0

我用来验证的内容

// username and password sent from form 
$myusername= filter_var($_POST['myusername'], FILTER_SANITIZE_STRING); 
$mypassword= filter_var($_POST['mypassword'], FILTER_SANITIZE_STRING); 

$sql = $dbh->prepare("SELECT * FROM $tblname WHERE UserLogin='$myusername'");
$sql->execute();
$sql = $sql->fetch();

$password_hash = $sql['UserPass'];

/*** close the database connection ***/
$dbh = null;

if(crypt($mypassword, $password_hash) == $password_hash){

我用来创建密码的东西

$salt = blowfishSalt();
$mypassword = crypt($mypassword, $salt);

$stmt = $dbh->prepare('INSERT INTO Users(UserLogin, UserPass, UserEmail, admin) VALUES(:UserLogin, :UserPass, :UserEmail, :admin)');
$stmt->execute(array(
    ':UserLogin' => $myusername,
    ':UserPass'  => $mypassword,
    ':UserEmail' => $myemail,
    ':admin'     => $admin
));

河豚盐()

function blowfishSalt($cost = 13) {
    if (!is_numeric($cost) || $cost < 4 || $cost > 31) {
        throw new Exception("cost parameter must be between 4 and 31");
    }
    $rand = array();
    for ($i = 0; $i < 8; $i += 1) {
        $rand[] = pack('S', mt_rand(0, 0xffff));
    }
    $rand[] = substr(microtime(), 2, 6);
    $rand = sha1(implode('', $rand), true);
    $salt = '$2a$' . sprintf('%02d', $cost) . '$';
    $salt .= strtr(substr(base64_encode($rand), 0, 22), array('+' => '.'));
    return $salt;
}

必须为函数删除 {},以便它在 stackoverflow 中正确格式化。我还使用 char(128) 将密码存储在 mysql 数据库中。

4

1 回答 1

0

你在验证码中有这个:

crypt($mypassword, $password_hash)

这是创建代码:

$mypassword = crypt($mypassword, $salt);

当然这些都应该使用 $mypassword 和 $salt 吗?

于 2013-08-15T16:08:57.563 回答