[Posted]: 2014-09-29 14:29:57
[Question]:
I tried to encrypt my passwords using two different wrappers, password_compat and Bcrypt. The hash is saved fine, but the check comparison never matches.
I use the following code to store the hashed password:
<?php
//include ( "Bcrypt.php" );
include ( "password_compat-master/lib/password.php" ); // polyfill for password_hash()/password_verify() on PHP < 5.5
if ( isset ( $_POST["username"] ) and isset ( $_POST["email"] ) and isset ( $_POST["password"] ) )
{
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
//$hash = Bcrypt::hash( $password );
$hash = password_hash( $password , PASSWORD_BCRYPT ); //password_compat function; yields a 60-character "$2y$..." string with the salt embedded
$connect = mysqli_connect( "server" , "user", "pass" , "database" );
//Code to generate next database key ($next)
$sql_insert = "INSERT INTO `use_users` (`UserID`,`Username`,`Password`,`EmailAddress`) VALUES('$next','$username','$hash','$email');";
$res_insert = $connect -> query( $sql_insert );
}
And I use the following code to verify the password (I know there may be SQL injection!):
<?php
//include ( "Bcrypt.php" );
include ( "password_compat-master/lib/password.php" );
if ( isset ( $_POST["username"] ) and isset ( $_POST["password"] ) )
{
$username = $_POST["username"];
$password = $_POST["password"];
$connect = mysqli_connect( "server" , "user", "pass" , "database" );
$sql_verify = "SELECT * FROM `use_users` WHERE `Username`='$username';";
$res_verify = $connect -> query( $sql_verify );
while ( $exe_verify = mysqli_fetch_array( $res_verify ) )
{
$hash = $exe_verify["Password"]; // the stored hash as it comes back from MySQL
//$check = Bcrypt::check( $password , $hash );
$check = password_verify( $password , $hash ); //password_compat function; re-runs crypt() with the stored hash as the salt and compares
if ( $check ) echo "Pass.";
else echo "Fail.";
}
}
When I write my own hash check (crypt( $password, $hash )), it returns the same hash as the stored one but with additional characters appended.
What am I doing wrong? Is it a MySQL thing?
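The symptoms described above (the hash is saved, verification never matches, and crypt() returns the stored value with extra characters appended) are what a bcrypt hash that was cut short on the way into the database looks like. The following is an added example, not code from the question or from password_compat; it assumes PHP 5.5+ (or the password_compat polyfill) and constructs its own sample password and its own simulated short column.

```php
<?php
// Added example: a bcrypt hash from password_hash() is always 60 characters,
// "$2y$" + 2-digit cost + "$" + 22-character salt + 31-character digest.
// The salt lives inside the string, so password_verify() needs all 60
// characters back from the database; anything shorter can never match.
const BCRYPT_HASH_LENGTH = 60;

// Sanity check to run on a value read back from the Password column.
function storedHashLooksIntact($hash)
{
    return strlen($hash) === BCRYPT_HASH_LENGTH
        && preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

// Reproduces the three observations from the question against one hash.
function demonstrateTruncation($password, $columnWidth)
{
    $full = password_hash($password, PASSWORD_BCRYPT);

    // Simulate a VARCHAR column that is narrower than 60 characters: MySQL
    // silently cuts the value unless strict SQL mode rejects it.
    $stored = substr($full, 0, $columnWidth);

    // crypt() only reads the first 29 characters (prefix + cost + salt) of its
    // second argument, so a truncated hash still reproduces the full hash,
    // i.e. "the stored hash with extra characters appended".
    $recomputed = crypt($password, $stored);

    return array(
        'stored_intact'      => storedHashLooksIntact($stored),
        'verify_full'        => password_verify($password, $full),
        'verify_stored'      => password_verify($password, $stored),
        'recomputed_extends' => strpos($recomputed, $stored) === 0
                                && strlen($recomputed) > strlen($stored),
    );
}

// Constructed sample password; 50 stands in for a column that is too short.
foreach (array(60, 50) as $width) {
    echo "column width $width: ";
    echo json_encode(demonstrateTruncation('correct horse battery staple', $width)), "\n";
}
```

Check the column definition with SHOW CREATE TABLE and confirm the value read back passes storedHashLooksIntact() before blaming the hashing library.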
[Discussion]:
- Please, @sectus!?
- I don't understand you. Just show the create table of the use_users table
- From a security standpoint this is problematic: you don't have any salt. I doubt this password_compat.
Tags: php mysql hash mysqli bcrypt