如何从数据库和身份验证用户撤回加盐的密码?
这是我的第一个试用版,目的是实现使用含盐密码的成员站点,这些盐都存储在数据库(MySQL)中。一切正常,除了“会员登录”页面中的错误。
错误: 会员登录页面接受对会员网站的任何输入,并且由于某种原因通过了我的检查$result === false
这是用于检查成员是否存在的代码,请让我知道问题是什么:
$servername = 'localhost'; $username = 'root'; $pwd = ''; $dbname = 'lp001';
$connect = new mysqli($servername,$username,$pwd,$dbname);
if ($connect->connect_error){ die('connection failed, reason: '.$connect->connect_error); }
$name = mysqli_real_escape_string($connect, $_POST['name']); $password = mysqli_real_escape_string($connect, $_POST['password']); $saltQuery = "SELECT salt FROM users WHERE name = '$name';"; $result = mysqli_query($connect, $saltQuery); if ($result === false){ die(mysqli_error()); } $row = mysqli_fetch_assoc($result); $salt = $row['salt'];
$saltedPW = $password.$salt; $hashedPW = hash('sha256', $saltedPW); $sqlQuery = "SELECT * FROM users WHERE name = '$name' AND password = '$hashedPW'";
if (mysqli_query($connect, $sqlQuery)){ echo '
Welcome to the member site '.$name.'
'; }else{ echo 'error adding the query: '.$sql_q.'Reason: '.mysqli_error($connect); }
写回答
-
开发人员通常会为验证登录密码而感到困惑,因为他们不确定如何处理存储的密码哈希。他们知道应该使用合适的函数(例如password_hash())对密码进行哈希处理,并将其存储在varchar(255)字段中:
// Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT); 在登录表单中,我们无法直接使用SQL验证密码,也无法搜索密码,因为存储的哈希值是固定的。相反,我们...
必须从数据库中读取密码哈希,并通过用户标识进行搜索 然后可以使用password_verify()函数对照找到的哈希值检查登录密码。 您可以在下面找到一些示例代码,其中显示了如何通过mysqli连接进行密码验证。该代码没有错误检查使其可读:
/** * mysqli example for a login with a stored password-hash */ $mysqli = new mysqli($dbHost, $dbUser, $dbPassword, $dbName); $mysqli->set_charset('utf8');
// Find the stored password hash in the db, searching by username $sql = 'SELECT password FROM users WHERE username = ?'; $stmt = $mysqli->prepare($sql); $stmt->bind_param('s', $_POST['username']); // it is safe to pass the user input unescaped $stmt->execute();
// If this user exists, fetch the password-hash and check it $isPasswordCorrect = false; $stmt->bind_result($hashFromDb); if ($stmt->fetch() === true) { // Check whether the entered password matches the stored hash. // The salt and the cost factor will be extracted from $hashFromDb. $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb); } 请注意,该示例使用预处理语句来避免SQL注入,在这种情况下,不必转义。从pdo连接读取的等效示例如下所示:
/** * pdo example for a login with a stored password-hash */ $dsn = "mysql:host=$dbHost;dbname=$dbName;charset=utf8"; $pdo = new PDO($dsn, $dbUser, $dbPassword);
// Find the stored password hash in the db, searching by username $sql = 'SELECT password FROM users WHERE username = ?'; $stmt = $pdo->prepare($sql); $stmt->bindValue(1, $_POST['username'], PDO::PARAM_STR); // it is safe to pass the user input unescaped $stmt->execute();
// If this user exists, fetch the password hash and check it $isPasswordCorrect = false; if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false) { $hashFromDb = $row['password'];
// Check whether the entered password matches the stored hash. // The salt and the cost factor will be extracted from $hashFromDb. $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb); }来源:stack overflow
2020-05-11 13:34:28赞同 展开评论 打赏
版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
