可以从MySQL数据库db

Question

获得用户名和密码匹配，因为标题暗示我可以在尝试从我的数据库检索用户时获得密码和用户名的匹配。 当我第一次创建一个用户我用这个方法还散列密码：

mysql_select_db($user); 
$username = $_REQUEST['username']; 
$password = $_REQUEST['password']; 
function hash_password($password1, $username1) { 
    return hash_hmac('sha512', $password1 . $username1, $site_key); 
} 
$sql=mysql_query("INSERT INTO _SCD_BACKUP_USERS (username, password) 
VALUES ('".$username."','".hash_password($password, $username)."')"); 
$r=mysql_query($sql); 
if(!$r)echo "Error in query: ".mysql_error(); 
mysql_close();` 

这似乎做工精细！为了得到我想要的数据库。当我检索信息时，我无法使用此代码获得匹配：

$username = $_REQUEST['username']; 
$password = $_REQUEST['password']; 
function hash_password($password1, $username1) { 
    return hash_hmac('sha512', $password1 . $username1, $site_key); 
} 
$encrypted = hash_password($username, $password); 
$sql = 'SELECT username FROM _SCD_BACKUP_USERS WHERE username = ? AND password = ?'; 
$result = $db -> query($sql, array($username, $encrypted)); 
if ($result -> numRows() < 1) { 
    $arr = array('same' => true); 
} else { 
    $arr = array('same' => false); 
} 
print(json_encode($arr)); 
mysql_close(); 

有什么建议吗？

//安德烈

Answer 1

参数是向后

$encrypted = hash_password($username, $password); 

应该

$encrypted = hash_password($password, $username);