我有一个mysql / php hash(sha1)登录问题

时间:2016-06-05 22:23:38

标签: php hash login passwords

我有一个问题,即在数据库中使用密码进行密码登录。 我的当前脚本只是告诉我“密码错误”消息,即使它正确。

-(void)signup:(NSDictionary *)dictParam completionBlock:(BlackRockManagerCompletionBlock)pCompletionBlock{
NSString *strRequestUrl = KSignup;
[Helper showGlobalProgressHUDWithTitle:@"Loading"];
AFHTTPRequestOperationManager *operationManager = [AFHTTPRequestOperationManager manager];
operationManager.responseSerializer = [AFJSONResponseSerializer serializer];
operationManager.requestSerializer = [AFJSONRequestSerializer serializer];

operationManager.responseSerializer.acceptableContentTypes = [operationManager.responseSerializer.acceptableContentTypes setByAddingObject:@"Text/html"];

AFHTTPRequestOperation *operation = [operationManager POST:strRequestUrl parameters:dictParam success:^(AFHTTPRequestOperation *operation, id responseObject) {
    [Helper dismissGlobalHUD];
    NSDictionary* dictResponse = [NSJSONSerialization
                                  JSONObjectWithData:operation.responseData //1
                                  options:kNilOptions
                                  error:nil];

    NSLog(@"%@",dictResponse);

    if ([[dictResponse valueForKey:@"status"] intValue] == 1) {
        UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
        [alt show];
        pCompletionBlock(YES);
    }
    else if([[dictResponse valueForKey:@"status"] intValue] == 2){
        UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
        [alt show];
        pCompletionBlock(NO);
    }else{
        UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
        [alt show];
    }


} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
    [Helper dismissGlobalHUD];
    NSLog(@"Failed %@",operation.responseString);
}];
[operation start];
}

2 个答案:

答案 0 :(得分:6)

你这样做是错误的。数据库密码已经散列 我希望 ,但是用户输入了纯文本密码,因此您需要对用户输入的内容进行哈希查看与您在数据库中的哈希匹配

$s = $mysqli->query("SELECT * FROM `users` WHERE `email`='{$_POST['email']}'") or die();
$i = $s->fetch_assoc();
if(sha1($_POST['password']) == $i['password']) {
    echo "works";
} else {
    echo "bad password";
}

<强>然而

  

请不要滚动您自己的密码哈希。 PHP提供password_hash()   和password_verify()请使用它们,我可能希望有一天使用您的网站   这里有一些good ideas about passwords   如果您使用的是5.5 there is a compatibility pack available here

之前的PHP版本

同时

  

您的脚本面临SQL Injection Attack的风险   看看Little Bobby Tables偶然发生了什么   if you are escaping inputs, its not safe!   使用prepared statement and parameterized statements

答案 1 :(得分:-1)

以下是如何安全地使用mysql验证sha的示例。

<?php
  // Basic php MYSQL authentication with crypted password

  $username = $_POST['username'];
  $password = $_POST['password'];
  $salt = "CrazyassLongSALTThatMakesYourUsersPasswordVeryLong123!!312567__asdSdas";
  $password = hash('sha256', $salt.$password);
  //echo $password;

  // Mysql connection
  $mysqli = new mysqli("localhost","mysqluser","mysqlpassword","mysqldatabase");
  $stmt = $mysqli->prepare('SELECT userid FROM Users WHERE password = ? AND username = ?');
  // (ss -> string, string) Always bind parameters and use prepared statement to improve security
  $stmt->bind_param("ss", $password, $username);
  $stmt->execute();
  $stmt->bind_result($userid );

  if (!empty($stmt->fetch())) {
    // if fetch is not empty we have results and password hash was correct
    echo "User was found";
  } else
    echo "User was not found";

$mysqli->close();
?>