2

我使用以下代码将密码存储到 mysql

    if (!$errors) {
    // include the connection file
    require_once('connection.inc.php');
    $conn = dbConnect('write');
    // create a salt using the current timestamp
    $salt = time();
    // encrypt the password and salt
    $pwd = sha1($password, $salt);
    echo $pwd;
    // prepare SQL statement
    $sql = 'INSERT INTO users (username, salt, pwd)
            VALUES (?, ?, ?)';
    $stmt = $conn->stmt_init();
    $stmt = $conn->prepare($sql);
    // bind parameters and insert the details into the database
    $stmt->bind_param('sis', $username, $salt, $pwd);
    $stmt->execute();
    if ($stmt->affected_rows == 1) {
        $success = "$username has been registered. You may now log in.";
    } elseif ($stmt->errno == 1062) {
        $errors[] = "$username is already in use. Please choose another username.";
        } else {
            $errors[] = 'Sorry, there was a problem with the database.';
        }

}

密码字段 pwd 定义为 CHAR 40。当我检查它时,我发现它包含以下内容:

ƒ7Ž{9‰ù|EòsŒs”ºþ

无论我输入什么密码。自然,当我尝试使用以下代码登录时,这与密码无法比较:

    require_once('connection.inc.php');
$conn = dbConnect('read');
// get the username's details from the database
$sql = 'SELECT salt, pwd FROM users WHERE username = ?';
// initialize and prepare  statement
$stmt = $conn->stmt_init();
$stmt->prepare($sql);
// bind the input parameter
$stmt->bind_param('s', $username);
// bind the result, using a new variable for the password
$stmt->bind_result($salt, $storedPwd);
$stmt->execute();
$stmt->fetch();
// encrypt the submitted password with the salt
// and compare with stored password
if (sha1($password . $salt) == $storedPwd) {
    $_SESSION['authenticated'] = 'Jethro Tull';
    // get the time the session started
    $_SESSION['start'] = time();
    session_regenerate_id();
    header("Location: $redirect");
    exit;
} else {
    // if no match, prepare error message
    echo "  pwd " . $password;
    echo "  salt " . $salt;
    echo "  sha1 " . sha1($password . $salt);
    echo "  St. pwd " . $storedPwd;
    $error = 'Invalid username or password';
}

有谁知道为什么会这样?

4

3 回答 3

3

不确定这是否是您唯一的问题,但

 $pwd = sha1($password, $salt);

不是你如何使用该sha1功能。http://php.net/manual/en/function.sha1.php

time()将始终评估为TRUE,因此您将原始二进制格式插入到您的 char 密码字段中。导致您所看到的问题。

你可能想要做的是

 $pwd = sha1($password . $salt);
                       ^
于 2012-10-17T19:32:15.847 回答
0

sha1 默认返回二进制哈希,您将其存储在 char 字段中 - char 字段受字符集转换的影响,这意味着 mysql 正在修改哈希。将字段转换为二进制/varbinary,而不是进行字符集转换

于 2012-10-17T19:34:20.023 回答
0

您有一个简单的错字,在将数据插入数据库时​​,您使用逗号 ( ,) 而不是点 ( )。.

// encrypt the password and salt
$pwd = sha1($password, $salt);

将此与验证密码时生成哈希和的位置进行比较:

// encrypt the submitted password with the salt
// and compare with stored password
if (sha1($password . $salt) == $storedPwd) {

由于两者具有非常不同的含义,因此很小的错误将总体上产生巨大的后果。

您想形成一个由$password加号组成的新字符串,$salt但您现在给出了sha1两个参数而不是一个。

The second argument to sha1 controls what kind of data the function will return, plaintext (if false, default) vs raw data (if true).

于 2012-10-17T19:35:37.957 回答