PHP和SQL散列帮助：我做错了什么？ [英] PHP and SQL Hashing Help: What am I doing wrong?

问题描述

首先，我对编码一般都比较陌生，所以散列的思想有点混乱。本质上，我试图散列一个密码，以便将其存储在数据库中，所以我没有明文密码（我被告知这是做到这一点的最好方法，但我不认为这会是如果密码未被散列，这是一个大问题，因为这只是在一小群人中使用，我可以通知他们不要使用他们关心的密码，但我仍被建议这样做）。

我查阅了一些指南，可以使用一些帮助来理解这一点。我将包括我对密码进行散列的方式，以及如何将它们从数据库中提取出来以帮助理解此问题。如果这是一个愚蠢的问题，提前道歉。注意：包含的变量，例如$ login_username和$ login_password正在正确地执行。请注意：包含的变量例如$ login_username和$ login_password正在正确地执行拉，我只是不想包括他们，因为它会混乱了这个帖子更乱。

注册用户（已尝试password_default和password_bcrypt，但我不看不出有什么不同）：

  require_once'database.php'; 
 $ hash_employee_password = password_hash（$ employee_password，PASSWORD_DEFAULT）; 
 
 $ query =INSERT INTO employee 
（employee_id，employee_first_name，employee_last_name，
 employee_username，employee_email，employee_password）
 VALUES 
（：employee_id，： employee_first_name，：employee_last_name，
：employee_username，：employee_email，：employee_password）;; 
 $ b $ // VALUES（。$ employee_id。，'。$ employee_first_name。'，'。。$ employee_last_name。'，'。。$ employee_username。''，'。$ （$ query）; 
 $ statement-> bindValue（''）;'$'$'$'$'$'$'$' ：employee_id'，$ employee_id）; 
 $ statement-> bindValue（'：employee_first_name'，$ employee_first_name）; 
 $ statement-> bindValue（'：employee_last_name'，$ employee_last_name）; 
 $ statement-> bindValue（'：employee_username'，$ employee_username）; 
 $ statement-> bindValue（'：employee_password'，$ hash_employee_password）; 
 $ statement-> bindValue（' ：employee_email'，$ employee_email）; 
 $ statement-> execute（）; 
 $ statement-> closeCursor（）; 
 
 // echo $ query; 
 $ message ='您已成功注册，请联系您的经理以申请账户确认。'; 
 include（'success.php '）; 
  

记录登录：

  require_once'database.php'; 
包含'register_user.php'; 
 
 $ pwordQuery =SELECT employee_password from employee where employee_username =：login_username; 
 $ pwstatement = $ db-> prepare（$ pwordQuery）; 
 $ pwstatement-> bindValue（'：login_username'，$ login_username）; 
 $ pwstatement-> execute（）; 
 $ result = $ pwstatement-> fetch（）; 
 $ pwstatement-> closeCursor（）; 
 
 
 echo $ result [0]; 
 
 if（password_verify（$ login_password，$ result [0]））
 {
 echo'TRUE'; 
} 
 else 
 {
 echo'FALSE'; 
} 
  

问题是：我正在输入正确的用户名和密码， FALSE的结果被回应出来。如果您有任何想法，请告知我。忽视这样一个事实，即我有很多工作要做，比如让我的查询进入函数并以这种方式调用它们......这是为了以后的日子而保存的。 解决方案

密码列的长度是什么？如果它小于60，mysql默默地失败，10次中有9次，这就是问题所在如果是这样，那么你需要重新开始清理你的数据库并创建一个新的哈希。 - Fred -ii- 13分钟前

这是我一直在说的正确的：

@Fred好像它有列长度​​是45是一个坏主意，这是我唯一的问题。感谢您的帮助，并不完全确定这个网站是如何运作的，所以我不知道如何给您代言或任何东西。

根据 password_hash（）函数的手册：

http://php.net/manual/en/function.password-hash.php

PASSWORD_DEFAULT - 使用bcrypt算法（默认为PHP 5.5.0）注意，这个常量被设计为随着时间的推移而变化，算法被添加到PHP中，因此，使用这个标识符的结果的长度会随着时间的推移而变化，所以建议将结果存储在一个数据库列中，该列可以扩展到60个字符以上（255个字符是好的选择）。

First off, I am fairly new to coding in general so the idea of hashing is slightly confusing. Essentially, I am trying to hash a password in order to store it in a database so I don't have the password in plain text (I am told this is the best way to do it although I don't think it would be that large of a problem if the passwords weren't hashed as this is only being used in a small group of people that I could inform not to use passwords they care about but I was still advised to do this).

I have looked up a few guides and could use some help with understanding this. I will include the way I am hashing the passwords and how I am pulling them out of the database in order to help understand this problem. Apologies ahead of time if this is a stupid question. Just a heads up, I don't really understand this which is why I am asking the question.

NOTE: Included variables such as $login_username and $login_password are being properly pulled, I just didn't want to include them as it would clutter up this mess of a post even more.

Register user (have tried password_default and password_bcrypt but I don't see a difference):

require_once 'database.php';
    $hash_employee_password = password_hash($employee_password, PASSWORD_DEFAULT);

    $query = "INSERT INTO employee
                 (employee_id, employee_first_name, employee_last_name,
                 employee_username, employee_email, employee_password)
              VALUES
                 (:employee_id, :employee_first_name, :employee_last_name, 
                 :employee_username, :employee_email, :employee_password);";

    //VALUES (".$employee_id.", '" . $employee_first_name."', '" . $employee_last_name . "', '".$employee_username."', '".$employee_email."', '" . "$employee_password');";

    $statement = $db->prepare($query);
    $statement->bindValue(':employee_id', $employee_id);
    $statement->bindValue(':employee_first_name', $employee_first_name);
    $statement->bindValue(':employee_last_name', $employee_last_name);
    $statement->bindValue(':employee_username', $employee_username);
    $statement->bindValue(':employee_password', $hash_employee_password);
    $statement->bindValue(':employee_email', $employee_email);
    $statement->execute();
    $statement->closeCursor();

    //echo $query;
    $message = 'You have been successfully registered. Contact your manager in order to request account confirmation.';
    include ('success.php');

Record Login:

require_once 'database.php';
include 'register_user.php';

$pwordQuery = "SELECT employee_password from employee where employee_username = :login_username";
$pwstatement = $db->prepare($pwordQuery);
$pwstatement->bindValue(':login_username', $login_username);
$pwstatement->execute();
$result = $pwstatement->fetch();
$pwstatement->closeCursor();


echo $result[0];

if(password_verify($login_password, $result[0]))
{
    echo ' TRUE';
}
else
{
    echo ' FALSE ';
}   

The problem is: I am entering the proper username and password, but am getting the result of "FALSE" echoed out. Let me know if you have any ideas. Disregard the fact that I have a ton of work to do such as making my queries into functions and calling them that way... That's saved for a later date.

解决方案

"password column's length is what? if it's anything less than 60, mysql failed on you silently. 9 times out of 10, that's what the problem is. If so, then you'll need to start all over again by clearing your db and create a new hash. – Fred -ii- 13 mins ago"

which I was right about all along:

@Fred Well it looks like having the column length being 45 was a bad idea and that was my only problem. Thanks for the help, not entirely sure how this site works so I don't know how to give you rep or anything."

As per the manual on the password_hash() function:

http://php.net/manual/en/function.password-hash.php

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

这篇关于PHP和SQL散列帮助：我做错了什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！