【问题标题】:Checking sha1 against stored sha1 password根据存储的 sha1 密码检查 sha1
【发布时间】:2014-08-16 16:52:38
【问题描述】:

我正在使用 sha1 对密码进行哈希处理,并且它已成功将其存储在数据库中,但是我似乎无法正确检查 sha1 是否与数据库中的密码匹配。我已经尝试了以下代码的许多不同迭代,但似乎没有任何效果 - 我错过了什么?

注册

<?php 

$username = $_POST['username'];

$password = $_POST['password'];
$passwordEncrypted = sha1($password);

try {   

    $result = $db->prepare("INSERT INTO 
                            user_info 
                            SET 
                            username = :user,
                            pass = :pass
                            ");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $passwordEncrypted);
    $result->execute();
}

catch (Exception $e) {
    echo "Could not create username";
}

if (isset($_POST['submit'])) { 
    foreach ($_POST as $field) {
        if (empty($field)) {
            $fail = true;
        }
        else {
            $continue = false;
        }
    }
    if ($field == $fail) {
        echo "You must enter a username and/or password";
    }
    else {
        echo "Your account has been successfully created.";
    }
}

?>

登录

<?php 

$username = $_POST['username'];          
$password = $_POST['password'];

$encryptedPassword = sha1($password);

try {   

$result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
$result->bindParam(':user', $username);
$result->bindParam(':pass', $password);
$result->execute();
$rows = $result->fetch(PDO::FETCH_NUM);
}

catch (Exception $e) {
echo "Could not retrieve data from database";
exit();
}

if ($rows) {
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['loggedin'] = true;
include("inc/redirect.php");

} else {
if (isset($_POST['login'])) {
    echo "Username or password incorrect (passwords are case sensitive)";
}
}

?>

【问题讨论】:

  • 你必须在两边都做同样的事情——你的验证不会调用sha1
  • 在打开连接后立即添加$db-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);,如果您还没有这样做的话。

标签: php mysql passwords sha1


【解决方案1】:

您需要在查询表之前对密码进行哈希处理,而不是事后:

<?php 

$username = $_POST['username'];          
$password = $_POST['password'];
$passwordEncrypted = sha1($password);

try {   

    $result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $passwordEncrypted);
    $result->execute();

    if ($result->fetch(PDO::FETCH_NUM)) {
        session_start();
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['loggedin'] = true;
        include("inc/redirect.php");

    } else {
        if (isset($_POST['login'])) {
            echo "Username or password incorrect (passwords are case sensitive)";
        }
    }
}

catch (Exception $e) {
    echo "Could not retrieve data from database";
    exit();
}

?>

【讨论】:

  • 这会引发错误,我必须将sha1($password) 存储在一个变量中,但即便如此,代码也不起作用。
  • Strict Standards: Only variables should be passed by reference in /home/maver08/public_html/design/inc/users.database.php on line 11
  • 所以我做了$encryptedPassword = sha1($password); 并将$encryptedPassword 传递给:pass - 但不幸的是仍然无法正常工作
  • 使用变量时会发生什么?
  • @NikkiMather 不客气。我总是将密码字段设置为255。做50 不会有伤害 ;-)
猜你喜欢
  • 2012-10-18
  • 2011-03-03
  • 1970-01-01
  • 2017-12-29
  • 2012-06-26
  • 1970-01-01
  • 2021-07-03
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多