0

所以我正在尝试实现 Bcrypt,我可以让它很好地加密密码,但不能让它从数据库中检索密码。它破坏了网站。

这是我知道它不是最安全的代码,但我将在完成此工作后实施 PDO 准备好的语句。

check_login.php:

<?php
session_start();
require 'functions.php';

ob_start();
$host="localhost"; // Host name 
$username="user"; // Mysql username 
$password="XXXXX"; // Mysql password 
$db_name="DB"; // Database name 
$tbl_name="CLL_users"; // Table name 
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 

$mypassword = $bcrypt->verify($_POST['mypassword'], "$Hash");


// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$myusername = mysql_real_escape_string($myusername);
$sql="SELECT * FROM $tbl_name WHERE user_name='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername'] = $myusername;
    session_is_registered("myusername");
    session_is_registered("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>

main_login.php:

<html>
    <head>
        <title> Welcome</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
            <LINK href="CLL.css" rel="stylesheet" type="text/css">
    </head>
 <body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<form name="form1" method="post" action="check_login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
     <?php $_SESSION['myusername'];?>
    </body>
</html>

登录_成功.php:

<?php
session_start();
session_is_registered(myusername);
$userCurrent = $_SESSION['myusername'];
$host="localhost"; // Host name 
$username="user"; // Mysql username 
$password="XXXXX"; // Mysql password 
$db_name="DB"; // Database name 
$tbl_name="CLL_users"; // Table name 
date_default_timezone_set('America/Chicago');
$dateCreated = date('m/d/Y h:i:s a', time());

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$sql="UPDATE CLL_users SET last_login= '$dateCreated' WHERE user_name= '$userCurrent'";
$result=mysql_query($sql);

if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>

<html>
    <head>
        <title> Welcome</title>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
            <LINK href="CLL.css" rel="stylesheet" type="text/css">
    </head>
 <body>
     <?php echo $userCurrent ?>
<p>Login Successful</p>
</body>
</html>

函数.php:

    <?php

class Bcrypt {
  private $rounds;
  public function __construct($rounds = 12) {
    if(CRYPT_BLOWFISH != 1) {
      throw new Exception("bcrypt not supported in this installation. See http://php.net/crypt");
    }

    $this->rounds = $rounds;
  }

  public function hash($input) {
    $hash = crypt($input, $this->getSalt());

    if(strlen($hash) > 13)
      return $hash;

    return false;
  }

  public function verify($input, $existingHash) {
    $hash = crypt($input, $existingHash);

    return $hash === $existingHash;
  }

  private function getSalt() {
    $salt = sprintf('$2a$%02d$', $this->rounds);

    $bytes = $this->getRandomBytes(16);

    $salt .= $this->encodeBytes($bytes);

    return $salt;
  }

  private $randomState;
  private function getRandomBytes($count) {
    $bytes = '';

    if(function_exists('openssl_random_pseudo_bytes') &&
        (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL slow on Win
      $bytes = openssl_random_pseudo_bytes($count);
    }

    if($bytes === '' && is_readable('/dev/urandom') &&
       ($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
      $bytes = fread($hRand, $count);
      fclose($hRand);
    }

    if(strlen($bytes) < $count) {
      $bytes = '';

      if($this->randomState === null) {
        $this->randomState = microtime();
        if(function_exists('getmypid')) {
          $this->randomState .= getmypid();
        }
      }

      for($i = 0; $i < $count; $i += 16) {
        $this->randomState = md5(microtime() . $this->randomState);

        if (PHP_VERSION >= '5') {
          $bytes .= md5($this->randomState, true);
        } else {
          $bytes .= pack('H*', md5($this->randomState));
        }
      }

      $bytes = substr($bytes, 0, $count);
    }

    return $bytes;
  }

  private function encodeBytes($input) {
    // The following is code from the PHP Password Hashing Framework
    $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

    $output = '';
    $i = 0;
    do {
      $c1 = ord($input[$i++]);
      $output .= $itoa64[$c1 >> 2];
      $c1 = ($c1 & 0x03) << 4;
      if ($i >= 16) {
        $output .= $itoa64[$c1];
        break;
      }

      $c2 = ord($input[$i++]);
      $c1 |= $c2 >> 4;
      $output .= $itoa64[$c1];
      $c1 = ($c2 & 0x0f) << 2;

      $c2 = ord($input[$i++]);
      $c1 |= $c2 >> 6;
      $output .= $itoa64[$c1];
      $output .= $itoa64[$c2 & 0x3f];
    } while (1);

    return $output;
  }
}


function valid_email($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}
?>
4

1 回答 1

1

在 check_login.php 中包含 functions.php 但我看不到您在此行之前声明 $bcrypt 的位置,

$mypassword = $bcrypt->verify($_POST['mypassword'], "$Hash");

如果它是一个静态函数,你可以尝试

$mypassword = Bcrypt::verify($_POST['mypassword'], "$Hash");
于 2012-11-02T02:16:12.317 回答