Phpass - how to check login username and password against username and password hash in database

Question

I have successfully used Phpass to hash registered users' passwords and store them in a database. Now I am stuck on the login: how to check the submitted username and password, checking that the username exists in the database and then checking the hashed password against the one given.

Any help much appreciated! Thank you!

This is my code:

```php
<?php

// Initialize session
session_start();

// Include database connection settings
include('config.inc');

require("PasswordHash.php");
$hasher = new PasswordHash(8, false);

$username = $_POST['username'];
$password = $_POST['password'];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die("Password must be 72 characters or less"); }

// Escape the username before interpolating it into SQL; interpolating the raw POST
// value is a SQL injection hole. (ext/mysql was removed in PHP 7; mysqli or PDO
// prepared statements are the replacement.)
$username = mysql_real_escape_string($username);
$query = "SELECT * FROM user WHERE username = '$username'";

$query = mysql_query($query);
$numrows = mysql_num_rows($query);

// "==" compares; a single "=" would assign 1 and always be true
if ($numrows == 1) {

    $res = mysql_query("SELECT password FROM user WHERE username = '$username'");
    $row = mysql_fetch_array($res);
    $hash = $row['password'];
    $password = $_POST['password'];

    if ($hasher->CheckPassword($password, $hash)) { // $hash is the hash retrieved from the DB
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }

} else {

    echo "No Such User";
    include 'login.php';
    exit();
}

echo "$what\n";
echo "<br />";
echo "$hash"; // debugging output only: never show the stored hash to the user in production

?>
```

THIS IS MY WORKING CODE FOR BENEFIT OF OTHERS:

```php
<?php

// Initialize session
session_start();

// Include database connection settings
include('config.inc');

require("PasswordHash.php");
$hasher = new PasswordHash(8, false);

$username = $_POST['username'];
$password = $_POST['password'];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die("Password must be 72 characters or less"); }

// Escape the username before interpolating it into SQL; interpolating the raw POST
// value is a SQL injection hole. (ext/mysql was removed in PHP 7; mysqli or PDO
// prepared statements are the replacement.)
$username = mysql_real_escape_string($username);
$query = "SELECT * FROM user WHERE username = '$username'";

$query = mysql_query($query);
$numrows = mysql_num_rows($query);

// "==" compares; a single "=" would assign 1 and always be true
if ($numrows == 1) {

    $res = mysql_query("SELECT * FROM user WHERE username = '$username'");
    $row = mysql_fetch_array($res);
    $hash = $row['password'];
    $password = $_POST['password'];

    if ($hasher->CheckPassword($password, $hash)) { // $hash is the hash retrieved from the DB
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }

} else {

    echo "No Such User";
    include 'login.php';
    exit();
}

echo "$what\n";
echo "<br />";
echo "$hash"; // debugging output only: never show the stored hash to the user in production

?>
```


Recommended answer

Here's how phpass works: When you save the user's password (when they create it) you hash it before saving, like so:

```php
// First argument is the base-2 logarithm of the iteration count (phpass accepts 4..31);
// second selects the portable "$P$" md5-based hash instead of bcrypt
$hash_iterations = 30;
$portable_hashes = FALSE;
$hasher = new PasswordHash($hash_iterations, $portable_hashes);
$hash_value = $hasher->HashPassword($actual_password);
```

Then save $hash_value in the database as the user's password. When you go to validate the user, look up the user by username. If found, compare the actual password from the database (stored hash) with a hash of what the user entered:

```php
// $stored_hash is the value you saved in the database for this user's password
// $user_input is the POST data from the user with the actual password
$valid_password = $hasher->CheckPassword($user_input, $stored_hash);
```

Make sure to initialize the PasswordHash class the same way each time, with the same values for $hash_iterations and $portable_hashes, or the comparison won't work correctly.
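The hash-then-verify flow the answer describes, and the lookup-then-check login step the question asks about, as an added example in Python rather than the PHP of the original. It is not the phpass library's code: the portable `$P$` hash (salted, iterated MD5 with phpass's own base64 alphabet) is re-implemented here from the documented format, the SQLite table and the user records are constructed stand-ins for the page's MySQL `user` table, and `login`, `setup_user_table` and `DUMMY_HASH` are names chosen for this example. It goes slightly beyond the page in two ways: the username lookup is a parameterised query rather than string interpolation, and an unknown username is still checked against a dummy hash so that the response time does not reveal which usernames exist.

```python
"""Added example (not the phpass library's own code): a Python re-implementation of
phpass portable "$P$" hashes, plus the lookup-then-verify login step the question asks
about. The user table is an in-memory SQLite stand-in for the page's MySQL table."""
import hashlib
import hmac
import os
import sqlite3

# phpass's alphabet for its own (non-RFC 4648) base64 variant
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """Encode the first `count` bytes the way phpass does: 6-bit groups, little-endian."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Hash `password` under the cost and salt carried in `setting` (the first 12 chars
    of a stored hash). Returns '*' on a malformed setting so it can never match."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    salt = setting[4:12].encode("latin-1", "replace")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):          # 2**count_log2 rounds of md5
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """New portable hash with a random 6-byte salt. As in phpass, the stored cost
    character is log2 + 5 (capped at 30), so a cost of 8 yields a '$P$B...' hash."""
    if not 4 <= iteration_count_log2 <= 31:
        iteration_count_log2 = 8
    setting = "$P$" + ITOA64[min(iteration_count_log2 + 5, 30)] + encode64(os.urandom(6), 6)
    return crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Recompute under the salt and cost read out of `stored_hash`, compare in constant time."""
    computed = crypt_private(password.encode("utf-8"), stored_hash)
    if computed.startswith("*"):
        return False
    return hmac.compare_digest(computed.encode(), stored_hash.encode())


# Hash of a constructed throwaway password, checked when the username is unknown so
# that "no such user" and "wrong password" cost the same time (no username enumeration
# through response timing).
DUMMY_HASH = hash_password("constructed-dummy-password")


def setup_user_table(users: dict) -> sqlite3.Connection:
    """Constructed stand-in for the page's `user` table (username, password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in users.items()])
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The question's flow: look the user up by name, then check the submitted password
    against the stored hash. The lookup binds the username as a parameter instead of
    interpolating it, so a name like "' OR '1'='1" is just a user that does not exist."""
    if len(password) > 72:                    # the page's own length cap
        return False
    row = conn.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return check_password(password, stored) and row is not None


if __name__ == "__main__":
    db = setup_user_table({"alice": "correct horse"})
    print(login(db, "alice", "correct horse"), login(db, "alice", "wrong"), login(db, "mallory", "x"))
```

`check_password` takes the cost character and the 8-character salt from the stored string itself, which is why a hash made on one machine verifies on another: everything needed for the comparison travels with the hash. The vector `$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0` for `test12345` is the one shipped in phpass's own `test.php`, so it also serves as an interoperability check for the re-implementation.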
