1

自从我第一次开始学习有关散列和加盐密码的知识以来,我的代码就遇到了很多麻烦。首先,我学习如何使用 MD5 对密码进行“散列”(是的,不要再这样做了),然后使用散列和 SHA256,最后使用 bcrypt(或者至少我认为它是 bcrypt)。这是我现在的注册码:

注册.php

<html>
<head>
<title>PDO - hashing algorithm</title>
</head>
<body>
    <?php
        if(isset($_POST['submit'])) {
            define( "DB_DSN", "mysql:host=localhost;dbname=test" );
            define ( "DB_USER", "root" );
            define ( "DB_PASS", "" );

            try {
            $connect = new PDO (DB_DSN, DB_USER, DB_PASS);
            $query = "CREATE TABLE IF NOT EXISTS `users` (
                    `id` INT(11) PRIMARY KEY AUTO_INCREMENT NOT NULL,
                    `username` VARCHAR(100) NOT NULL,
                    `password` VARCHAR(500) NOT NULL
            )ENGINE=InnoDB DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_swedish_ci;";
            $stmt = $connect->prepare($query);
            $stmt->execute();

            } catch (PDOException $e) {
                echo $e->getMessage();
            }
            // Let's hash the password
            $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
            $hashedpassword = crypt($_POST['password']. '$2a$12$' .$salt);
        try {
        $query = "INSERT INTO `users` (`username`, `password`) VALUES (:username, :password)";
        $stmt = $connect->prepare($query);
        $stmt->execute(array(
                            ':username' => $_POST['username'],
                            ':password' => $hashedpassword
                        ));
                if ($stmt->rowCount() == 1) {
                    echo "Well done, user has registered successfully";

                } else {
                    echo "An error occured.. Please try again";
                }
        } catch (PDOException $e) {
            echo $e->getMessage();  
        }
    }
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
    <p>Username: <input type="text" name="username"/></p>
    <p>Password: <input type="password" name="password" /></p>
    <input type="submit" name="submit" />
    </form>
</body>
</html>

这段代码确实有效并且会加密密码,所以这不是我的主要问题。我的主要问题是,当我想创建登录页面时,如何比较用户输入的密码和存储在数据库中的密码?

这是我的 login.php 自动取款机。告诉我,如果你看到我没有看到的东西,但我无法让它工作,它不会从数据库中输出用户名和密码。

<?php
        try {
        define( "DB_DSN", "mysql:host=localhost;dbname=test" );
        define ( "DB_USER", "root" );
        define ( "DB_PASS", "" );

            $connect = new PDO (DB_DSN, DB_USER, DB_PASS);

        } catch (PDOException $e) {

            echo $e->getMessage();
        }

        if(isset($_POST['submit'])) {

        $query = "SELECT * FROM `users` WHERE (username) = :username";
        $stmt = $connect->prepare($query);
        $stmt->execute(array(
                        ':username' => $_POST['username']
                        ));
            if($stmt->rowCount() == 0) {
                echo "User doesn't exist";
            } 
                $row = $stmt->fetch();

                if (crypt($_POST['password'], $row['password']) == $row['password']) {
                    echo $row['username']. $row['password'];
                } else {
                    return false;
                }
        }
    ?>
4

1 回答 1

1

Please see this link for a tutorial on how to do it: Using bcrypt to store passwords

EDIT:

I found some of my working code that I will post here to hopefully help.

First, I use a custom function:

function better_crypt($input, $rounds = 7){
    $salt = "";
    $salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9));
    for($i=0; $i < 22; $i++) {
        $salt .= $salt_chars[array_rand($salt_chars)];
    }

    return crypt($input, sprintf('$2a$%02d$', $rounds) . $salt);
}

Then when the account is first created, store the $password_hash in the database:

$password_hash = better_crypt($_POST['password']);

Then when logging in, compare the submitted password versus the password hash in the database:

// $password = submitted login form password
// $row['password'] = the password hash in the database
if(crypt($password, $row['password']) == $row['password']) {
//Success!
于 2013-05-23T00:31:07.207 回答