2012-07-24 22 views
0

I have recently set up my own dedicated server and installed everything needed to write PHP etc. However, I seem to be having a problem returning encrypted passwords from my MySQL database, and I can't tell whether it is something to do with my PHP configuration or something with my MySQL configuration. Basically what happens is that when I use PDO to return the encrypted password from the database it loses certain characters, so when PHP goes to compare the encrypted password entered by the user at login with the password stored in the database, it throws an error.

Hashed password characters returned from the database

Here is an example:

Password entered by the user, after encryption: #7" 8wŖQE4YW6'u

Password returned from the database: ?#7 ??“????? 8w?QE ?? 4YW?6?'?? u?

The ' ' characters seem to be turning into '?' characters :S

I checked the password in phpMyAdmin to see whether it was missing certain characters, but the passwords match, so something in between is going awry, and I'm not sure whether it's down to the PHP setup or MySQL

Here are my scripts:

Hash and salt script (modules.php):

<?php

    /* Initialises the username variable. */
    $username = $_SESSION['username'];

    /* If the user has changed their details then this block of code will make the changes to the database.
    if(isset($_POST['detailsChanged']) == 1)
    {
        $statement = $conn->prepare("UPDATE people SET Firstname = :firstname, Surname = :surname, Email = :email WHERE Username = :username ");

        $statement->bindParam(':firstname', $_POST['Firstname'], PDO::PARAM_INT);
        $statement->bindParam(':surname', $_POST['Surname'], PDO::PARAM_INT);
        $statement->bindParam(':email', $_POST['Email'], PDO::PARAM_INT);
        $statement->bindParam(':username', $username, PDO::PARAM_INT);
        $statement->execute();
    }*/

    if(isset($_SESSION["passed"]) == 1)
    {
        /* Bound parameter instead of string concatenation, so the username can
           never be interpreted as part of the SQL. */
        $statement = $conn->prepare("SELECT * FROM people WHERE username = :username");
        $statement->bindParam(':username', $username);
        $statement->execute();

        $result = $statement->fetch();

        $firstname = $result['Firstname'];
        $surname = $result['Surname'];
        $username2 = $result['Username'];
    }

    /* PBKDF2: $p password, $s salt, $c iteration count, $kl key length in bytes,
       $a hash algorithm. Returns the derived key as RAW BINARY, i.e. arbitrary
       bytes, not text. */
    function pbkdf2($p, $s, $c, $kl, $a = 'sha256') {

        $hl = strlen(hash($a, '', true)); # Hash length in bytes
        $kb = ceil($kl/$hl);              # Key blocks to compute
        $dk = '';                         # Derived key

        # Create key
        for ($block = 1; $block <= $kb; $block ++) {

            # Initial hash for this block: U1 = HMAC(password, salt || INT(block))
            $ib = $b = hash_hmac($a, $s . pack('N', $block), $p, true);

            # Perform block iterations
            for ($i = 1; $i < $c; $i ++) {
                # XOR each iterate: U_i = HMAC(password, U_(i-1)); T ^= U_i
                $ib ^= ($b = hash_hmac($a, $b, $p, true));
            }

            $dk .= $ib; # Append iterated block
        }

        # Return derived key of correct length
        return substr($dk, 0, $kl);
    }
?>

PDO initialisation (login and password removed for security reasons) (connection.php):

<?php

    $login = "*******";
    $password = "********";

    $dsn = "mysql:host=localhost;dbname=wishpiggy";
    $opt = array(
        // any occurring errors will be thrown as PDOException
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // an SQL command to execute when connecting
        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'"
    );

    // The options array has to go into the constructor: MYSQL_ATTR_INIT_COMMAND
    // is only applied at connect time, so setting it afterwards with
    // setAttribute() has no effect.
    $conn = new PDO($dsn, $login, $password, $opt);
?>

Login page:

<?php ob_start(); session_start(); include ('sql_connect/connection.php'); include('sql_connect/modules.php'); 

    //This section of code checks to see if the client is using SSL, if not 
    // if($_SERVER["HTTPS"] != "on") 
    // { 
    //  header("HTTP/1.1 301 Moved Permanently"); 
    //  header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); 
    //  exit(); 
    // } 

    //This if statement checks to see if the session variable 'username' is set, and if so it will redirect the user to their profile page. 

    if(isset($_SESSION["username"]))
    {
        header("Location: /home/");
        exit(); // stop here; otherwise the rest of the page is still executed and sent
    }

?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 
    <title>Wish Piggy</title> 
    <link href="css/styles.css" rel="stylesheet" type="text/css" /> 
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script> 
    <script type="text/javascript" src="js/loginjs.js"></script> 
</head> 

<body> 

    <div class="index_div"> 
     <div class="logo"><img src="img/wish_piggy.jpg" alt="" /> 
     </div> 
     <div class="text"><span>89% Fulfilled</span> 
     </div> 
     <div class="bar"><img src="img/wish_piggy_bar.jpg" alt="" /> 
     </div> 
     <div class="text"> 
      <div class="text_l"><p>1,000,000 People</p> 
      </div> 
      <div class="text_r"><p>9,000,838 Wishes</p> 
      </div> 
     </div> 
     <div class="sign_in"><a id="show-panel" href="#"></a> 
     </div> 
    </div> 

    <div id="lightbox-panel"> 
     <form id="loginForm" name="form" action="index.php" method="post" > 
      <input name="submitted" type="hidden" value="1" /> 
      <div class="login_label"><img src="img/wish_piggy_login.jpg" alt="" /><a id="open_signin" href="#">SIGN UP HERE</a><p>Login</p><a id="close-panel" href="#"></a> 
      </div> 
      <div class="login_input"><input name="email" type="text" value="<?php if(isset($_COOKIE['username']) && $_COOKIE['username'] != ""){echo $_COOKIE['username']; $_SESSION["username"] = $_COOKIE['username']; $_SESSION["passed"] = 1; header("Location: /home/");}else{echo "Email";} ?>" onclick="this.value=''" /> 
      </div> 
      <div class="input_label"><span>(e.g. [email protected])</span> 
      </div> 
      <div class="login_input"><input name="password" type="password" value="Password" onclick="this.value=''" /> 
      </div> 
      <div class="input_label"><a href="#">Forgot Password</a> 
      </div> 
      <div class="login_submit"> 
       <div class="login_checkbox"><input name="remember" type="checkbox" value="" /> <span>Remember me</span> 
       </div> 
       <div class="login_submit_input"><input name="submit" type="submit" value=""/> 
       </div> 
      </div> 
     </form> 
    </div> 
    <div id="lightbox"></div> 

    <div id="lightbox-panel2"> 
     <div class="inner_lightbox2"><img src="img/wish_piggy_login.jpg" alt="" /><a id="close-panel2" href="#"></a> 
     </div> 
     <div class="signup_form"> 
      <form action="index.php" method="post"> 
       <input name="submitted" type="hidden" value="1" /> 
       <div class="signup_form_label"><span>Firstname:</span> 
       </div> 
       <div class="signup_form_input"><input name="firstname" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Surname:</span> 
       </div> 
       <div class="signup_form_input"><input name="surname" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Email:</span> 
       </div> 
       <div class="signup_form_input"><input name="email" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Confirm Email:</span> 
       </div> 
       <div class="signup_form_input"><input name="emailConfirm" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Password:</span> 
       </div> 
       <div class="signup_form_input"><input name="password" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Confirm Password:</span> 
       </div> 
       <div class="signup_form_input"><input name="passwordConfirm" type="text" /> 
       </div> 
       <div class="signup_form_label2"><img src="img/wish_piggy_captcha.jpg" alt="" /> 
       </div> 
       <div class="signup_form_input2"><input name="" type="text" /> 
       </div> 
       <div class="signup_form_submit"><input name="" type="button" value="register" /> 
       </div> 
      </form> 
     </div> 
    </div> 
    <?php 
     if(isset($_POST["submitted"]) == 1) 
     { 
      echo "caught data!"; 
      $email = $_POST["email"]; 
      $password = $_POST["password"]; 
      if($password == "") 
      { 
       die ("Your username or password is incorrect."); 
      } 

      $usernameValidated = 0; 

      $statement = $conn->prepare("SELECT password FROM users WHERE email = :name"); 
      $statement->bindParam(":name", $email); 
      $statement->execute(); 

      $passCompare = $statement->fetch(); 
      $passSubmitHashed = pbkdf2($password, "butterScotch", 1000, 32); 
      echo $passSubmitHashed; 
      echo " || "; 
      echo $password; 
      if($passSubmitHashed == $passCompare['password']) 
      { 
       $usernameValidated++; 
      } 
      echo "hurrdurr || " . $passCompare['password']; 
      if($usernameValidated == 0) 
      { 

       die("Your username or password is incorrect.."); 

      } 

     } 
     if(isset($_POST["submitted"]) == NULL || isset($usernameValidated) > 0) 
     { 
      echo "<style> #text_contents{display: none;}</style>"; 
     } 

     if(isset($usernameValidated) >= 1) 
     { 
      $_SESSION["username"] = $username; 
      $expiry = 60 * 60 * 6 + time(); 
      setcookie('username', $username, $expiry); 
      $_SESSION["passed"] = $_POST["submitted"]; 

      header("Location: /profile/"); 
     } 
     ob_end_flush(); 
    ?> 
    <div id="lightbox2"></div>
</body> 
</html> 
+0

Why don't you just do a double-param select? Something like "SELECT * FROM users WHERE email = :email AND password = :password" and pass it the hash of the user input (checking whether the result gives a record count == 1)? – Onheiron 2012-07-24 14:24:49

+0

Onheiron, I tried your suggestion, but it always returns a record, because it finds the record for the email regardless of whether the password is correct. – 2012-07-24 14:53:56

Answers

4

Simply encode the password with base64_encode (before saving, and when comparing) :)

+0

Listen @GeoffreyBrier, don't put plain hashes in the database; encode them, then decode them. – Peon 2012-07-24 14:29:26

+0

This isn't solving the problem, the hash shouldn't be **** in the first place. If he sets the character set correctly everywhere (file, connection, database etc.) there shouldn't be a problem in the first place. – Sherlock 2012-07-24 14:30:19

+0

Yes, I'm using this hash because it's supposed to be the most secure; the point of a hash is that you can't reverse it. That is different from encryption. – 2012-07-24 14:32:49
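The answer's advice (encode the hash as text before storing and comparing) carried through on the question's login check, as an added example that is neither the asker's code nor from any of the posters. The underlying fault is that pbkdf2() returns raw bytes, many of which are not valid UTF-8, and a VARCHAR column plus SET NAMES utf8 replaces those bytes with '?' on the way in or out; hex (or base64) is plain ASCII, so it is the same in every charset MySQL can be set to. This example assumes PHP >= 7.0, a table users with text columns email, salt and password_hash (the question's table has only a password column and a single hard-coded salt) and a PDO handle $conn opened with ERRMODE_EXCEPTION. The salt value "butterScotch" in the self-check comes from the question; the user password in it is constructed.

```php
<?php
// Added example, not code from the question or the answers above.
// Assumptions: table `users` (email, salt, password_hash; all text columns),
// $conn is a PDO handle with PDO::ERRMODE_EXCEPTION, PHP >= 7.0.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 100000; // the question uses 1000; tune to ~100 ms on the server
const PBKDF2_KEY_BYTES  = 32;

/* Derive the key with PHP's built-in PBKDF2 and return it as lowercase hex.
 * Hex is 7-bit ASCII, so a utf8/latin1 connection or column conversion cannot
 * change it, unlike the raw-binary output of the question's pbkdf2(). */
function derive_password_hash(string $password, string $salt): string
{
    // With $binary = false the $length argument counts hex characters, i.e. 2 * bytes.
    return hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES * 2, false);
}

/* A fresh random salt per user, also stored as hex text. */
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

/* Registration: store salt and hash as ASCII text through bound parameters. */
function register_user(PDO $conn, string $email, string $password): void
{
    $salt = make_salt();
    $hash = derive_password_hash($password, $salt);

    $stmt = $conn->prepare(
        'INSERT INTO users (email, salt, password_hash) VALUES (:email, :salt, :hash)'
    );
    $stmt->execute([':email' => $email, ':salt' => $salt, ':hash' => $hash]);
}

/* Login check: fetch the stored salt and hash for the e-mail, recompute, and
 * compare with hash_equals() so the comparison time does not depend on how many
 * leading bytes match. An unknown e-mail and a wrong password take the same
 * path and return the same answer. */
function verify_login(PDO $conn, string $email, string $password): bool
{
    $stmt = $conn->prepare('SELECT salt, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Do the same amount of work so timing does not reveal which e-mails exist.
        derive_password_hash($password, make_salt());
        return false;
    }

    $candidate = derive_password_hash($password, $row['salt']);
    return hash_equals($row['password_hash'], $candidate);
}

/* Self-check without a database: push the raw key and its hex form through a
 * UTF-8 clean-up of the kind a utf8 connection performs (invalid bytes become
 * '?'). The hex form always comes back unchanged; the raw form only survives
 * if all 32 bytes happen to form valid UTF-8, which a derived key practically
 * never does. */
function charset_roundtrip_demo(): array
{
    $raw = hash_pbkdf2(PBKDF2_ALGO, 'hunter2', 'butterScotch', 1000, PBKDF2_KEY_BYTES, true);
    $hex = bin2hex($raw);

    $rawAfter = mb_convert_encoding($raw, 'UTF-8', 'UTF-8');
    $hexAfter = mb_convert_encoding($hex, 'UTF-8', 'UTF-8');

    return [
        'raw_survives' => $rawAfter === $raw,
        'hex_survives' => $hexAfter === $hex,
    ];
}

var_dump(charset_roundtrip_demo());
```

hash_equals() is used instead of == because == on strings is not constant-time and, with PHP's loose comparison, can treat two numeric-looking strings as equal. On PHP 5.5 and later the whole salt/encode/compare routine is also available as password_hash() and password_verify(), which store the salt and algorithm inside a printable ASCII string, so the same charset problem cannot arise.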