【发布时间】:2011-05-15 23:53:43
【问题描述】:
以现有教程为基础,使用 salt 实现基本的用户注册 + 登录系统。目前我将其用于注册阶段:
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt = null)
{
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
}
else
{
$salt = substr($salt, 0, SALT_LENGTH);
}
return $salt . sha1($salt . $plainText);
}
$newpass = generateHash($_POST['newpass']);
followed by:
$sql = "INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass'), ... etc"
这很好用。
我现在想比较输入密码以检查是否相等(在单独的访问控制文件中):
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt)
{
$salt = substr($salt, 0, SALT_LENGTH);
return $salt . sha1($salt . $plainText);
}
$sql = "SELECT password FROM user WHERE
userid = '$uid'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
$comparepwd = generateHash($pwd, $row['password']);
if (mysql_num_rows($result) == 0 || $comparepwd != $row['password']) {
//access denied, unset session variables
}
原则上我认为这应该可行。我对 PHP/MySQL 还很陌生,所以如果您能就它为什么不起作用提出建议,我将不胜感激。非常感谢!
编辑:刚刚意识到,是因为
INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass')
PASSWORD('$newpass') 对 MySQL 有进一步的处理吗?
【问题讨论】:
标签: php authentication sha1 salt