1. 首頁
  2. 問答
  3. PHP的密碼哈希和比賽了問題

PHP的密碼哈希和比賽了問題

2016-07-14 55 views
0

基本上我需要添加到這個代碼在login.php以匹配register.php創建哈希:PHP的密碼哈希和比賽了問題

的login.php

if (isset($_POST['Login'])) { 
     $username = $_POST['email']; 
     $store_password = $_POST['pword']; 
     check($username, $store_password); 
    } 
    function check($username, $pword){ 
     $conn = mysqli_connect('localhost', 'root', 'root', 'Registrar'); 
     $check = "SELECT * FROM Users WHERE email='$username'"; 
     $check_q = mysqli_query($conn, $check) or die("<div class='loginmsg'>Error on checking Username<div>"); 
     if (mysqli_num_rows($check_q) == 1) { 
      login($username, $pword); 
     } 
     else{ 
      echo "<div id='loginmsg'>Wrong Email or Password</div>"; 
     } 
    } 


function login($username, $pword){ 
    $conn = mysqli_connect('localhost', 'root', 'root', 'Registrar'); 
     $login = "SELECT * FROM Users WHERE email='$username' and pword='$pword'"; 
     $login_q = mysqli_query($conn, $login) or die('Error on checking Username and Password'); 
     if (mysqli_num_rows($login_q) == 1){ 
    header('Location: account.php'); 
    echo"<div id='loginmsg'> Logged in as $username </div>"; 
      $_SESSION['username'] = $username; 
     } 
     else { 
      echo "<div id='loginmsg'>Wrong Password </div>"; 
     } 
    }

到在register.php

register.php匹配的密碼哈希:

$uname = $_POST['uname']; 
$email = $_POST['email']; 
$pword = $_POST['pword']; 
$store_password = password_hash('pword', PASSWORD_BCRYPT, array('cost' => 10));

任何援助將不勝感激。

來源

2016-07-14 AJ Riley

+3

您很容易受到[sql注入攻擊](http://bobby-tables.com)的影響。你需要展示你如何存儲密碼(我希望你的意思是「哈希」,你從不**存儲原始明文密碼)以及你如何進行加密/散列/比較。 –

+2

從數據庫中拉出散列'SELECT pword FROM users WHERE email =?'然後與'password_verify($ userSubmittedPassword,$ hashFromDatabase)進行比較'並且@MarcB避開了,使用預準備語句進行查詢,而不是字符串插值 – Steve

+0

散列是存儲在數據庫中,而不是純文本密碼,對嗎? – pmahomme

回答

2

你必須使用功能password_verify這樣

if (password_verify($given_password, $stored_password)) { 
    echo 'Password is valid!'; 
} else { 
    echo 'Invalid password.'; 
}

所以,你必須從數據庫取回的結果對於給定的用戶名和比較的密碼。

事實上

function login($username, $pword){ 
    $conn = mysqli_connect('localhost', 'root', 'root', 'Registrar'); 
     $login = "SELECT email, pword FROM Users WHERE email='$username'"; 
     $login_q = mysqli_query($conn, $login) or die('Error on checking Username and Password'); 
     if (mysqli_num_rows($login_q) == 1){ 
    if(password_verify($pword, mysqli_fetch_field($login_q,1))){ 
     header('Location: account.php'); 
     echo"<div id='loginmsg'> Logged in as $username </div>"; 
      $_SESSION['username'] = $username; 
     } 
    else { 
    echo "<div id='loginmsg'>Wrong Password </div>"; 
     } 
    } 
    else { 
    echo "<div id='loginmsg'>Unknown Username </div>"; 
} 
    }

來源

2016-07-14 15:47:08

+0

感謝您的回覆,唯一的問題在於它到底會如何運作?在我的登錄功能的上下文? –

+0

再次感謝你,mysqli_fetch_field()期望完全1參數,給出2 ..似乎是唯一的問題現在 –

+0

對不起,也許我的答案是不完整的,我現在沒有我的筆記,但其含義是這樣的。 –

1

你應該獨立的任務,你會想(通過類或方法)有可能2-4個左右功能。這是一個非常簡單的工作流程示例。我打算使用PDO,因爲我知道它更好:

// This is just simple but you can make this as elaborate as you want, but 
// if you always use the same function to connect, you will will find troubleshooting 
// that much easier. 
function connection() 
    { 
     return new PDO('mysql:host=localhost;dbname=Registrar','root','root'); 
    } 
// You want to make a simple validation function where that's all it does, 
// you don't want to put a bunch of html in here because you can reuse this function 
// elsewhere in other scripts if need be. 
function validate($email,$password,$con) 
    { 
     // Just look up by email only 
     $sql = "SELECT * FROM `Users` WHERE `email`= ?"; 
     $query = $con->prepare($sql); 
     $query->execute(array($email)); 
     $result = $query->fetch(PDO::FETCH_ASSOC); 
     // If you don't get a row, just return false (didn't validate) 
     if(empty($result['email'])) 
      return false; 
     // $result['password'] should have been stored as a hash using password_hash() 
     return password_verify($password,$result['password']); 
    } 
// Do a quick updater to make it easier on yourself. 
// You don't use this in this script but it gives you an idea about what to 
// do when you are saving passwords via password_hash() 
function updatePassword($email,$password,$con) 
    { 
     $hash = password_hash($password, PASSWORD_DEFAULT); 
     $sql = 'UPDATE `Users` set `password` = ? where `email` = ?'; 
     $query = $con->prepare($sql); 
     $query->execute(array($hash,$email)); 
    } 

session_start(); 
$con = connection(); 
// Check there is a post and that post is valid email address 
// At this point you can add more messaging for errors... 
if(!empty($_POST['email']) && filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) { 
    // Run our validation function 
    $valid = validate($_POST['email'],$_POST['password'],$con); 
    if($valid) { 
     $_SESSION['username'] = $_POST['email']; 
     header('Location: account.php'); 
     exit; 
    } 
    else { 
     die("<div id='loginmsg'>Wrong Password</div>"); 
    } 
}

來源

2016-07-14 18:56:13 Rasclatt

+0

感謝您的回覆,但這種困惑我:P –

+0

嗯(在我看來)更人性化的你可以讓你的代碼更好。函數允許你這樣做。它們還允許一致性,因爲您可以重用這些功能。登錄功能應該是業務部分,即檢查用戶名和密碼並向視圖報告顯示用戶內容的部分。你應該把你的代碼分解成更小,更易於閱讀的部分 – Rasclatt

+0

我注意了一下,看看它是否更清晰。 – Rasclatt

相關問題

 相關問題