【Question title】: PHP code with hashed password couldn't work
【Posted】: 2016-06-13 17:52:45
【Question description】:

I want to create a web page where the user enters a login and a password and is then redirected to another page.

The login and password are provided by the administrator, and the password should be hashed. I tried to use code I found on the internet (I made some changes), but it does not work for me (I think the reason is the hashed password). Please tell me where the problem is.

Link to the code used: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

(For now I have inserted one row into the database containing the login and password mentioned in the example.)

I tested my code with the password given in the example:

Login: login1, password: 6ZaxN2Vzm9NUJT2y. To be able to log in as this user, the code you need is:

INSERT INTO enquete ... VALUES(1, 'test_user', login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef');

Login.html page:

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Log In</title>
    <script type="text/JavaScript" src="./sha512.js"></script>
    <script type="text/JavaScript" src="./forms.js"></script>
</head>
<body>
    <?php
        if(isset($_GET['error'])) {
            echo 'Error Logging In!';
        }
    ?>
    <form action="process_login.php" method="post" name="login_form">
        Email: <input type="text" name="LoginEtab" />
        Password: <input type="text" name="PwdEtab" id="PwdEtab"/>
        <input type="button" value="Login" onclick="formhash(this.form, this.form.PwdEtab);" />
    </form>
</body>
</html>

Forms.js page:

function formhash(form, PwdEtab) {
    // Create a new input element; this will be our hashed password field.
    var p = document.createElement("input");

    // Add the new element to our form.
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(PwdEtab.value);

    // Make sure the plaintext password doesn't get sent.
    // (Note: this statement clears the hidden field p that was just filled,
    // not the plaintext input PwdEtab.)
    p.value = "";

    // Finally submit the form.
    form.submit();
}

process_login.php page:

<?php
include 'db_connect.php';
include 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'], $_POST['p'])) {
    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['p']; // The hashed password.

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
?>

functions.php page:

<?php

include 'psl-config.php';

function sec_session_start() {
    $session_name = 'MyOwnsession';   // Set a custom session name
    $secure = SECURE;

    // This stops JavaScript being able to access the session id.
    $httponly = true;

    // Forces sessions to only use cookies.
    ini_set('session.use_only_cookies', 1);

    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
                              $cookieParams["path"],
                              $cookieParams["domain"],
                              $secure,
                              $httponly);

    // Sets the session name to the one set above.
    session_name($session_name);

    session_start();            // Start the PHP session
    session_regenerate_id();    // Regenerate the session id (pass true to also delete the old session data).
}

function login($LoginEtab, $PwdEtab, $mysqli) {

    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT IDEtablissement, LoginEtab, PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1")) {
        $stmt->bind_param('s', $LoginEtab);  // Bind $LoginEtab to the parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();

        // Get variables from result.
        $stmt->bind_result($db_IDEtablissement, $db_LoginEtab, $db_PwdEtab, $salt);
        $stmt->fetch();

        // Hash the password with the unique salt.
        $PwdEtab = hash('sha512', $PwdEtab . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            echo "text";
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_PwdEtab == $PwdEtab) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $db_IDEtablissement = preg_replace("/[^0-9]+/", "", $db_IDEtablissement);
                $_SESSION['db_IDEtablissement'] = $db_IDEtablissement;

                // XSS protection as we might print this value
                $db_LoginEtab = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $db_LoginEtab);

                $_SESSION['db_LoginEtab'] = $db_LoginEtab;
                $_SESSION['login_string'] = hash('sha512', $PwdEtab . $user_browser);

                // Login successful.
                return true;
                echo "false2";
            } else {
                // Password is not correct
                // We record this attempt in the database
                $now = time();
                echo "false1";
            }
        }
    } else {
        // No user exists.
        return false;
        echo "false";
    }

}

?>

db_connect.php page:

<?php
include 'psl-config.php';   // Needed because functions.php is not included

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
?>

psl-config.php page:

<?php
/**
 * These are the database login details
 */
define("HOST", "localhost");       // The host you want to connect to.
define("USER", "root");            // The database username.
define("PASSWORD", "");            // The database password.
define("DATABASE", "enquete");     // The database name.
define("SECURE", FALSE);
?>

Update: I am always redirected to the index page: header('Location: ./index.php?error=1');

The Apache log is:

[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant HOST already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant USER already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant PASSWORD already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant DATABASE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant SECURE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 18, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:18, referer: http://localhost/loginSecurity/login.html

Update: I found where the problem is :) I had to add to my code

$PwdEtab = hash('sha512', $PwdEtab);

before the salted hash in the login function.

【Question discussion】:

  • Could you post the output of the test and the error log?
  • The PHP log is empty; I have just found the Apache log.

Tags: javascript php html database hash


【Solution 1】:

You include the file psl-config.php twice; if you need it in both places, use include_once instead of include.

****** EDIT ******

Let's go step by step.

First, hash a new password:

include_once 'psl-config.php';

$user = 'admin';
$pass = '123';
$token = 'test';
$password = hash('sha512', $pass . $token);

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
// Bind the values instead of interpolating them into the SQL string.
$stmt = $mysqli->prepare("UPDATE etablissement SET LoginEtab = ?, PwdEtab = ?, salt = ? WHERE IDEtablissement = 1");
$stmt->bind_param('sss', $user, $password, $token);
$stmt->execute();

Then change your form:

<form action="process_login.php" method="post" name="login_form">
    Email: <input type="text" name="LoginEtab" value="admin"/>
    <br><br>
    Password: <input type="text" name="PwdEtab" id="PwdEtab" value="123"/>
    <br><br>
    <input type="submit" value="Login"/>
</form>

Now change process_login.php:

<?php

include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'])) { //<======CHANGE HERE

    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['PwdEtab']; // The hashed password. //<======AND HERE

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}

And voilà.

【Discussion】:

  • Thanks, I have added include_once, but my problem is still that the given password and the password in the database are different.
  • Look, I have tried your code and it works fine, including the redirect to the login page. I don't think you need to hash the password in the view; try doing the check only in PHP, then you can remove form.js and sha512.js. To make the encrypted password, use hash('sha512', $anypass.$anytoken); and store the result and the token in the database.
  • Why should I update my database? I only want to compare the login and password that are already in the database. I have removed form.js, use PHP only, and added include_once.
  • You don't need to update your password, but you need to make sure the password in your database is hashed correctly.
【Solution 2】:

Update: I found where the problem is :) I had to add to my code

$PwdEtab = hash('sha512', $PwdEtab);

before the salted hash in the login function. Finally it works for me :)

【Discussion】:
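As an added example (not code from the question or from either answer), here is the scheme the thread converges on, written out as one self-contained PHP script: the stored value is sha512(sha512(password) . salt), the browser posts the plaintext, and the server applies both hashes before comparing. It runs against an in-memory SQLite database through PDO (assumed available via the pdo_sqlite extension) instead of the question's MySQL instance; the table and column names are taken from the question's functions.php, and the credentials login1 / 6ZaxN2Vzm9NUJT2y are the ones the question tested with. The login() function takes a flag so that the single-hash path (what the question's server computed once forms.js was removed and plaintext arrived) can be compared directly with the double-hash path the self-answer adds; the flag, the helper names and the random 64-byte salt are assumptions of this example.

```php
<?php
// Added example, not part of the original thread. Reproduces the login
// scheme discussed above against an in-memory SQLite database so it runs
// offline with: php login_example.php
//
//   stored value = sha512( sha512(password) . salt )   (wikihow layout)
//   single hash  = sha512( password . salt )           (server-only hash, no pre-hash)
//
// Table/column names come from the question; everything else is assumed.
declare(strict_types=1);

function stored_hash(string $password, string $salt): string {
    // Same chain as the thread's working fix: hash, then hash again with the salt.
    $clientHash = hash('sha512', $password);
    return hash('sha512', $clientHash . $salt);
}

function make_salt(): string {
    // 64 random bytes, hex-encoded: the same length as the salt column in the thread.
    return bin2hex(random_bytes(64));
}

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE etablissement (
        IDEtablissement INTEGER PRIMARY KEY,
        LoginEtab TEXT UNIQUE NOT NULL,
        PwdEtab   TEXT NOT NULL,
        salt      TEXT NOT NULL)');
    return $db;
}

function create_user(PDO $db, string $login, string $password): void {
    $salt = make_salt();
    // Bound parameters instead of interpolating values into the SQL string.
    $stmt = $db->prepare('INSERT INTO etablissement (LoginEtab, PwdEtab, salt) VALUES (?, ?, ?)');
    $stmt->execute([$login, stored_hash($password, $salt), $salt]);
}

function login(PDO $db, string $login, string $password, bool $prehash = true): bool {
    $stmt = $db->prepare('SELECT PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    $candidate = $prehash
        ? stored_hash($password, $row['salt'])       // sha512(sha512(pw) . salt)
        : hash('sha512', $password . $row['salt']);  // sha512(pw . salt) only
    // Constant-time comparison. Comparing hex digests with == is timing-leaky
    // and, in PHP, subject to numeric-string coercion ("0e..." strings compare equal).
    return hash_equals($row['PwdEtab'], $candidate);
}

$db = open_db();
create_user($db, 'login1', '6ZaxN2Vzm9NUJT2y');   // credentials from the question

echo "single hash, right password: ";  var_dump(login($db, 'login1', '6ZaxN2Vzm9NUJT2y', false));
echo "double hash, right password: ";  var_dump(login($db, 'login1', '6ZaxN2Vzm9NUJT2y', true));
echo "double hash, wrong password: ";  var_dump(login($db, 'login1', 'wrong-password', true));
echo "double hash, unknown user:   ";  var_dump(login($db, 'nobody', '6ZaxN2Vzm9NUJT2y', true));
```

Only the second call succeeds: a row written as sha512(sha512(pw) . salt) can never match a server that hashes the plaintext with the salt once, which is the mismatch the question ran into after dropping forms.js, and the self-answer's extra hash('sha512', $PwdEtab) is exactly the missing inner hash. Two things the thread's code lacks are kept here on purpose: values are bound rather than interpolated into the SQL, and the comparison uses hash_equals() instead of ==. For new code, PHP's password_hash() / password_verify() replace this whole SHA-512 chain with a deliberately slow, salted hash; the example keeps the SHA-512 layout only so that rows created by the wikihow script still verify.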
