可以從MySQL數據庫db

Question

獲得用戶名和密碼匹配，因爲標題暗示我可以在嘗試從我的數據庫檢索用戶時獲得密碼和用戶名的匹配。 當我第一次創建一個用戶我用這個方法還散列密碼：

mysql_select_db($user); 
$username = $_REQUEST['username']; 
$password = $_REQUEST['password']; 
function hash_password($password1, $username1) { 
    return hash_hmac('sha512', $password1 . $username1, $site_key); 
} 
$sql=mysql_query("INSERT INTO _SCD_BACKUP_USERS (username, password) 
VALUES ('".$username."','".hash_password($password, $username)."')"); 
$r=mysql_query($sql); 
if(!$r)echo "Error in query: ".mysql_error(); 
mysql_close();` 

這似乎做工精細！爲了得到我想要的數據庫。當我檢索信息時，我無法使用此代碼獲得匹配：

$username = $_REQUEST['username']; 
$password = $_REQUEST['password']; 
function hash_password($password1, $username1) { 
    return hash_hmac('sha512', $password1 . $username1, $site_key); 
} 
$encrypted = hash_password($username, $password); 
$sql = 'SELECT username FROM _SCD_BACKUP_USERS WHERE username = ? AND password = ?'; 
$result = $db -> query($sql, array($username, $encrypted)); 
if ($result -> numRows() < 1) { 
    $arr = array('same' => true); 
} else { 
    $arr = array('same' => false); 
} 
print(json_encode($arr)); 
mysql_close(); 

有什麼建議嗎？

//安德烈

Answer 1

參數是向後

$encrypted = hash_password($username, $password); 

應該

$encrypted = hash_password($password, $username);