使用 CRYPT_BLOWFISH 后匹配密码

Question

我已经成功创建了我的密码，并正在使用 CRYPT_BLOWFISH 将它们插入到数据库中。但是我不知道如何将数据库中的加密密码与用户输入登录的密码相匹配。非常感谢任何帮助。

从我使用的用户输入生成密码：

注册.PHP

//If there are no errors or returned_records and the form is submitted let's submit the info and register the user
else if(!$error_msg && !$returned_record && $_POST['register']){
    //Place the newly hased/encrypted password into our new_password variable
    function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
        $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password_1, $salt);
     }//End If
    }//End Function genrateHash*/                   
    $new_password = generateHash($password_1);  
    $pass = $new_password;

    //Build our query
   $sql = ("INSERT INTO members (username, email, password_1) VALUES (?,?,?)");
    //Prepare our query
    $stmt = $mysqli->prepare($sql) or die("Failed Execution");
    //Bind the fields and there paramters to our query
    $stmt->bind_param('sss', $username, $email, $new_password);
    //Execute the query
    $stmt->execute();
    echo $stmt->error;
    header('Location: http://www.yourschoolsincanada.com/english/register/registration-success/');
    exit();
}

登录.PHP

if(isset($_POST['login'])){
$username = $_POST['username'];
$password_1 = $_POST['password_1'];

$sql = "SELECT member_id, username, password_1 FROM members WHERE username = ? AND password_1 = ? LIMIT 1";
//Prepare our query
if($stmt = $mysqli->prepare($sql)){
    //Bind the Parameters to the query
    $stmt->bind_param('ss', $username, $password_1);

    //Execute the query
    $result = $stmt->execute();
    /*Store our result to get properties*/
    $stmt->store_result();          
    //Get the number of rows
    $num_of_rows = $stmt->num_rows;     

    //Bind the results of what the query gave us to our three variables
    $stmt->bind_result($id, $username, $password_1);


    if(crypt($password_1, $pass) == $pass){
        echo "Match";
    }
    else{
        echo "Passwords don't match";
    }   
}

Answer 1

工作演示

我已经完成了以下工作。 HTML 表单和 PHP 都在同一个页面内运行。

<?php
DEFINE ('DB_USER', 'xxx');
DEFINE ('DB_PASSWORD', 'xxx');  
DEFINE ('DB_HOST', 'xxx');
DEFINE ('DB_NAME', 'xxx');

$mysqli = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) 
OR die("could not connect");

if(isset($_POST['login'])){

    $username = htmlentities(trim($_POST['username']));
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = trim($_POST['password']);
    $query = mysqli_query($mysqli, "SELECT username, password_1 FROM members WHERE username = '$username'");
    $row = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser = $row['username'];
    $dbpass = $row['password_1'];
    $hashed_password = crypt($password, $dbpass);

// var_dump($dbuser); // For testing purposes only, can be removed
echo "<hr>";
// var_dump($dbpass); // For testing purposes only, can be removed

    if( ($username == '') || ($password == '') ) {
        $error_string = '<font color=red>You have left either the username or password field blank!</font>';
echo $error_string;
        }
    if ($numrows == 0)
    {
        $error_string = '<font color=red>No username can be found!</font>';

echo $error_string;

        }
    else if ($numrows == 1)
    {

if ($hashed_password == $dbpass)
       {
       $error_string = '<font color=red>Details checked out</font>';

echo $error_string;

       }
    }
    else {
            $error_string = '<font color=red>There was an error. Please contact an Admin</font>';
echo "SORRY Charlie!";
    }

 } // brace for isset login
?>

<form action="" method="post">
Username: 
<input type="text" name="username">
<br>
Password: 
<input type="text" name="password">
<br>
<input type="submit" name="login" value="Submit">
</form>

---

原答案

以下内容应该可以工作，因为我在同一个文件中使用以下内容获得了“ma​​tch”。

阅读代码里面的cmets。

<?php
$password_1 = "1234567890"; // User-entered password

function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
       $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
    return crypt($password_1, $salt);
    }
} 


// Remove the echo. For testing purposes only
echo $new_password = generateHash($password_1);

$pass = $new_password;

echo "<br>";
echo $pass;
echo "<hr>";

// Verify that the password matches and use in your login page
// Syntax: if(crypt($password_entered, $password_hash) == $password_hash)

    if(crypt($password_1,$pass) == $pass) {

    // password is correct
    echo "Match.";

    }

else {
echo "No match.";
}

---

编辑

密码生成器：

<?php
$password_1 = "1234567890"; // User-entered generated password
// or from a form
// $password_1 = $_POST['password']; // User-entered generated password

function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
       $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
    return crypt($password_1, $salt);
    }
} 

// here you can enter the password into DB
// since we have a successful echo
// Remove the echo. For testing purposes only
echo $new_password = generateHash($password_1);

$pass = $new_password;

echo "<br>";
echo $pass;
echo "<hr>";

登录检查：

$password_1 = $_POST['password']; // User-entered password

// DB codes example:
$query = mysqli_query($con, "SELECT password FROM users WHERE password='".$password_1."'");

// Verify that the password matches and use in your login page
// Syntax: if(crypt($password_entered, $password_hash) == $password_hash)

    if(crypt($password_1,$pass) == $pass) {

    // password is correct
    echo "Match.";

    }

else {
echo "No match.";
}