2013-05-19 81 views
-2

I have a register form that lets the user enter a password, and I use crypt to hash the password, but the passwords don't match.

In the register form it works well: the password gets hashed and saved in the database, but when it comes to login the password doesn't match and the system doesn't log the user in.

Can anyone help me? In register.php


Hashing the password

    //crypt password
    require_once('include/blowfish.php');

    $bcrypt = new Bcrypt(4);
    $hash = $bcrypt->hash($pass1);
    echo $hash;


    //************Insert all the members's input to the database**************************//
    $query = mysql_query("INSERT INTO members(user_name, first_name, last_name,
        governorate, district, village, birth_date, email_address, specialization,
        password, registered_date)
        VALUES('$username', '$firstname', '$lastname', '$governorate', '$district',
        '$village', '$bdate', '$email', '$specialization', '$hash', now())")
        or die(mysql_error());

In login.php

    $sql = mysql_query("SELECT user_id, email_address, first_name, user_name
        FROM members
        WHERE email_address='$email' AND password='$pass'
        LIMIT 1") or die("error in members table");
    $login_check = mysql_num_rows($sql);

    if($login_check > 0)
    {
        $row = mysql_fetch_array($sql);
        $row_pass = $row['password'];
        //***********for hashing password***************************//
        require_once('include/blowfish.php');
        $bcrypt = new Bcrypt(4);
        if($bcrypt->verify($pass, $row_pass))
        {
            $id = $row['user_id'];
            $_SESSION['user_id'] = $id;

            $firstname = $row['first_name'];
            $_SESSION['first_name'] = $firstname;

            $email = $row['email_address'];
            $_SESSION['email_address'] = $email;

            $username = $row['user_name'];
            $_SESSION['user_name'] = $username;

            mysql_query("UPDATE members SET last_log_date=now()
                WHERE user_id='$id'");

            //$message = "correct email and passworddd!!";
            header("Location: profile.php");
            // exit();
        }//close if
    }//close if
    else
    {
        $message = "incorrect Email or Password!!";
        //exit();
    }
+0

Don't ask the same question multiple times. – Gumbo

+0

You already got answers, try to understand and apply them! – deceze

+0

@deceze the problem is that I thought it was correct, but it isn't, and I don't know how to fix it, so I came to ask a question in order to know and understand – user2398286

Answer

0

It won't work because in the 1st snippet, the one hashing the password, you save $hash into members.password.

In the second snippet you check the real password from the input. You need to modify it to hash first:

    $bcrypt = new Bcrypt(4);
    $hash = $bcrypt->hash($pass);

    $query = sprintf("SELECT user_id, email_address, first_name, user_name
        FROM members
        WHERE email_address='%s' AND password='%s'",
        mysql_real_escape_string($email),
        mysql_real_escape_string($hash));

    $sql = mysql_query($query) or die("error in members table");

    $login_check = mysql_num_rows($sql);

    if($login_check > 0)
    {
        ...

Also, your code is vulnerable to SQL injection and uses the deprecated mysql_* functions.

+0

So the code becomes like this: **require_once('include/blowfish.php'); $bcrypt = new Bcrypt(4); $hash = $bcrypt->hash($pass); $query = sprintf("SELECT user_id, email_address, first_name, user_name FROM members WHERE email_address='%s' and password='%s'", mysql_real_escape_string($email), mysql_real_escape_string($hash)); $sql = mysql_query($query) or die("error in members table"); $login_check = mysql_num_rows($sql); if($login_check > 0){ $row = mysql_fetch_array($sql); $row_pass = $row['password']; if($bcrypt->verify($hash, $row['password'])){** – user2398286

+0

But this generates another hash that is not the same as the stored hash – user2398286
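The last comment hits the actual cause: bcrypt salts every hash with fresh random bytes, so hashing the submitted password again at login (as the answer suggests) produces a string that never equals the one stored at registration, and no `WHERE password = '...'` clause can match it. The only way to compare is to fetch the stored hash by e-mail and hand both to a verify routine, which reads the salt and cost back out of the stored hash. The example below is added here and is not code from the question or the answer; it swaps the page's `Bcrypt` class from `include/blowfish.php` for PHP's built-in `password_hash` / `password_verify` (PHP 5.5 or later, an assumption) and uses PDO prepared statements in place of `mysql_*`, which also closes the SQL injection hole the answer mentions. The in-memory SQLite table (needs the `pdo_sqlite` extension), the `register_member` / `login_member` function names and the member data are all constructed for the demonstration.

```php
<?php
// Added example, not from the question or the answer. Assumes PHP >= 5.5
// (password_hash / password_verify) and the pdo_sqlite extension. The table
// below is a constructed stand-in for the members table in the question.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (
    user_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    email_address TEXT NOT NULL UNIQUE,
    user_name     TEXT NOT NULL,
    first_name    TEXT NOT NULL,
    password      TEXT NOT NULL,
    last_log_date TEXT
)');

// register.php side: hash once (random salt chosen by password_hash) and
// store only the hash. Bound parameters keep user input out of the SQL text.
function register_member(PDO $db, $email, $username, $firstname, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $db->prepare('INSERT INTO members (email_address, user_name, first_name, password)
                          VALUES (:email, :user, :first, :hash)');
    $stmt->execute([':email' => $email, ':user' => $username,
                    ':first' => $firstname, ':hash' => $hash]);
    return (int) $db->lastInsertId();
}

// login.php side. The password (or a fresh hash of it) never goes into the
// WHERE clause: select by e-mail only, then let password_verify() compare
// using the salt embedded in the stored hash. Returns the fields the question
// copies into $_SESSION, or null when the login fails.
function login_member(PDO $db, $email, $password)
{
    $stmt = $db->prepare('SELECT user_id, email_address, first_name, user_name, password
                          FROM members WHERE email_address = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown e-mail and wrong password share one outcome and one message,
    // so the response does not tell the caller which of the two it was.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    // Transparent upgrade: if the cost was raised since this user registered,
    // re-hash now while the plaintext is legitimately available.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, ['cost' => 10])) {
        $upd = $db->prepare('UPDATE members SET password = :hash WHERE user_id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]),
                       ':id'   => $row['user_id']]);
    }

    $db->prepare("UPDATE members SET last_log_date = datetime('now') WHERE user_id = :id")
       ->execute([':id' => $row['user_id']]);

    unset($row['password']);   // the hash has no business in the session
    return $row;
}

// --- demonstration with constructed data ---
register_member($db, 'alice@example.com', 'alice', 'Alice', 'correct horse');

// Why the answer's approach cannot work: two hashes of the same password are
// different strings, yet password_verify accepts the password against both.
$h1 = password_hash('correct horse', PASSWORD_BCRYPT);
$h2 = password_hash('correct horse', PASSWORD_BCRYPT);
echo 'hashes differ:      ', var_export($h1 !== $h2, true), "\n";
echo 'verify against h1:  ', var_export(password_verify('correct horse', $h1), true), "\n";
echo 'verify against h2:  ', var_export(password_verify('correct horse', $h2), true), "\n";

echo 'right password:     ', var_export(login_member($db, 'alice@example.com', 'correct horse') !== null, true), "\n";
echo 'wrong password:     ', var_export(login_member($db, 'alice@example.com', 'wrong') === null, true), "\n";
echo 'unknown e-mail:     ', var_export(login_member($db, 'nobody@example.com', 'correct horse') === null, true), "\n";
```

Run it with `php example.php`. The question's `Bcrypt::verify($pass, $row_pass)` call was already the right shape; the failure came from the SQL in front of it, which filtered on the plaintext password (and did not even select the `password` column, so `$row['password']` was never populated). The same fix applies if you keep the `include/blowfish.php` class: drop the password from the `WHERE` clause, select the stored hash, and pass the submitted plaintext, not a re-hash of it, to `verify()`.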