0

可能重复:
PHP 密码的安全哈希和盐

我目前是一名学生,我渴望成为一名出色的开发人员。我目前正在练习如何正确加密和散列数据到数据库。

这是我当前的实现:

登录索引.php

<?php

//Takes a password and returns the salted hash
//$password - the password to hash
//returns - the hash of the password (128 hex characters)
function HashPassword($password)
{
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
    $hash = hash("sha256", $salt . $password); //prepend the salt, then hash
    //store the salt and hash in the same string, so only 1 DB column is needed
    $final = $salt . $hash; 
    return $final;
}

//Validates a password
//returns true if hash is the correct hash for that password
//$hash - the hash created by HashPassword (stored in your DB)
//$password - the password to verify
//returns - true if the password is valid, false otherwise.
function ValidatePassword($password, $correctHash)
{
    $salt = substr($correctHash, 0, 64); //get the salt from the front of the hash
    $validHash = substr($correctHash, 64, 64); //the SHA256
    echo $salt ."    salt" ."<br/> ";
    echo $validHash . " hash " ."<br/> ";
    echo $correctHash . " password " ."<br/> ";


    $testHash = hash("sha256", $salt . $password); //hash the password being tested

    //if the hashes are exactly the same, the password is valid
    return $testHash === $validHash;
}


?>

<?php
include 'login_config.php';
if(isset($_POST['login']))
{
    $password = $_POST['password'];
    $email = $_POST['email'];
    $Get_User = "Select * From users Where Email = '$email'";
    $hashed_password = "";
    $result = mysql_query($Get_User);
    if(mysql_num_rows($result) > 0)
    {
        while($row = mysql_fetch_array($result))
        {
            $hashed_password = $row['password'];

        }
    }


    $valid = ValidatePassword($password,$hashed_password);

    if($valid)
    {
        echo "<br/>";
        echo "Yes,Login successful";
    }
    else
    {
        echo "<br/>";
        echo "Oops,Wrong Email or Password";
    }
}
?>


<form action="" method="post">
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="login" />
</form>

login_create.php

<form action="" method="post">
Firstname: <input type="text" name="fname" /><br />
Lastname: <input type="text" name="lname" /><br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="save" />
</form>

<?php

include 'login_config.php';

function HashPassword($password)
{
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
    $hash = hash("sha256", $salt . $password); //prepend the salt, then hash
    //store the salt and hash in the same string, so only 1 DB column is needed
    $final = $salt . $hash; 
    return $final;

}


if(isset($_POST['save']))
{
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = $_POST['email'];
    $password = HashPassword($_POST['password']);




    $insert = "Insert Into users (Fname,Lname,Email,Password) Values ('$fname','$lname','$email','$password')";
    $query = mysql_query($insert);

}


?>



</form>

我想知道如何进一步改进我目前的实施,以便我进一步发展我的技能,同时向专家/专业人士学习。我是否至少以某种方式正确实现了散列?

先生/女士,您的回答将有很大帮助,我们将不胜感激。谢谢++

4

0 回答 0