验证使用Bcrypt密码登录 [英] Verify Login with Bcrypt Password

问题描述

我有一个网站，我在其中使用bcrypt编程注册/登录系统.我已将带有哈希密码的注册详细信息成功插入数据库中.我的问题是如何使用此哈希密码对用户进行身份验证.以下是我使用的代码:

I have a site where i'm programming a registration/login system with bcrypt. I have successfully inserted the registration details with the hashed password into the database. My problem is how to authenticate the user using this hashed password. Below are the codes i used:

注册操作:

<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Registration Action</title>
</head>
<font face="arial">

<?php

session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
//echo "Correct Code Entered";
//Do req stuff







$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tbl"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$myemail=mysql_real_escape_string($_POST['myemail']);
$mysecrquest=mysql_real_escape_string($_POST['mysecrquest']);
$mysecransw=mysql_real_escape_string($_POST['mysecransw']);
$mypassword_rep=mysql_real_escape_string($_POST['mypassword_rep']);
$myemail_rep=mysql_real_escape_string($_POST['myemail_rep']);
$mysecransw_rep=mysql_real_escape_string($_POST['mysecransw_rep']);

$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);

$encpass = crypt($mypassword, $salt);

//validate input
if (( !empty($myusername) && !empty($mypassword) && !empty($myemail) && !empty($mysecrquest) && !empty($mysecransw) )
&& (($mypassword_rep==$mypassword)&&($myemail_rep==$myemail)&&($mysecransw_rep==$mysecransw)))
{
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, salt, password, email, secrquest, secransw)VALUES('$myusername', '$salt', '$encpass', '$myemail', '$mysecrquest', 

'$mysecransw')";
$result=mysql_query($sql);

// if successfully insert data into database, displays message "Successful". 
if($result){
echo "<center><font color='green'>Congratulations! Your registration was Successful</font></center>";
echo "<BR>";
echo "<center><a href='somepage.php'>Somepage</a></center>";
}
}

else {
echo "<center><font color='red'>You have one or more invalid entries: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}


}
else {
echo "<center><font color='red'>Wrong Captcha: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}

?> 



<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<? ob_flush();//Flush buffer output ?>

登录操作:

<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Login Action</title>
</head>

<font face="arial">

<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered</font>";
//Do req stuff





$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tblx"; // Table name 
$tbl_name2="tbl"; // Table name 2

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);

// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername'";
$result2=mysql_query($sql2);

$row=mysql_fetch_assoc($result2);

//$count=mysql_num_rows($result2);

// If result matched $myusername and $mypassword, table row must be 1 row
//if($count==1)

//$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
if ($encpass == $row['password'])
             {
session_start();             
$_SESSION['myusername'] = $myusername;
header ("Location: memberspage.php");

             }

else {
echo "<center><font color='red'>Invalid Login Details. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}


}

else {
echo "<center><font color='red'>Wrong Captcha. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}
?>


<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<? ob_flush();//Flush buffer output ?>

感谢您的帮助.谢谢.

推荐答案

我建议使用PHP的内置password_xxx()函数.明确设计这些密码是为了使使用bcrypt哈希密码的密码更容易使用.除了调用 password_verify() 之外，您无需考虑其他任何事情在创建帐户时检查登录尝试和 password_hash() .容易.

I suggest using PHP's built-in password_xxx() functions. These are explicitly designed to make it easy to work with passwords hashed using bcrypt. You don't need to think of anything other than calling password_verify() to check a login attempt and password_hash() when creating an account. Easy.

到目前为止，这是在PHP中使用密码的最简单方法.

That's by far the easiest way of working with passwords in PHP.

请注意，这些功能仅在最新的PHP版本(v5.5)中可用.但是，有一个您可以下载的向后兼容性库，使它们在当前所有受支持的版本中的工作方式完全相同PHP(即v5.3和5.4).

Note that these functions are only available in the latest PHP version (v5.5). However there is a backward compatibility library you can download that makes them work exactly the same in all currently supported versions of PHP (ie v5.3 and 5.4).

希望有帮助.

这篇关于验证使用Bcrypt密码登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！