-2

我有一个允许用户输入密码的注册表单,我使用 crypt 散列这个密码

在注册表中它可以工作,并且密码在数据库中经过哈希处理和安全,但是在登录时密码不匹配并且系统不登录

任何人都可以帮助我???

register.php 中的哈希密码

//crypt password
      require_once('include/blowfish.php'); 

      $bcrypt = new Bcrypt(4);
      $hash = $bcrypt->hash($pass1);
      echo $hash;


//************Insert all the members's input to the database**************************//
$query = mysql_query("INSERT INTO members(user_name, first_name, last_name, 
governorate, district, village, birth_date, email_address, specialization,
password, registered_date )

VALUES('$username', '$firstname', '$lastname', '$governorate', '$district', 
'$village', '$bdate', '$email', '$specialization', '$hash', now())")

or die(mysql_error());

login.php 中的哈希密码

$sql=mysql_query( "SELECT user_id, email_address, first_name, user_name 
FROM members 
WHERE email_address='$email'AND password= '$pass' 
LIMIT 1") or die("error in members table");
$login_check = mysql_num_rows($sql);

  if($login_check > 0)
  {
      $row = mysql_fetch_array($sql);
      $row_pass = $row['password'];
      //***********for hashing password***************************//
require_once('include/blowfish.php');
 $bcrypt = new Bcrypt(4);
 if($bcrypt->verify($pass, $row_pass))
  {

          $id = $row['user_id'];
          $_SESSION['user_id'] = $id;

          $firstname = $row['first_name'];
          $_SESSION['first_name']= $firstname;

          $email = $row['email_address'];
          $_SESSION['email_address']= $email;

          $username = $row['user_name'];
          $_SESSION['user_name']= $username;


          mysql_query("UPDATE members SET last_log_date=now() 
WHERE user_id='$id'");

        //$message = "correct email and passworddd!!";  
          header("Location: profile.php");
         // exit();   
  }//close if 
 }//close if 
  else
  {
      $message = "incorrect Email or Password!!";
      //exit();
  }
4

1 回答 1

0

它不起作用,因为在第一个片段中,您将 $hash 保存到 members.password 中。

在第二个片段中,您从输入中检查真实密码。您需要先将其修改为散列:

$bcrypt = new Bcrypt(4);
$hash = $bcrypt->hash($pass);

$query = sprintf("SELECT user_id, email_address, first_name, user_name 
FROM members
WHERE email_address='%s'AND password= '%s'",
        mysql_real_escape_string($email),
        mysql_real_escape_string(hash));

$sql=mysql_query( $query) or die("error in members table");

$login_check = mysql_num_rows($sql);

if($login_check > 0)
{
    ...

此外,您的代码容易受到 SQL 注入的影响,并且使用了已弃用的 mysql_* 函数。

于 2013-05-19T11:40:14.037 回答