PHP網站爲桌面和移動瀏覽器返回不同的SHA512值

Question

我正在開發一個需要會員資格部分的網站。所以，當用戶註冊一個新的成員帳戶時，我使用隨機salt和用戶密碼保存用戶名，隨機salt和SHA512散列密碼，以便不以純文本形式將密碼保存在我的數據庫中。

用戶登錄時似乎存在的問題是，當我從桌面或移動瀏覽器（包括Android和IOS設備）使用網站時，SHA512 JavaScript函數返回的值不同。桌面似乎是正確的。

這裏是我使用來檢查時，在用戶登錄PHP函數：

// login function, check email and password against the database. 
function login($email, $password, $mysqli) { 
// Using prepared statements means that SQL injection is not possible. 
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt 
    FROM members 
    WHERE email = ? 
    LIMIT 1")) { 
    $stmt->bind_param('s', $email); // Bind "$email" to parameter. 
    $stmt->execute(); // Execute the prepared query. 
    $stmt->store_result(); 

    // get variables from result. 
    $stmt->bind_result($user_id, $username, $db_password, $salt); 
    $stmt->fetch(); 

    // hash the password with the unique salt. 
    $password = hash('sha512', $password . $salt); 
    if ($stmt->num_rows == 1) { 
     // If the user exists we check if the account is locked 
     // from too many login attempts 

     if (checkbrute($user_id, $mysqli) == true) { 
      // Account is locked 
      // Send an email to user saying their account is locked 
      $_SESSION['temp'] = "account locked."; 
      return false; 
     } else { 
      // Check if the password in the database matches 
      // the password the user submitted. 
      if ($db_password == $password) { 
       // Password is correct! 
       // Get the user-agent string of the user. 
       $user_browser = $_SERVER['HTTP_USER_AGENT']; 
       // XSS protection as we might print this value 
       $user_id = preg_replace("/[^0-9]+/", "", $user_id); 
       $_SESSION['user_id'] = $user_id; 

       $_SESSION['temp'] = $user_browser; 

       // XSS protection as we might print this value 
       $username = preg_replace("/[^a-zA-Z0-9_\-]+/", 
                  "", 
                  $username); 
       $_SESSION['username'] = $username; 
       $_SESSION['login_string'] = hash('sha512', 
          $password . $user_browser); 
       // Login successful. 
       return true; 
      } else { 
       // Password is not correct 
       // We record this attempt in the database 
       $now = time(); 
       $mysqli->query("INSERT INTO login_attempts(user_id, time) 
           VALUES ('$user_id', '$now')"); 
       $_SESSION['temp'] = "Invalid password. ";// . $username . " " . $password . " " . $db_password;     
       return false; 
      } 
     } 
    } else { 
     $_SESSION['temp'] = "User not Found."; 
     // No user exists. 
     return false; 
    } 
} 
} 

這裏是SHA值我來自同一個用戶名/密碼了： 桌面（這讓我登錄正確）：091b2e6cda1e1ee4de89b1164703a238021fa6c092551cfea2c967051bd01f3992dbe160bbc25a14694f119a819b88534b21d0f7c8da9c80bb8c06a79f75074c

從我的Android手機（無效密碼返回）：20036264d5fccd56658e45364112ae0e3356878d84150aa817e049a288aa491b88fab9384df71a3aae7e3d0145acd3dc5608030961181b1bf8336e6019824daf

我使用JavaScript SHA512功能可以在這裏找到：http://pajhome.org.uk/crypt/md5

Answer 1

我相信這種異常是因爲字符表示的。在不同的操作系統，瀏覽器和設備中，表示可能不同。在計算摘要之前，嘗試將密碼轉換爲通用格式，例如UNICODE。

在php中，您可以使用utf8_encode()函數。

在JavaScript

function encode_utf8(s) { 
    return unescape(encodeURIComponent(s)); 
} 

function decode_utf8(s) { 
    return decodeURIComponent(escape(s)); 
}