我按照网上的教程创建了一个php登录Web应用程序。 我按照本教程: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
除了登录功能,我在这里从github获取所有其他代码: https://github.com/peredurabefrog/phpSecureLogin
当我完全按照描述完成所有操作时,日志记录不起作用 我试图通过添加大量的echo语句找到失败点,看看它失败的地方,并在调用password_verify()时在登录函数中找到它:
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
echo "<p>START USER CHECK</p>";
if ($stmt = $mysqli->prepare("SELECT id, username, password
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password);
$stmt->fetch();
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
echo "<p>USER IN DB WITH EMAIL: $stmt->num_rows</p>";
echo "<p>PW, UN, DBPW: $user_id, $username, $db_password</p>";
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
echo "<p>WE ARE BRUTING</p>";
return false;
} else {
echo "<p>AT LEAST WE ARE NOT BRUTING</p>";
// Check if the password in the database matches
// the password the user submitted. We are using
// the password_verify function to avoid timing attacks.
if (password_verify($password, $db_password)) {
echo "<p>PW VERIFIED</p>";
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);
// Login successful.
return true;
} else {
echo "<p>PW NOT VERIFIED</p>";
echo "<p>Password from form (hashed with sha512?): $password</br>Password from DB: $db_password</p>";
// Password is not correct
// We record this attempt in the database
$now = time();
//$mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
结果:
处理登录
用户检查
带电子邮件的数据库中的用户:1
PW,UN,DBPW:1,sec_user, $ 2Y $ 10 $ IrzYJi10j3Jy / K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G
至少我们不是在追求
PW未经验证
表单中的密码(使用sha512散列?): 445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a 来自DB的密码: $ 2Y $ 10 $ IrzYJi10j3Jy / K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G
我看不出问题,哈希密码是不正确的?
我在forms.js脚本中添加了一些输出,并打印了非散列和散列的pw。
function formhash(form, password) {
// Create a new element input, this will be our hashed password field.
var p = document.createElement("input");
// Add the new element to our form.
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(password.value);
alert("PW: "+password.value+" -- Hashed: "+p.value);
// Make sure the plaintext password doesn't get sent.
password.value = "";
// Finally submit the form.
form.submit();
}
PW:6ZaxN2Vzm9NUJT2y - Hashed:445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a
我已经检查了其他类似的问题,但他们的解决方案失败了或者不适用于我的问题。
对不起,我迷路了。