使用散列函数登录错误

Question

我熟悉crypt系统，但我试图实现一些散列函数，但用户注册后我无法登录。这是哈希类的，我有

class PassHash { 

// blowfish 
private static $algo = '$2a'; 

// cost parameter 
private static $cost = '$10'; 

// mainly for internal use 
public static function unique_salt() { 
    return substr(sha1(mt_rand()),0,22); 
} 
// this will be used to generate a hash 
public static function hash($password) { 

    return crypt($password, 
       self::$algo . 
       self::$cost . 
       '$' . self::unique_salt()); 

} 
// this will be used to compare a password against a hash 
public static function check_password($hash, $password) { 

    $full_salt = substr($hash, 0, 29); 

    $new_hash = crypt($password, $full_salt); 

    return ($hash == $new_hash); 
} 
} 

这是登录表单

include 'misc/database.inc.php'; 
require ("misc/hash.php"); 
if(isSet($_POST['submit'])) { 
$pdo = Database::connect(); 
$username=$_POST['username']; 
$password=""; 

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1"); //Limiting result to one only. 

$stmt->bindParam(':username', $username); 
$stmt->execute(); 
$res = $stmt -> fetch(PDO::FETCH_OBJ); // Asks to fetch as an object. 

$password = $res->password; 
if (PassHash::checkHash($password, $_POST['password'])) { 


if ($res['level'] == 1) 
{ 
     $_SESSION['firstname'] = $res['firstname']; 
     $_SESSION['lastname'] = $res['lastname']; 
     $_SESSION['email']  = $res['email']; 

    header("location: users/main.php"); 
} 
else 
{ 
     header("location: index.php");    
} 
} else 
{ 
    echo "can't enter"; 
} 

我不断收到error。同样的密码也是正常的（我使用123321进行测试）每次存储不同的hash或者注册表有错误？

这里是userAdd文件。

if (!empty($_POST) && isset($_POST['submit'])) 
      {    

      // keep track post values 
      $username= $_POST['username']; 

      $pw = new PassHash(); 
      $myHash = $pw->hash($_POST['password']); 

      $firstname = $_POST['firstname']; 
      $lastname = $_POST['lastname']; 
      $email = $_POST['email'];       


         // update data 

      $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 

      $sql = "UPDATE users set username = ?, password = ?, firstname = ?, lastname = ?, email = ?, user_image = ? WHERE user_id = ?"; 
      $q = $pdo->prepare($sql); 
      $q-execute(array($username,$myHash,$firstname,$lastname,$email,$pathForDB,$user_id)); 

Answer 1

想想我发现了你的具体错误。 你正在发送一个空白的密码变量来验证，看看这里，我评论了我编辑的重要部分。

require ("misc/hash.php"); 
if(isSet($_POST['submit'])) { 
$pdo = Database::connect(); 
$username=$_POST['username']; 
$password=""; 

$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username LIMIT 1"); //Limiting result to one only. 

$stmt->bindParam(':username', $username); 
$stmt->execute(); 
$res = $stmt -> fetch(PDO::FETCH_OBJ); // Asks to fetch as an object. 

// PASSWORD IS STILL EMPTY HERE! 
// Must fill it out, to be the hashed password from database 
$password = $res->password; 

if (PassHash::check_password($password, $_POST['password'])) { 

这是否解决了您的问题？

你可以试试吗？

class PassHash { 

    protected function salter() { 
     $salt = ""; 
     $salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9)); 

     for($i=0; $i < 22; $i++) { 
      $salt .= $salt_chars[array_rand($salt_chars)]; 
     } 

     return $salt; 
    } 

     public function hash($input, $rounds = 7) 
     { 
     return crypt($input, sprintf('$2a$%02d$', $rounds) . $this->salter()); 
     } 

     public function checkHash($password, $hash) { 
     if(crypt($password, $hash) == $hash) { 
      return true; 
     } 

     return false; 

     } 
} 


$pw = new PassHash(); 
$myHash = $pw->hash("1234"); 

if($pw->checkHash("1234", $myHash)) { 
    echo "I did it!"; 
} else { 
    echo "I diden't do it!"; 
}