开发者社区> 问答> 正文

如何从数据库和身份验证用户撤回加盐的密码?

这是我的第一个试用版,目的是实现使用含盐密码的成员站点,这些盐都存储在数据库(MySQL)中。一切正常,除了“会员登录”页面中的错误。

错误: 会员登录页面接受对会员网站的任何输入,并且由于某种原因通过了我的检查$result === false

这是用于检查成员是否存在的代码,请让我知道问题是什么:

$servername = 'localhost'; $username = 'root'; $pwd = ''; $dbname = 'lp001';

$connect = new mysqli($servername,$username,$pwd,$dbname);

if ($connect->connect_error){ die('connection failed, reason: '.$connect->connect_error); }

$name = mysqli_real_escape_string($connect, $_POST['name']); $password = mysqli_real_escape_string($connect, $_POST['password']); $saltQuery = "SELECT salt FROM users WHERE name = '$name';"; $result = mysqli_query($connect, $saltQuery); if ($result === false){ die(mysqli_error()); } $row = mysqli_fetch_assoc($result); $salt = $row['salt'];

$saltedPW = $password.$salt; $hashedPW = hash('sha256', $saltedPW); $sqlQuery = "SELECT * FROM users WHERE name = '$name' AND password = '$hashedPW'";

if (mysqli_query($connect, $sqlQuery)){ echo '

Welcome to the member site '.$name.'

'; }else{ echo 'error adding the query: '.$sql_q.'
Reason: '.mysqli_error($connect); }

展开
收起
保持可爱mmm 2020-05-11 11:51:50 601 0
1 条回答
写回答
取消 提交回答
  • 开发人员通常会为验证登录密码而感到困惑,因为他们不确定如何处理存储的密码哈希。他们知道应该使用合适的函数(例如password_hash())对密码进行哈希处理,并将其存储在varchar(255)字段中:

    // Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT); 在登录表单中,我们无法直接使用SQL验证密码,也无法搜索密码,因为存储的哈希值是固定的。相反,我们...

    必须从数据库中读取密码哈希,并通过用户标识进行搜索 然后可以使用password_verify()函数对照找到的哈希值检查登录密码。 您可以在下面找到一些示例代码,其中显示了如何通过mysqli连接进行密码验证。该代码没有错误检查使其可读:

    /** * mysqli example for a login with a stored password-hash */ $mysqli = new mysqli($dbHost, $dbUser, $dbPassword, $dbName); $mysqli->set_charset('utf8');

    // Find the stored password hash in the db, searching by username $sql = 'SELECT password FROM users WHERE username = ?'; $stmt = $mysqli->prepare($sql); $stmt->bind_param('s', $_POST['username']); // it is safe to pass the user input unescaped $stmt->execute();

    // If this user exists, fetch the password-hash and check it $isPasswordCorrect = false; $stmt->bind_result($hashFromDb); if ($stmt->fetch() === true) { // Check whether the entered password matches the stored hash. // The salt and the cost factor will be extracted from $hashFromDb. $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb); } 请注意,该示例使用预处理语句来避免SQL注入,在这种情况下,不必转义。从pdo连接读取的等效示例如下所示:

    /** * pdo example for a login with a stored password-hash */ $dsn = "mysql:host=$dbHost;dbname=$dbName;charset=utf8"; $pdo = new PDO($dsn, $dbUser, $dbPassword);

    // Find the stored password hash in the db, searching by username $sql = 'SELECT password FROM users WHERE username = ?'; $stmt = $pdo->prepare($sql); $stmt->bindValue(1, $_POST['username'], PDO::PARAM_STR); // it is safe to pass the user input unescaped $stmt->execute();

    // If this user exists, fetch the password hash and check it $isPasswordCorrect = false; if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false) { $hashFromDb = $row['password'];

    // Check whether the entered password matches the stored hash. // The salt and the cost factor will be extracted from $hashFromDb. $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb); }来源:stack overflow

    2020-05-11 13:34:28
    赞同 展开评论 打赏
问答排行榜
最热
最新

相关电子书

更多
2022 DTCC-阿里云一站式数据库上云最佳实践 立即下载
云时代的数据库技术趋势 立即下载
超大型金融机构国产数据库全面迁移成功实践 立即下载