猿问

如何从数据库和auth用户收回盐渍密码?

这是我第一次使用salted密码实现成员站点的试验,这些密码都存储在DB(MySQL)中。除了“登录会员”页面中的错误外,一切正常。


错误: 成员登录页面接受会员网站的任何条目,并由于某种原因通过我的检查$result === false


这是检查成员是否存在的代码,请让我知道问题所在:


$servername = 'localhost';

$username = 'root';

$pwd = '';

$dbname = 'lp001';


$connect = new mysqli($servername,$username,$pwd,$dbname);


if ($connect->connect_error){

    die('connection failed, reason: '.$connect->connect_error);

}



$name = mysqli_real_escape_string($connect, $_POST['name']);

$password = mysqli_real_escape_string($connect, $_POST['password']);

$saltQuery = "SELECT salt FROM users WHERE name = '$name';";

$result = mysqli_query($connect, $saltQuery);

if ($result === false){

    die(mysqli_error());

}

$row = mysqli_fetch_assoc($result);

$salt = $row['salt'];


$saltedPW = $password.$salt;

$hashedPW = hash('sha256', $saltedPW);

$sqlQuery = "SELECT * FROM users WHERE name = '$name' AND password = '$hashedPW'";


if (mysqli_query($connect, $sqlQuery)){

    echo '<h1>Welcome to the member site '.$name.'</h1>';

}else{

    echo 'error adding the query: '.$sql_q.'<br> Reason: '.mysqli_error($connect);

}


翻阅古今
浏览 538回答 2
2回答

largeQ

SHA- *算法不能安全存储密码,而是使用函数password_hash()生成安全的BCrypt哈希。它将使盐分别存储变得无关紧要
0

LEATH

开发人员通常很难验证登录密码,因为他们不确定如何处理存储的密码哈希。他们知道密码应该使用适当的函数(如password_hash()进行哈希处理,并将它们存储在一个varchar(255)字段中:// Hash a new password for storing in the database.// The function automatically generates a cryptographically safe salt.$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);在登录表单中,我们无法直接使用SQL验证密码,也无法搜索密码,因为存储的哈希值已被加密。相反,我们......必须从数据库中读取密码哈希,按用户ID搜索然后可以使用password_verify()函数检查找到的哈希值的登录密码。您可以在下面找到一些示例代码,展示如何使用mysqli连接进行密码验证。代码没有错误检查以使其可读:/**&nbsp;* mysqli example for a login with a stored password-hash&nbsp;*/$mysqli = new mysqli($dbHost, $dbUser, $dbPassword, $dbName);$mysqli->set_charset('utf8');// Find the stored password hash in the db, searching by username$sql = 'SELECT password FROM users WHERE username = ?';$stmt = $mysqli->prepare($sql);$stmt->bind_param('s', $_POST['username']); // it is safe to pass the user input unescaped$stmt->execute();// If this user exists, fetch the password-hash and check it$isPasswordCorrect = false;$stmt->bind_result($hashFromDb);if ($stmt->fetch() === true){&nbsp; // Check whether the entered password matches the stored hash.&nbsp; // The salt and the cost factor will be extracted from $hashFromDb.&nbsp; $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb);}请注意,该示例使用预准备语句来避免SQL注入,在这种情况下不需要转义。从pdo连接读取的等效示例可能如下所示:/**&nbsp;* pdo example for a login with a stored password-hash&nbsp;*/$dsn = "mysql:host=$dbHost;dbname=$dbName;charset=utf8";$pdo = new PDO($dsn, $dbUser, $dbPassword);// Find the stored password hash in the db, searching by username$sql = 'SELECT password FROM users WHERE username = ?';$stmt = $pdo->prepare($sql);$stmt->bindValue(1, $_POST['username'], PDO::PARAM_STR); // it is safe to pass the user input unescaped$stmt->execute();// If this user exists, fetch the password hash and check it$isPasswordCorrect = false;if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false){&nbsp; $hashFromDb = $row['password'];&nbsp; // Check whether the entered password matches the stored hash.&nbsp; // The salt and the cost factor will be extracted from $hashFromDb.&nbsp; $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb);}
0
随时随地看视频慕课网APP

相关分类

MySQL
PHP
php如何把参数放在Http Request Heade???? 1 回答
我要回答