1

我有一个奇怪的问题。我将发布两段代码,希望能清楚地说明我的问题。以下代码根据用户输入的密码创建哈希,我使用的是 hmac 和 bcrypt:

if(isset($_POST['username'])){
    $username = preg_replace('#[^a-z0-9]#i', '', $_POST['username']);
    $email1 = strip_tags($_POST['email1']);
    $email2 = strip_tags($_POST['email2']);
    $pass1 = strip_tags($_POST['pass1']);
    $pass2 = strip_tags($_POST['pass2']);
    // make sure no fields are blank /////
    if(trim($username) == "" || trim($email1) == "" || trim($pass1) == "" || trim($pass2) == ""){
        echo "Error: All fields are required. Please press back in your browser and try again.";
        $db = null;
        exit();
    }
    /// Make sure both email fields match /////
    if($email1 != $email2){
        echo "Your email fields do not match. Press back and try again";
        exit();
    }
    //// Make sure both password fields match ////
    else if($pass1 != $pass2){
        echo "Your password fields do not match. Press back and try again";
        exit();
    }
    //// create the hmac /////
    $hmac = hash_hmac('sha512', $pass1, file_get_contents('my/path/to/key.txt'));
    //// create random bytes for salt ////
    $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    //// Create salt and replace + with . ////
    $salt = strtr(base64_encode($bytes), '+', '.');
    //// make sure our bcrypt hash is 22 characters which is the required length ////
    $salt = substr($salt, 0, 22);
    //// This is the hashed password to store in the db ////
    $bcrypt = crypt($hmac, '$2y$12$' . $salt);
        echo $bcrypt;

这段代码工作得很好,并创建了一个看起来像这样的哈希:

$2y$12$Oysi/5oZjF4vlUYx4PvgJ.GSpAQb7njNzSTUnEy/QOFzPxqRpHFV6

我遇到的问题是在执行一些错误处理然后插入哈希密码被切断的数据之后。只是为了让您知道我存储它的字段最初设置为 VARCHAR(255),我什至将其更改为 TEXT,但它仍然被切断。这是我刚刚回显上面密码的其余代码:

//// Create token for activation script ////
    $token = md5($bcrypt);
    //// query to check if email is in the db already ////
    $stmt = $db->prepare("SELECT email FROM members WHERE email=:email1 LIMIT 1");
    $stmt->bindValue(':email1',$email1,PDO::PARAM_STR);
    try{
    $stmt->execute();
    $count = $stmt->rowCount();
    }
    catch(PDOException $e){
        echo $e->getMessage();
            $db = null;
            exit();
    }
    //// query to check if the username is in the db already ////
    $unameSQL = $db->prepare("SELECT username FROM members WHERE username=:username LIMIT 1");
    $unameSQL->bindValue('username',$username,PDO::PARAM_STR);
    try{
        $unameSQL->execute();
        $unCount = $unameSQL->rowCount();
    }
    catch(PDOException $e){
        echo $e->getMessage();
        $db = null;
        exit();
    }
    ///Check if email is in the db already ////
    if($count > 0){
        echo "Sorry, that email is already in use in the system";
        $db = null;
        exit();
    }
    //// Check if username is in the db already ////
    if($unCount > 0){
        echo "Sorry, that username is already in use in the system";
        $db = null;
        exit();
    }
    try{
        $db->beginTransaction();
        $ipaddress = getenv('REMOTE_ADDR');
        $stmt2 = $db->prepare("INSERT INTO members (username, email, password, signup_date, ipaddress) VALUES (:username, :email1, :bcrypt, now(), :ipaddress)");
        $stmt2->bindParam(':username', $username, PDO::PARAM_STR);
        $stmt2->bindParam(':email1',$email1,PDO::PARAM_STR);
        $stmt2->bindParam(':bcrypt',$bcrypt,PDO::PARAM_STR);
        $stmt2->bindParam(':ipaddress',$ipaddress,PDO::PARAM_INT);
        $stmt2->execute();
        /// Get the last id inserted to the db which is now this users id for activation and member folder creation ////
        $lastId = $db->lastInsertId();
        $stmt3 = $db->prepare("INSERT INTO activate (user, token) VALUES ('$lastId', :token)");
        $stmt3->bindValue(':token',$token,PDO::PARAM_STR);
        $stmt3->execute();
        //// Send email activation to the new user ////
        $from = "From: Auto Resposder @ GotCode <admin@gotcode.org>";
        $subject = "IMPORTANT: Activate your gotCode account";
        $link = 'http://www.gotcode.org/activate.php?user='.$lastId.'&token='.$token.'';
        //// Start Email Body ////
        $message = "
Thanks for registering an account at gotCode.org! Were glad you decided to join us in this wacky adventure.
Theres just one last step to set up your account. Please click the link below to confirm your identity and get started.
If the link below is not active please copy and paste it into your browser address bar. See you on the site!

$link
";
        //// Set headers ////
        $headers = 'MIME-Version: 1.0' . "rn";
        $headers .= "Content-type: textrn";
        $headers .= "From: $fromrn";
        /// Send the email now ////
        mail($email1, $subject, $message, $headers, '-f noreply@mywebsite.org');
        $db->commit();
        echo "Thanks for joining! Check your email in a few moments to activate your account so that you may log in. See you on the site!<br />$bcrypt<br />$hmac<br />$salt<br />$token"; 
        exit();
        $db = null;
        exit();
    }
        catch(PDOException $e){
            $db->rollBack();
            echo $e->getMessage();
            $db = null;
            exit();
        }
}

其余代码也可以正常工作,因为数据被插入到数据库中,并且我的电子邮件激活被发送出去。问题是现在散列密码存储在数据库中,如下所示:

$2hm7KFNCFyfM

我很难弄清楚为什么当我只是回显散列密码时,它是一个很好的长散列字符串,但在错误检查并插入数据库之后它被切断了。也许一双额外的眼睛可以发现我的错误?非常感谢!

4

1 回答 1

0

好的...我所要做的就是从 5.2 升级我的 php 版本。

要更具体地说明问题所在:对于 PHP < 5.3,当使用河豚算法时,应该使用

$2a$

大于 PHP 5.2 使用

$2y$

换句话说,在不更新我的 php 版本的情况下,解决此问题的方法是更改​​此行:

$bcrypt = crypt($hmac, '$2y$12$' . $salt);

对此:

$bcrypt = crypt($hmac, '$2a$12$' . $salt);

以防万一有人遇到同样的问题:)

于 2013-04-03T21:48:40.233 回答