问题与PHP / MYSQLi密码验证使用盐 [英] Issue with PHP/MYSQLi Password validation using salt

问题描述

下面是我创建密码的代码：

我有一个问题，在mysql中存储密码以与使用salt的登录密码相匹配。 p>

  $ hash = hash（'sha256'，$ password）; 
 
函数createSalt（）
 {
 $ text = md5（uniqid（rand（），true））; 
 return substr（$ text，0，3）; 
} 
 
 $ salt = createSalt（）; 
 $ password = hash（'sha256'，$ salt。$ hash）; 
  

以下是我的登录页面中的代码：

  $ userData = $ result-> fetch_array（MYSQL_ASSOC）; 
 
 $ hash = hash（'sha256'，$ password）; 
 
 $ password = hash（'sha256'，$ userData ['salt']。$ hash）; 
 $ b $ // hash = hash（'sha256'，$ userData ['salt']。hash（'sha256'，$ password））; 
 
 if（$ password！= $ userData ['Password']）//错误的密码。所以，再次重定向到login_form。 
  

在mysql中创建密码时没有错误（该字段使用ie填充0d02a88c1e1057a64df6b3fed4c6ad64e228313b803e9f9b36 ...

尽管登录创建了如下所示的内容：51839f9a15dac1f26825f4cd5d2ecf7ae83ea88d440415b04fb6ae41c3a0566f

只是不确定问题出在哪里。对于PHP来说，这是非常新鲜的。

使用功能让您的生活更轻松并且更安全地存储您的密码。 http://www.php.net/manual/en/function.password-hash.phprel =nofollow> password_hash（）。

SHA- *算法不适用于哈希密码，因为它们的速度太快了。函数password_hash（）不仅会计算出一个更适合的BCrypt哈希，它还会负责生成一个安全的盐，而你将不必在单独的数据库字段中存储/检索salt（它将成为结果散列值的一部分） / p>

  //将一个新密码存储在数据库中。 
 //该函数自动生成密码安全的盐。 
 $ hashToStoreInDb = password_hash（$ password，PASSWORD_BCRYPT）; 
 
 //检查输入的登录密码的哈希是否与存储的哈希匹配。 
 // salt和成本因子将从$ existingHashFromDb中提取。 
 $ isPasswordCorrect = password_verify（$ password，$ existingHashFromDb）; 
  

I am having an issue getting the password being stored on in mysql to match the Login password using salt.

Here is the code from my password creation:

        $hash = hash('sha256', $password);

        function createSalt()
        {
        $text = md5(uniqid(rand(), true));
            return substr($text, 0, 3);
        }

        $salt = createSalt();
        $password = hash('sha256', $salt . $hash);

Here is the code in my login page:

        $userData = $result->fetch_array(MYSQL_ASSOC);

        $hash = hash('sha256', $password);

        $password = hash('sha256', $userData['salt'] . $hash);

        //$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) ); 

        if($password != $userData['Password']) // Incorrect password. So, redirect to login_form again.

There are no errors creating the password in mysql (the field is populated with i.e 0d02a88c1e1057a64df6b3fed4c6ad64e228313b803e9f9b36...

While the Login creates something like: 51839f9a15dac1f26825f4cd5d2ecf7ae83ea88d440415b04fb6ae41c3a0566f

Just not sure where the issue is. Thanks in advance, I am very new to PHP.

解决方案

Make your life easier and store your passwords more safe, with the function password_hash().

The SHA-* algorithms are not appropriate for hashing passwords, because they are ways too fast. The function password_hash() will not only calculate a better suited BCrypt hash, it will also take care of the generation of a safe salt, and you won't have to store/retrieve the salt in a separate database field (it will become part of the resulting hash-value).

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

这篇关于问题与PHP / MYSQLi密码验证使用盐的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！