2014-04-18 181 views
0

我無法編寫與我的註冊腳本配合使用的登錄腳本。密碼和鹽不匹配

register.php

$username = $_POST['signupEmail']; 
$password = $_POST['signupPassword']; 
$gender = $_POST['signupGender']; 
$country = $_POST['signupCountry']; 

$salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); 
$password = hash('sha512', $password . $salt); 
$query = mysqli_query($con, "INSERT INTO sh_users (username, password, salt, gender, country) Values ('" . $username . "' , '" . $password . "' , '" . $salt . "' , '" . $gender . "' , '" . $country . "')") or die(mysqli_error($con)); 

這工作沒有任何問題 - 數據庫中的所有值。

的login.php

$query = "SELECT * 
     FROM sh_users 
     WHERE username = '$username';"; 

$result = mysqli_query($con, $query); 

$userData = mysqli_fetch_array($result, MYSQL_ASSOC); 
$salt = $userData['salt']; 

$hash = hash('sha512', $password . $salt); 

if ($hash != $userData['password']) 
{ 
    echo "Incorrect email or password"; 
} 
else 
{ 
    echo "success"; 
} 

如果我贊同回聲$password那麼它同我輸入(是的,我使用的是正確的密碼)。同樣,$salt與數據庫中的內容匹配。但是,儘管我在兩個腳本中都使用了相同的哈希方法,但$hash仍然會產生流氓結果。

我哪裏錯了?

UPDATE

問題是,當我在register.php頂部var_dump()它是$_POST['signupPassword']被返回null。

奇怪的是,傾銷$_POST['signupPassword2']出來很好,但我想了解兩者之間的差異。

這是我的表單(我以爲我第一次發佈,表示歉意)。

<form id="signup-form" action="" method="POST"> 
    <input name="signupEmail" type="email" class="form-control" id="signupEmail" placeholder="Email address"> 
    <input name="signupPassword" type="password" class="form-control" id="signupPassword" placeholder="Password"> 
    <input name="signupPassword2" type="password" class="form-control" id="signupPassword2" placeholder="Password"> 
    <select name="signupCountry" id="signupCountry" class="selectpicker"> 
     <option value="0">Country</option> 
     <option value="United States">United States</option> 
     <option value="United Kingdom">United Kingdom</option> 
     <option>Canada</option> 
    </select> 
    <select name="signupGender" id="signupGender" class="selectpicker"> 
     <option value="0">Gender</option> 
     <option value="f">Female</option> 
     <option value="m">Male</option> 
    </select> 
    <button id="signup" class="btn btn-success btn-block signup" type="submit">Sign up</button> 
</form> 
+1

你會推薦我做什麼呢? – Sebastian

+2

@Sebastian請忽略kingkero的評論。他是錯的。你應該做的就是轉儲你正在使用var_dump()的所有變量。做到這一點爲$鹽和$密碼,看看他們是否真的是他們應該是。另外請確保您的數據庫字段不會截斷您的密碼或鹽,並確保數據庫中的值實際上應該是。更好的是,在將變量插入到數據庫之前轉儲變量,並將它們與您在login.php中從數據庫中獲取的變量進行比較。有些東西告訴我他們不會匹配。 – Marius

+0

任何散列的單輪不再被認爲是存儲密碼的安全方法。見前面的問題http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php和http://stackoverflow.com/questions/1581610/how-can -i-store-my-users-passwords-安全地獲取關於在PHP中安全地存儲密碼的標準方法的信息。 –

回答

0

register.php

$username = $_POST['signupEmail']; 
$password = $_POST['signupPassword']; 
$gender = $_POST['signupGender']; 
$country = $_POST['signupCountry']; 

$salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); 
$password_hashed = hash('sha512', $password . $salt); //i changed var name, because, name var name? this gives a conflit if vars are equal 
$query = mysqli_query($con, "INSERT INTO sh_users (username, password, salt, gender, country) Values ('" . $username . "' , '" . $password_hashed . "' , '" . $salt . "' , '" . $gender . "' , '" . $country . "')") or die(mysqli_error($con)); 

的login.php

$query = "SELECT * 
     FROM sh_users 
     WHERE username = '$username';"; 

$result = mysqli_query($con, $query); 
$row_result = mysqli_fetch_assoc($result); //this will work, not the code that you had, if mysqli_fetch_assoc is not correctly write, sorry, but i think that is it 
$salt = $row_result['salt']; 

$hash = hash('sha512', $password . $salt); 

if ($hash != $userData['password']) 
{ 
    echo "Incorrect email or password"; 
} 
else 
{ 
    echo "success"; 
} 

如果mysqli的,爲什麼你把MYSQL_ASSOC? 使用上面的代碼登錄 的形式:

<form id="signup-form" action="" method="POST"> 
    <input name="signupEmail" type="email" class="form-control" id="signupEmail" placeholder="Email address"> 
    <input name="signupPassword" type="password" class="form-control" id="signupPassword" placeholder="Password"> 
    <select name="signupCountry" id="signupCountry" class="selectpicker"> 
     <option value="0">Country</option> 
     <option value="United States">United States</option> 
     <option value="United Kingdom">United Kingdom</option> 
     <option>Canada</option> 
    </select> 
    <select name="signupGender" id="signupGender" class="selectpicker"> 
     <option value="0">Gender</option> 
     <option value="f">Female</option> 
     <option value="m">Male</option> 
    </select> 
    <button id="signup" class="btn btn-success btn-block signup" type="submit">Sign up</button> 
</form> 

其無一不絲毫錯誤的形式,但不要用var_dump(),我曾與瓦爾幾個錯誤。