加密的PHP登录系统(不登录)

Question

我正在努力解决我正在尝试做的事情的一个方面。我正在尝试创建一个基本的密码管理系统，但我无法使用加密密码登录。使用帐户管理页面后，密码确实会在数据库中加密，但当我注销并尝试重新登录时，密码将不再起作用。

以下是我的登录页面和更改密码页面的代码:我知道SQL注入是一个问题，但我还没有抽出时间来解决这一部分。

LOGIN2.PHP

    <link rel="stylesheet" type="text/css" href="default.css" media="screen"/>
    <?php 
     session_start();
    $dbname = "obsidian";

    if(isset($_POST['sub'])){ 



        //encryption for salt---------------------------------

        function makeSalt($salt_length)
        {   // only these characters are allowed in salt strings
        $saltset = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

        // note that this method only allows up to 6 duplicate chars
        $saltchar = "$saltset$saltset$saltset$saltset$saltset$saltset";
        // shuffles string randomly & grabs 1st n for our salt
        $salt = substr(str_shuffle($saltchar), 0, $salt_length);

        return $salt;
        }

        //Login Script


        $username = $_POST['username'] ; 
        $password = $_POST['password'] ;

        //ENCRYPTS THE USER ENTERED PASSWORD

        $salt = '$5$rounds=1000$' . makeSalt(16) . '$';
            $hashed_password = crypt($password, $salt);

        //CONNECT TO DB

        $mysqli = new mysqli('localhost','admin1', 'password1','obsidian' ) or die('Failed to connect to DB' . $mysqli->error );

        $sSQL = "select * from users where password='$hashed_password' AND username='$username'";

        $result = mysqli_query( $mysqli, $sSQL);

        if (!$sSQL) {
            printf("Error: %s\n", mysqli_error($con));
            exit();
        }

        $row = mysqli_fetch_array($result);


        if(!$row){
            echo "<div>";
            echo "No existing user or wrong password.";
            echo "</div>";
            session_destroy();
            header("Location: index.php");
        }

        else {  

            $_SESSION['userid'] =$username; 


            header("Location: index.php"); 

        }


     }

   ?>

这是用于更改密码的PHP脚本。

<?php 



 session_start();
$dbname = "obsidian";

if(isset($_POST['change'])){ 


    //CREATE SALT-------------------------------------------------------------------------

    function makeSalt($salt_length)
    {   // only these characters are allowed in salt strings
    $saltset = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    // note that this method only allows up to 6 duplicate chars
    $saltchar = "$saltset$saltset$saltset$saltset$saltset$saltset";
    // shuffles string randomly & grabs 1st n for our salt
    $salt = substr(str_shuffle($saltchar), 0, $salt_length);
    return $salt;
    }


    //Entered credentials from form---------------------------------------------------------

    $oldPass = $_POST['oldPass'];
    $newPass = $_POST['newPass'];
    $newPassAgain = $_POST['newPassAgain'];


    //Connect to DB-------------------------------------------------------------------------------

    $mysqli = new mysqli('localhost','admin1', 'password1','obsidian' ) or die('Failed to connect to DB' . $mysqli->error );


    //CHECK IF OLD PASS AND SESSION ID EQUAL-----------------------------------------------------

    $sSQL = ("select * from users WHERE password='$oldPass' AND username= '" . $_SESSION["userid"] . "'");

     $result = mysqli_query( $mysqli, $sSQL);


    if (!$sSQL) 

      {
           printf("Error: %s\n", mysqli_error($con));
           exit();
      } 


   $row = mysqli_fetch_array($result);

    //IF THERE ARE NO ROWS, DO NOT CHANGE PASSWORD-------------------------------------------

    if(!$row)

      {
           echo "<div>";
           echo "No existing user or wrong password.";
           header("Location: account.php");
           echo "</div>";
           session_destroy();
      }


    //IF THERE ARE ROWS ENCRYPT AND CHANGE PASSWORD---------------------------------------- 

    else {


        $salt = '$5$rounds=1000$' . makeSalt(16) . '$';
        $hashed_password = crypt($password, $salt);



        if ($newPass == $newPassAgain){
        $update = ("UPDATE users SET password = '$hashed_password' where username= '" .               $_SESSION["userid"] . "'") or die (mysql_error());

        if ($mysqli->query($update) === TRUE) {
            echo "Record updated successfully";
            header("Location: success.php");
        } 

        else {
            echo "Error updating record: " . $mysqli->error;
        }

    }       
}

}   

如果方向正确，我们将不胜感激。

谢谢

Answer 1

你每次都会用一个随机的盐来散列密码。

示例代码：

echo makeSalt(16) . "\n";
echo makeSalt(16) . "\n";
echo makeSalt(16) . "\n";

输出：

oAv0cGIzTECgF1gI
ypZegnQoS.d/inqA
6PPXZ/.YfupGuxPg

为了使散列相同，盐也必须相同。尽管对每个用户使用相同的盐并不像对每个用户使用不同的散列那样安全。例如，您可以考虑根据用户名创建salt，或者存储salt和散列，然后从数据库中为尝试登录的用户选择salt和加密密码。然后，如果您使用相同的盐对提供的密码进行散列，则散列应该匹配。

此外，请考虑使用sha_512而不是sha__256。($5$ -> $6$)。还可以考虑使用mysqli或PDO，因为这样可以获得更安全的查询(使用mysql注入的机会更少)。

(伪代码)

(Insert code)
$salt = '$6$rounds=1000$' . makeSalt(16) . '$';
$hashed_password = crypt($password,$salt);
insert into table (password_salt,password_hash...) values($salt,$hashed_password,.....);

(Verify code)
select password_salt, password_hash.... from table where user = username
if(hash_equals(crypt($password,$password_salt),$password_hash)){
  //OK
}else{
  //Wrong password!
}

Answer 2

你的加密系统就是这样安全可靠的

$user_input = "someone";
$pass_input = "something";
$auth_credentials = hash("sha512", md5(sha1(md5($user_input . $pass_input))));
echo $auth_credentials;

测试和反馈。