注册和登录中的哈希密码不匹配 [英] Hashing password in register and login do not match
问题描述
我有一个注册表,允许用户输入密码,我使用crypt对该密码进行哈希处理
I've a register form that allow user to enter password and I hash this password using crypt
在注册表单中它可以正常工作,并且密码在数据库中被散列并且是安全的,但是在进行登录时,密码不匹配并且系统无法登录
In the register form it work and the password is hashed and secure in the database but when it come to the login the password do not match and the system do not log in
任何人都可以帮助我???
Anyone can help me ???
//crypt password
require_once('include/blowfish.php');
$bcrypt = new Bcrypt(4);
$hash = $bcrypt->hash($pass1);
echo $hash;
//************Insert all the members's input to the database**************************//
$query = mysql_query("INSERT INTO members(user_name, first_name, last_name,
governorate, district, village, birth_date, email_address, specialization,
password, registered_date )
VALUES('$username', '$firstname', '$lastname', '$governorate', '$district',
'$village', '$bdate', '$email', '$specialization', '$hash', now())")
or die(mysql_error());
login.php中的
哈希密码
hashing password in the login.php
$sql=mysql_query( "SELECT user_id, email_address, first_name, user_name
FROM members
WHERE email_address='$email'AND password= '$pass'
LIMIT 1") or die("error in members table");
$login_check = mysql_num_rows($sql);
if($login_check > 0)
{
$row = mysql_fetch_array($sql);
$row_pass = $row['password'];
//***********for hashing password***************************//
require_once('include/blowfish.php');
$bcrypt = new Bcrypt(4);
if($bcrypt->verify($pass, $row_pass))
{
$id = $row['user_id'];
$_SESSION['user_id'] = $id;
$firstname = $row['first_name'];
$_SESSION['first_name']= $firstname;
$email = $row['email_address'];
$_SESSION['email_address']= $email;
$username = $row['user_name'];
$_SESSION['user_name']= $username;
mysql_query("UPDATE members SET last_log_date=now()
WHERE user_id='$id'");
//$message = "correct email and passworddd!!";
header("Location: profile.php");
// exit();
}//close if
}//close if
else
{
$message = "incorrect Email or Password!!";
//exit();
}
推荐答案
它不起作用,因为在第一个代码段中,您将$ hash保存到members.password中.
It doesn't work because in the 1-st snippet you save $hash into the members.password.
在第二个代码段中,您从输入中检查真实密码.您需要将其修改为首先哈希:
While in the second snippet you check for the real password from the input. You need to modify it to hash first:
$bcrypt = new Bcrypt(4);
$hash = $bcrypt->hash($pass);
$query = sprintf("SELECT user_id, email_address, first_name, user_name
FROM members
WHERE email_address='%s'AND password= '%s'",
mysql_real_escape_string($email),
mysql_real_escape_string(hash));
$sql=mysql_query( $query) or die("error in members table");
$login_check = mysql_num_rows($sql);
if($login_check > 0)
{
...
您的代码也容易受到SQL注入的攻击,并使用不推荐使用的mysql_ *函数.
Also your code is vulnerable to SQL injection and uses deprecated mysql_* functions.
这篇关于注册和登录中的哈希密码不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!