This is my hash code for checking the password, hashing.php:
<?php
class hashing {
    // compare password with hashed one
    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);   // "$2a$10$" + 22 salt characters = 29
        $new_hash  = crypt($password, $full_salt);
        return ($hash == $new_hash);
    }
}
?>
This is login.php:
<?php
require("scripts/hashing.php");
$password = $_POST['txtPassword'];
// checking in database if password exists or not
// (mysql_* functions are removed as of PHP 7; raw POST data goes straight into the query here)
$checkPassword  = mysql_query("SELECT * from $tbl_name WHERE Password='" . $password . "'");
$resultPassword = mysql_fetch_array($checkPassword);
if (!hashing::check_password($resultPassword['Password'], $password)) {
    // back to login
}
?>
The problem is that the user is allowed to log in even when they enter the wrong password.
Edit:
<?php
class hashing {
    // blowfish
    private static $algo = '$2a';
    // cost parameter
    private static $cost = '$10';

    public static function unique_salt() {
        // bcrypt expects a 22-character salt; sha1() output is hex, which is within the allowed alphabet
        return substr(sha1(mt_rand()), 0, 22);
    }

    // generate a hash (static, so it can be called as hashing::myhash())
    public static function myhash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    // compare password with hashed one
    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);   // "$2a$10$" + 22 salt characters = 29
        $new_hash  = crypt($password, $full_salt);
        return ($hash == $new_hash);
    }
}
?>
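As an added example (not the asker's code), the following stand-alone PHP script shows why the lookup in login.php above can never find a row, and what the corrected flow looks like: the row is fetched by username and the stored hash is then checked with check_password(). It reuses the hashing class from the edit (with myhash() made static and the comparison done with hash_equals(), which needs PHP 5.6 or later) and uses a constructed in-memory $users array in place of the database table; the usernames and passwords are made up for the example.

```php
<?php
// Added example: demonstrates the broken lookup from the question and the
// corrected flow, without a database. $users is a constructed stand-in for the table.

class hashing {
    private static $algo = '$2a';   // kept as in the question; '$2y' is the preferred prefix on PHP >= 5.3.7
    private static $cost = '$10';

    public static function unique_salt() {
        // bcrypt needs a 22-character salt from the ./0-9A-Za-z alphabet; hex output satisfies that
        return substr(sha1(mt_rand()), 0, 22);
    }

    public static function myhash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);     // "$2a$10$" + 22 salt characters = 29
        $new_hash  = crypt($password, $full_salt);
        return hash_equals($hash, $new_hash);  // constant-time comparison of the two strings
    }
}

// Constructed sample table: the hashes are generated when the script runs.
$users = array(
    'alice' => hashing::myhash('correct horse'),
    'bob'   => hashing::myhash('battery staple'),
);

// Broken flow from the question: search the table BY THE PLAINTEXT PASSWORD.
// The column holds bcrypt hashes, so a plaintext value never equals a stored row;
// this is the equivalent of "WHERE Password='<plaintext>'" returning no rows.
function broken_lookup(array $users, $password) {
    foreach ($users as $hash) {
        if ($hash === $password) {
            return $hash;
        }
    }
    return false;   // mysql_fetch_array() likewise yields false for an empty result
}

// Corrected flow: fetch the row BY USERNAME, then compare against the stored hash.
function login(array $users, $username, $password) {
    if (!isset($users[$username])) {
        return false;   // unknown user
    }
    return hashing::check_password($users[$username], $password);
}

var_dump(broken_lookup($users, 'correct horse'));   // never finds a row
var_dump(login($users, 'alice', 'correct horse'));  // correct user and password
var_dump(login($users, 'alice', 'wrong password')); // wrong password
var_dump(login($users, 'mallory', 'correct horse')); // unknown user

// The stored values are standard bcrypt strings, so PHP's built-in verifier
// (PHP >= 5.5) accepts them as well:
var_dump(password_verify('battery staple', $users['bob']));
```

The key change is the WHERE clause: select by the username, never by the password, because a salted hash is different on every call and is not something the client ever sends.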
Answer 0 (score: 1)
You are pulling the raw password from $_POST and comparing it with the hashed password.
// Hashed so that it can match what is in the database, otherwise it will never match up
// (my_crypt_function is a placeholder for your own hashing function)
$password = my_crypt_function($_POST['txtPassword']);
// checking in database if password exists or not
$checkPassword = mysql_query("SELECT * from $tbl_name WHERE Password='" . $password . "'");
Answer 1 (score: 0)
OK, I solved it using md5.
At registration:
// mysql_real_escape_string() needs an open mysql_* connection; the md5 output is hex, so the stored value is query-safe
$pass_hash   = md5(mysql_real_escape_string($_POST['txtPassword']));
$insertQuery = "INSERT INTO $tbl_name(Password) VALUES ('" . $pass_hash . "')";
$insert      = mysql_query($insertQuery) or die("Failed to register");
At login:
// $username is assumed to have been set from the login form
$pass_hash  = md5(mysql_real_escape_string($_POST['txtPassword']));
$checkLogin = mysql_query("SELECT * from $tbl_name WHERE Username='" . $username . "' AND Password='" . $pass_hash . "'");
if (mysql_num_rows($checkLogin) == 1) {
    $row = mysql_fetch_array($checkLogin);
    echo "Login success!";
}
else {
    echo "Login failed!";
}
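As an added example (not the answerer's code), here is the same register/login flow written with password_hash()/password_verify() (salted bcrypt, PHP 5.5 or later) and PDO prepared statements instead of string-built queries. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs without a MySQL server; the members table and the sample users are constructed for the example. It also shows the weakness of unsalted md5 that the answer above inherits: two accounts with the same password store the identical md5 value, whereas their bcrypt hashes differ.

```php
<?php
// Added example: register/login with password_hash()/password_verify() and
// bound parameters. The table name and users are constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');

// Registration: hash the raw password. No escaping step is needed because the
// value is bound as a parameter rather than concatenated into the SQL text.
function register(PDO $db, $username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT);   // random salt per call
    $stmt = $db->prepare('INSERT INTO members (Username, Password) VALUES (:u, :p)');
    $stmt->execute(array(':u' => $username, ':p' => $hash));
}

// Login: select by username only, then verify against the stored hash.
// The password (hashed or not) never appears in the WHERE clause.
function login(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT Password FROM members WHERE Username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    return password_verify($password, $row['Password']);
}

register($db, 'alice',   'hunter2');
register($db, 'bob',     'hunter2');    // same password as alice
register($db, "o'brien", 'pa55word');   // quote in the username is handled by binding

// Unsalted md5 stores the identical value for both accounts, so one cracked
// hash (or a precomputed table) exposes every account sharing that password.
echo "md5 identical for shared password: "
   . var_export(md5('hunter2') === md5('hunter2'), true) . "\n";

// bcrypt embeds a random salt, so the stored hashes differ even for equal passwords.
$rows = $db->query('SELECT Username, Password FROM members ORDER BY Username')
           ->fetchAll(PDO::FETCH_KEY_PAIR);
echo "bcrypt identical for shared password: "
   . var_export($rows['alice'] === $rows['bob'], true) . "\n";

echo "alice / hunter2:   " . var_export(login($db, 'alice', 'hunter2'), true) . "\n";
echo "alice / wrong:     " . var_export(login($db, 'alice', 'wrong'), true) . "\n";
echo "o'brien / correct: " . var_export(login($db, "o'brien", 'pa55word'), true) . "\n";
echo "unknown user:      " . var_export(login($db, 'mallory', 'hunter2'), true) . "\n";
```

Swapping the SQLite DSN for a MySQL one (for example 'mysql:host=...;dbname=...') leaves the rest unchanged, since prepared statements and password_verify() do not depend on the database engine.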