自从我第一次开始学习有关散列和加盐密码的知识以来,我的代码就遇到了很多麻烦。首先,我学习如何使用 MD5 对密码进行“散列”(是的,不要再这样做了),然后使用散列和 SHA256,最后使用 bcrypt(或者至少我认为它是 bcrypt)。这是我现在的注册码:
注册.php
<html>
<head>
<title>PDO - hashing algorithm</title>
</head>
<body>
<?php
if(isset($_POST['submit'])) {
define( "DB_DSN", "mysql:host=localhost;dbname=test" );
define ( "DB_USER", "root" );
define ( "DB_PASS", "" );
try {
$connect = new PDO (DB_DSN, DB_USER, DB_PASS);
$query = "CREATE TABLE IF NOT EXISTS `users` (
`id` INT(11) PRIMARY KEY AUTO_INCREMENT NOT NULL,
`username` VARCHAR(100) NOT NULL,
`password` VARCHAR(500) NOT NULL
)ENGINE=InnoDB DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_swedish_ci;";
$stmt = $connect->prepare($query);
$stmt->execute();
} catch (PDOException $e) {
echo $e->getMessage();
}
// Let's hash the password
$salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22);
$hashedpassword = crypt($_POST['password']. '$2a$12$' .$salt);
try {
$query = "INSERT INTO `users` (`username`, `password`) VALUES (:username, :password)";
$stmt = $connect->prepare($query);
$stmt->execute(array(
':username' => $_POST['username'],
':password' => $hashedpassword
));
if ($stmt->rowCount() == 1) {
echo "Well done, user has registered successfully";
} else {
echo "An error occured.. Please try again";
}
} catch (PDOException $e) {
echo $e->getMessage();
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<p>Username: <input type="text" name="username"/></p>
<p>Password: <input type="password" name="password" /></p>
<input type="submit" name="submit" />
</form>
</body>
</html>
这段代码确实有效并且会加密密码,所以这不是我的主要问题。我的主要问题是,当我想创建登录页面时,如何比较用户输入的密码和存储在数据库中的密码?
这是我的 login.php 自动取款机。告诉我,如果你看到我没有看到的东西,但我无法让它工作,它不会从数据库中输出用户名和密码。
<?php
try {
define( "DB_DSN", "mysql:host=localhost;dbname=test" );
define ( "DB_USER", "root" );
define ( "DB_PASS", "" );
$connect = new PDO (DB_DSN, DB_USER, DB_PASS);
} catch (PDOException $e) {
echo $e->getMessage();
}
if(isset($_POST['submit'])) {
$query = "SELECT * FROM `users` WHERE (username) = :username";
$stmt = $connect->prepare($query);
$stmt->execute(array(
':username' => $_POST['username']
));
if($stmt->rowCount() == 0) {
echo "User doesn't exist";
}
$row = $stmt->fetch();
if (crypt($_POST['password'], $row['password']) == $row['password']) {
echo $row['username']. $row['password'];
} else {
return false;
}
}
?>