我正在尝试通过使用这篇文章使 phpass 工作:https ://sunnyis.me/blog/secure-passwords
当我创建一个新用户时没有问题。一切都上传到数据库,我得到一个看起来像这样的加盐哈希:
$2a$08$5i8TUw7Ego09blkDF6Fv.OVGyKMZjLJ7HzSfRZpX62EbsrcxhLbKK
但问题是尝试登录帐户时的验证。
<?php
ini_set('display_errors', 1);
error_reporting(E_ALL ^ E_NOTICE);
require("passwordhash.php");
if (isset($_POST['submit'])){
if(!empty($_POST['email']) && !empty($_POST['pass'])) {
$email=($_POST['email']);
$password = $_POST["pass"];
/* Getting the correct matching email account for login */
$query="SELECT * FROM user WHERE email='$email'";
$result = $mysqli->query($query);
$numrows=mysqli_num_rows($result);
if($numrows!=0){
if (strlen($password) < 72) {
/* Here is the code for retreiving the hash from database using SELECT and then trying to match it with the $password earlier in the code */
$hasher = new PasswordHash(8, false);
$stored_hash = "*";
$query = "SELECT pass FROM user WHERE email='$email'";
if($row = $result->fetch_array()) {
$stored_hash = $row['pass'];
}
$check = $hasher->CheckPassword($password, $stored_hash);
/* at this if statement it never goes through */
if ($check) {
$_SESSION['email'] = $_POST['email'];
header('Location: '. $_SERVER["REQUEST_URI"]);
die;
}
/* It always ends up in this else statement*/
else {
$feedback="Invalid username or password! $stored_hash $password";
}
} else {
$feedback="Password must be 72 characters or less";
}
} else {
$feedback="Invalid username or password!";
}
} else {
$feedback="All fields are required!";
}
}
echo "$feedback";
?>
在它总是结束的 else 语句中,我还试图查看我发送给函数的变量包含什么。$passwords 包含我在字段中作为密码输入的任何内容,并且 $stored_hash 按预期从数据库中检索完全散列的密码。
这是功能:
function CheckPassword($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
return $hash == $stored_hash;
}
所以我的问题是某些东西不能正常工作,因为变量 $check 返回一个空字符串。我的 PHP 版本(5.3.23)可能有问题还是代码有问题?