密码哈希在php注册和登录不工作

Question

我在注册时使用密码盐来哈希用户的密码，也使用登录相同的方法，但它总是显示我不正确的密码，请有人可以告诉我什么是错误。 如果我删除密码salt它将工作正常，但我需要确保密码。

这里是我的注册码

<?php 

include($root . 'database_connection.php'); 
if (isset($_POST['formsubmitted'])) { 
    $username = $_POST['username']; //else assign it a variable 
    $email = $_POST['email']; 
    $password = $_POST['password']; 

     $salt = "@g26jQsG&nh*&#8v"; 
     $passcode = sha1($password.$salt); 
     $name = $username; 
     $pass = $passcode; 
     $mail = $email; 
     $query_insert_user = "INSERT INTO `users` (`username`, `password`, `email`, `active`) VALUES ('$name', '$pass', '$mail', '$numbers')"; 

      $result_insert_user = mysqli_query($db_conn, $query_insert_user); 
      if (!$result_insert_user) { 
       echo 'Query Failed '; 
      } 

    mysqli_close($db_conn); //Close the DB Connection 

} // End of the main Submit conditional. 

?> 

登录页面

<?php 

     if ($_POST) { 

      $salt = "@g26jQsG&nh*&#8v"; 
      $password = sha1($_POST['password'].$salt); 

      $logdb = new PDO('mysql:host=localhost;dbname=userdb', 'root', 'pass'); 
      $logdb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
      $stmt = $logdb->prepare("SELECT * FROM users WHERE username=:username AND password=:password"); 
      $stmt->bindParam(":username", $_POST['username']); 
      $stmt->bindParam(":password", $password); 
      $stmt->execute(); 

     $atributes = $stmt->fetch(PDO::FETCH_OBJ); 
     if ($atributes) { 
      session_start(); 

      $username = $atributes->username; 
      $_SESSION['username'] = $username; 
      $active = $atributes->active; 
      $email = $atributes->email; 
    if($active==0){ 
    echo '<table><td width="50px" valign="top"><i class="fa fa-ban mail2"></i></td><td><div>Authentication Error! Your account is not verified please verify your email.<br/> 
    <small>Need more help? Please contact the systems administrator.</small></div></td></table>';} 
    else{ 
      header("location: index.php"); 
    } 

      } else { 
      header("location: login.php?else=0&n"); 
       //incorrect 
      } 

     } 

      else { 
     header("location: login.php?false=1&n"); 
       echo '<form name="login" action="" method="POST"> 
      Username: <br /> 
      <input type="text" name="username"/><br /> 
      Password: <br /> 
      <input type="password" name="password"/><br /> 
      <button type="submit">Login</button> 
      <a href="signup.php">Register</a></form>'; 


      } 
     $logdb=null; 
    ?> 

Answer 1

PHP提供的密码哈希和验证的本地支持。请使用password_hash()功能，因为它更安全，易于使用。它可以选择使用盐。

请参阅

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/

SHA1是一个妥协的算法，如果任何人知道你的盐，他就能破密码。

注册码将改变：在注册过程中

$passcode = password_hash($password, PASSWORD_DEFAULT); // leave the salt as this function will automatically generate a secure one for you 
    $name = $username; 
    $pass = $passcode; 

登录代码

// Please get user's password as hash in $password_hash and plain text password from user. Then use password_verify function (native function) to verify the password 
if(password_verify($_POST['password'] , $password_hash) 
{ 
    // correct password 
} 
else 
{ 
    // wrong password 
} 

Answer 2

我使用的密码盐加密用户密码

No you're not。你的代码说：

$salt = "@g26jQsG&nh*&#8v"; 
$passcode = sha1($password.$salt); 

SHA1不加密，它是一个散列函数。 散列不是加密。

散列是一个单向函数，它接受无限多的可能值并将它们映射到有限数量的值，这样就很难从有限值返回到无限值的对应值。

这也是一种非常不安全的存储密码的方式。参见：How to safely store a password。 （对方回答是正确的：使用password_hash()和password_verify()）

此外：

$username = $_POST['username']; //else assign it a variable 
$email = $_POST['email']; 
$password = $_POST['password']; 
// SNIP // 
$query_insert_user = "INSERT INTO `users` (`username`, `password`, `email`, `active`) VALUES ('$name', '$pass', '$mail', '$numbers')"; 

你的注册码是不安全的。你可能想学习how to prevent SQL injection。而application security in general就是这个问题。