1. 首页
  2. 问答
  3. 认证来自sha1盐腌密码的用户登录

认证来自sha1盐腌密码的用户登录

2012-09-24 53 views
4

我有一个非常简单的登录/用户注册脚本,它使用sha1和salt存储密码。我有密码和用户创建工作正常,并存储在数据库中的一切都很好,但是当我尝试使用凭据登录时,它不起作用。在搜索这个主题时,我似乎找不到任何东西。认证来自sha1盐腌密码的用户登录

这里是我的外接用户表单:

session_start(); 
include("includes/resume.config.php"); 

// make sure form fields have a value and strip them 
function check_input($data, $problem='') 
{ 
$data = trim($data); 
$data = stripslashes($data); 
$data = htmlspecialchars($data); 
if ($problem && strlen($data) == 0) 
{ 
    die($problem); 
} 
    return $data; 
} 

// get form values, escape them and apply the check_input function 
$name = $link->real_escape_string(check_input($_POST['name'], "Please enter a name!")); 
$email = $link->real_escape_string(check_input($_POST['email'], "Please enter an email!")); 
$password = $link->real_escape_string(check_input($_POST['password'], "Please enter a password!")); 

// generate a random salt for converting passwords into MD5 
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); 
$saltedPW = $password . $salt; 
$hashedPW = sha1($saltedPW); 

mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); 
// select the db 
mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); 

// our sql query 
$sql = "INSERT INTO admins (name, email, password, salt) VALUES ('$name', '$email', '$hashedPW', '$salt');"; 

//save the updated information to the database   
mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link)); 

if (!mysqli_error($link)) 
{ 
    header("Location: file_insert.php"); 
}

这里是我的登录脚本:这就是不工作

function check_input($data, $problem='') 
{ 
$data = trim($data); 
$data = stripslashes($data); 
$data = htmlspecialchars($data); 
if ($problem && strlen($data) == 0) 
{ 
    die($problem); 
} 
    return $data; 
} 

if(isset($_POST['submitLogin'])) { //form submitted? 

// get form values, escape them and apply the check_input function 
$name = $link->real_escape_string(check_input($_POST['name'], "Please enter a name!")); 
$password = $link->real_escape_string(check_input($_POST['password'], "Please enter a password!")); 

$saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); 

$salt = mysqli_fetch_assoc($saltQuery); 
$saltedPW = $password . $salt; 
$hashedPW = sha1($saltedPW); 

mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); 
// select the db 
mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); 

$validate_user = $link->query('SELECT id, name, password FROM admins WHERE name = "'.$name.'" AND password = "'.$hashedPW.'"'); 

if ($validate_user->num_rows == 1) { 
    $row = $validate_user->fetch_assoc(); 
    $_SESSION['id'] = $row['id']; 
    $_SESSION['loggedin'] = TRUE; 
    Header('Location: file_insert.php'); 
} else { 
    print "<center><p style='margin-top: 200px; font-weight: bold;'>Invalid Login Information</p>"; 
    print "<a href='admin-login.php'>Click here</a> to return to the login page.</center>"; 
} 
}

来源

2012-09-24 Ty Bailey

回答

3

可能有更多的事情,但肯定一个它不工作的原因是因为mysqli_fetch_assoc返回一个数组,并且您像字符串一样使用它。

由于此时$salt是一个数组,因此在调用$password . $salt时,PHP会抱怨数组要转换为字符串。结果是,您将字尾Array附加到导致不正确散列的密码。如果您有display_errors关闭和/或error_reporting设置为隐藏php.ini中的通知,那么您不会看到此消息。

如果更改:

$saltedPW = $password . $salt;

到:

$saltedPW = $password . $salt['salt'];

那么它应该工作。

此外,在将其插入到数据库之前,您应该转义$salt,因为它可能包含null,unprintable或single/double引号,因为它是随机生成的。

来源

2012-09-24 23:41:40 drew010

+0

所以我应该改变'$ salt = mysqli_fetch_assoc($ saltQuery);'只是'$ salt = $ saltQuery;'? –

+0

不,您仍然需要执行查询,将该部分保持原样,只需更改答案中显示的分配即可。 – drew010

+0

此外,如果您在该查询中选择了密码哈希和salt,则您不必进行2次查询即可知道登录是否有效。如果您找到匹配项,只需在PHP中填写密码并将其与您已从数据库中选择的散列密码进行比较。 – drew010

0

,如果你收到任何错误消息,但您发布的内容,我认为它是一个连接问题你没有说:

if(isset($_POST['submitLogin'])) { //form submitted? 

// Here, you didn't connect to database, but you are expecting to fetch salt! 
$saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); 

$salt = mysqli_fetch_assoc($saltQuery);

所以,你可能需要先连接到数据库:

if(isset($_POST['submitLogin'])) { //form submitted? 

mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); 
// select the db 
mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); 

// Here, you didn't connect to database, but you are expecting to fetch salt! 
$saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"');

其次,mysqli_fetch_assoc与返回键名称为您在SELECT查询嵌入哪一个领域的一个数组,最终代码应该是这样的:

if(isset($_POST['submitLogin'])) { //form submitted? 

mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); 
// select the db 
mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); 

// Here, you didn't connect to database, but you are expecting to fetch salt! 
$saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); 
$salt = mysqli_fetch_assoc($saltQuery); 
$saltedPW = $password . $salt["salt"]; 
$hashedPW = sha1($saltedPW);

来源

2012-09-24 23:47:15 SIFE

相关问题

 相关问题