文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >Phpass哈希密码检查

Phpass哈希密码检查
EN

Stack Overflow用户
提问于 2013-02-09 19:40:48
回答 1查看 590关注 0票数 0

在过去的3周里,我一直在开发我自己的社交网络,我正在使用以下代码片段使用phpass将密码散列到我的数据库中。

代码语言:javascript
复制
// END FORM DATA ERROR HANDLING
// Begin Insertion of data into the database

require("php_includes/PasswordHash.php");
$hasher = new PasswordHash(8,false);
$p_hash = $hasher->HashPassword($p);
if (strlen($p_hash)>=20){

    // Add user info into the database table for the main site table
    $sql = "INSERT INTO users (username, email, password, gender, country, ip, signup, lastlogin, notescheck)       
            VALUES('$u','$e','$p_hash','$g','$c','$ip',now(),now(),now())";
    $query = mysqli_query($db_conx, $sql); 
    $uid = mysqli_insert_id($db_conx);

我的小问题是在我的登录页面上,我有一个简单的表单和以下代码块在我的页面顶部…

代码语言:javascript
复制
include_once("php_includes/check_login_status.php");
// If user is already logged in, header that weenis away
if($user_ok == true){
    header("location: user.php?u=".$_SESSION["username"]);
    exit();
}
// AJAX CALLS THIS LOGIN CODE TO EXECUTE
if(isset($_POST["e"])){
    // CONNECT TO THE DATABASE
    include_once("php_includes/db_conx.php");
    // GATHER THE POSTED DATA INTO LOCAL VARIABLES AND SANITIZE
    $e = mysqli_real_escape_string($db_conx, $_POST['e']);
    require('php_includes/PasswordHash.php');
    $hasher = new PasswordHash(8, FALSE);
    $hash = $hasher->HashPassword($p);
    $checked = $hasher->CheckPassword($p, $hash);
    $p = $_POST["p"];
    // GET USER IP ADDRESS
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
    // FORM DATA ERROR HANDLING
    if($e == "" || $p == ""){
        echo "login_failed";
        exit();
    } else {
    // END FORM DATA ERROR HANDLING
        $sql = "SELECT id, username, password FROM users WHERE email='$e' AND activated='1' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $row = mysqli_fetch_row($query);
        $db_id = $row[0];
        $db_username = $row[1];
        $db_pass_str = $row[2];
        if($p != $db_pass_str){
            echo "login_failed";
            exit();
        } else {
            // CREATE THEIR SESSIONS AND COOKIES
            $_SESSION['userid'] = $db_id;
            $_SESSION['username'] = $db_username;
            $_SESSION['password'] = $db_pass_str;
            setcookie("id", $db_id, strtotime( '+30 days' ), "/", "", "", TRUE);
            setcookie("user", $db_username, strtotime( '+30 days' ), "/", "", "", TRUE);
            setcookie("pass", $db_pass_str, strtotime( '+30 days' ), "/", "", "", TRUE); 
            // UPDATE THEIR "IP" AND "LASTLOGIN" FIELDS
            $sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            echo $db_username;
            exit();
        }
    }
    exit();
}

基本上发生的事情是,我得到了一个错误信息,当尝试登录!有人有什么想法吗?

对答案的欢呼就像这样引导它...

代码语言:javascript
复制
?><?php
// AJAX CALLS THIS LOGIN CODE TO EXECUTE
if(isset($_POST["e"])){
    // CONNECT TO THE DATABASE
    include_once("php_includes/db_conx.php");
    // GATHER THE POSTED DATA INTO LOCAL VARIABLES AND SANITIZE
    $e = mysqli_real_escape_string($db_conx, $_POST['e']);
    require('php_includes/PasswordHash.php');
    $hasher = new PasswordHash(8, FALSE);
    $hash = $hasher->HashPassword($p);
    $checked = $hasher->CheckPassword($p, $hash);
    $hash = $_POST["p"];
    // GET USER IP ADDRESS
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
    // FORM DATA ERROR HANDLING
    if($hash != $db_pass_str){//and not $p != $dp_pass_str
       echo "login_failed";
       exit();
    } else {
    // END FORM DATA ERROR HANDLING
        $sql = "SELECT id, username, password FROM users WHERE email='$e' AND activated='1' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $row = mysqli_fetch_row($query);
        $db_id = $row[0];
        $db_username = $row[1];
        $db_pass_str = $row[2];
            // CREATE THEIR SESSIONS AND COOKIES
            $_SESSION['userid'] = $db_id;
            $_SESSION['username'] = $db_username;
            $_SESSION['password'] = $db_pass_str;
            setcookie("id", $db_id, strtotime( '+30 days' ), "/", "", "", TRUE);
            setcookie("user", $db_username, strtotime( '+30 days' ), "/", "", "", TRUE);
            setcookie("pass", $db_pass_str, strtotime( '+30 days' ), "/", "", "", TRUE); 
            // UPDATE THEIR "IP" AND "LASTLOGIN" FIELDS
            $sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            echo $db_username;
            exit();
        }
    exit();
}
?>

但是我仍然收到一个登录错误

php
hash
mysqli
phpass
EN

回答 1

Stack Overflow用户

回答已采纳

发布于 2013-02-09 19:45:14

您正在将$p设置为POST密码(未经过哈希处理)

代码语言:javascript
复制
$p = $_POST["p"];

看起来应该是:

代码语言:javascript
复制
 if($hash != $db_pass_str){         //and not $p != $dp_pass_str
  echo "login_failed";

例如,将存储的散列密码与输入的密码和散列的密码进行比较(以便比较两个散列)

票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/14787720

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档