哈希密码没有出现它应该是什么(PHP)

时间:2016-08-14 04:46:39

标签: php mysqli hash

所以我试图建立一个相当简单的登录系统,但由于某种原因,发送到我的数据库的散列密码没有正确散列。我检查了我的数据库,存储的密码不是sha256与生成的盐附加的哈希不是它应该是什么。这是我生成上传到数据库的哈希的代码:

[CmdletBinding()]
param(
  [string][Parameter(Mandatory=$True)][ValidateNotNullOrEmpty()] $SourcePath,
  [string][Parameter(Mandatory=$True)][ValidateNotNullOrEmpty()] $FilePattern,
  [string][Parameter(Mandatory=$True)][ValidateNotNullOrEmpty()] $BuildRegex,
  [string]$BuildRegexIndex,
  [string]$ReplaceRegex,
  [string]$ReplacePrefix,
  [string]$ReplaceSuffix,
  [string]$FailIfNoMatchFound,
  [string]$BuildNumber = $ENV:BUILD_BUILDNUMBER
)

更新:我更改了上面的代码以反映我使用password_hash所做的更改。但问题仍然存在。

这是我的登录php:

<?php
include "connection.php";
//Check Connection
if ($connect->connect_error) {
    echo "Failed to connect to server: " . mysqli_connect_error();
}

//Reset all Checks
$username_exists = NULL;
$email_valid = NULL;
$passwords_match = NULL;
$password_acceptable = NULL;
$password_long_enough = NULL;
$password = NULL;

//Prepare Statements
    //Check for Username Existing Statement
    $check_username_match = $connect->stmt_init();
    $sql_check_username = "SELECT id FROM $tablename WHERE username=?";
    $check_username_match->prepare($sql_check_username);
    $check_username_match->bind_param("s", $username);

    //Insert Into Table Statement
    $register_query = $connect->stmt_init();
    $sql_register = "INSERT INTO $tablename (username, email, password, token, active, level) VALUES (?, ?, ?, ?, ?, ?)";
    $register_query->prepare($sql_register);
    $register_query->bind_param("sssssi", $username, $email, $hashedpassword, $token, $activated, $level);

//Execute When Form Submitted
if($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = mysqli_escape_string($connect, $_POST['username']);
    $email = mysqli_escape_string($connect, $_POST['email']);
    $password = $_POST['password'];
    $confirm_password = $_POST['confirm_password'];

    //Check if Username Exists
    $check_username_match->execute();
    $check_username_match->store_result();
    $numrows = $check_username_match->num_rows;
    if ($numrows==0){
        $username_exists = false;
    } else {
        $username_exists=true;
    }

    //Check if Passwords Match
    if ($password==$confirm_password){
        $passwords_match = true;
    } else {
        $passwords_match = false;
    }

    //Check if Email Address is Valid
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $email_valid = true;
    } else {
        $email_valid = false;
    }

    //Check if Passwords Contains Special Characters
    $uppercase = preg_match('@[A-Z]@', $password);
    $lowercase = preg_match('@[a-z]@', $password);
    $number    = preg_match('@[0-9]@', $password);
    //Check if Password is Long Enough
    $password_length = strlen($password);
    if ($password_length>8){
        $password_long_enough = true;
    } else {
        $password_long_enough = false;
    }

    //Validate Password
    if(!$uppercase || !$lowercase || !$number || !$password_long_enough || $password = '') {
        $password_acceptable = false;
    } else {
        $password_acceptable = true;
    }

    //Register if all Validations Met
    if(!$username_exists && $email_valid && $passwords_match && $password_acceptable){
        //$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $token = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $activated="No"; 
        $level = 0;
        $hashedpassword = password_hash($password, PASSWORD_DEFAULT);
        $register_query->execute();
        $message = "Hello, welcome to the site.\r\n\r\nPlease click on the following link to activate your account:\r\nlocalhost/login_system/activate.php?token=".$token;
        mail($email, 'Please Activate Your Account', $message);
        header("Location: login.php");
    }
}
?>

1 个答案:

答案 0 :(得分:2)

您应该将要哈希的密码提供给PHP的password_hash();函数。像这样...... 

$password = $_POST['password'];

$options = [
    'cost' => 12,
];
echo password_hash($password, PASSWORD_BCRYPT, $options);

然后,当您想检查数据库中是否存在密码时,使用password_verify();就像这样...... 

$password = PASSWORD_HERE;
$stored_hash = HASH_HERE;

if (password_verify($password, $stored_hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
相关问题
最新问题