query ($db, "SELECT * FROM admin WHERE email = '$email' AND  password = '$password'");

$row = mysqli_fetch_array ($query);
if(!empty($row['email']) AND !empty($row['password']))
{
    $_SESSION['email'] = $row['password'];

这段代码有什么问题,它不会让我使用散列密码登录?

2 个答案:

答案 0 :(得分:1)

您的代码存在一些缺陷,并且有一些可能性来解决它。

快速而肮脏的解决方法是改变线

if (!empty($_POST['email']))
{
    $email = $_POST['email'];
    $password =   ($_POST['pass']);


if (!empty($_POST['email']))
{
    $email = $_POST['email'];
    $password =   sha1($_POST['pass']); //you need to check the hashes not the password itself.

更清洁的解决方法是使用password_hash(请参阅here)。

您的代码将是:

使用mysqli db 

$myslqiDB = new mysqli("localhost", "my_user", "my_password", "world");

注册 

$email = $myslqiDB->real_escape_string($_POST['email']);
$options = [
    'cost' => 12,
];
$password = $myslqiDB->real_escape_string(password_hash ($_POST['password'],PASSWORD_BCRYPT, $options));

$query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";

$data = $myslqiDB->query ($query)or die($myslqiDB->error());

登录 

if (!empty($_POST['email']))
{
    $email = $myslqiDB->real_escape_string($_POST['email']);
    $password = $_POST['pass'];
    $query = $myslqiDB->query ("SELECT * FROM admin WHERE email = '$email'");

    $row = $myslqiDB->fetch_assoc ($query);
    if(!empty($row['email']) AND !empty($row['password']))
    {
        if (password_verify ( $password , $row['password'] ) ){
            //loggedin
        }else{
            //wrong password.
        }
    }else{
        //no user with this email
    }

答案 1 :(得分:0)

打印我的$查询以查看与数据库相比得到的密码并检查数据库中的散列密码后,我意识到数据库中的密码丢失了10个字符,我意识到我的VARCHAR设置为30。 ..和密码哈希是40!

设置VARCHAR(40)后,密码哈希就会立即生效。

任何对我有类似问题的人(愚蠢)都要确保数据库中的值足够长。

相关问题
最新问题