[英]PHP website returning different SHA512 values for Desktop and Mobile Browser
I am working on a website which requires a membership section. 我正在一个需要会员资格部分的网站上工作。 So, when the user registers a new members account, I am saving the username, a random salt, and a SHA512 hashed password using the random salt and the user's password in order to not save the password in plain text in my database.
因此,当用户注册一个新的会员帐户时,我将使用随机盐和用户密码保存用户名,随机盐和SHA512哈希密码,以便不将密码以纯文本格式保存在数据库中。
The problem I seem to have when a user logs in is that the SHA512 javascript function is returning a different value when I'm using the website from my desktop vs. from a mobile browser (both Android and IOS devices). 用户登录时似乎遇到的问题是,当我从台式机使用网站而不是从移动浏览器(Android和IOS设备)使用网站时,SHA512 javascript函数返回的值不同。 The desktop appears to be the correct one.
桌面似乎是正确的桌面。
Here is the PHP function I'm using to check when the user logs in: 这是我用来检查用户何时登录的PHP函数:
// login function, check email and password against the database.
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
$_SESSION['temp'] = "account locked.";
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
$_SESSION['temp'] = $user_browser;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
$_SESSION['temp'] = "Invalid password. ";// . $username . " " . $password . " " . $db_password;
return false;
}
}
} else {
$_SESSION['temp'] = "User not Found.";
// No user exists.
return false;
}
}
}
Here are the SHA values I got from the same username/password: Desktop (which let me log in correctly): 091b2e6cda1e1ee4de89b1164703a238021fa6c092551cfea2c967051bd01f3992dbe160bbc25a14694f119a819b88534b21d0f7c8da9c80bb8c06a79f75074c 以下是我从相同的用户名/密码获得的SHA值:桌面(可让我正确登录):091b2e6cda1e1ee4de89b1164703a238021fa6c092551cfea2c967051bd01f3992dbe160bbc25a14694f119a819b88534b21d0f7c8da9c80bb8c74
From my Android phone (Invalid password returned):20036264d5fccd56658e45364112ae0e3356878d84150aa817e049a288aa491b88fab9384df71a3aae7e3d0145acd3dc5608030961181b1bf8336e6019824daf 从我的Android手机(返回无效密码):20036264d5fccd56658e45364112ae0e3356878d84150aa817e049a288aa491b88fab9384df71a3aae7e3d0145acd3dc5608030961181b1bf8336e6019824daf
The javascript SHA512 function I'm using can be found here: http://pajhome.org.uk/crypt/md5 我正在使用的javascript SHA512函数可以在以下位置找到: http : //pajhome.org.uk/crypt/md5
I believe this anomaly is because of the representation of characters. 我相信这种异常是由于字符的表示。 In different OSs, browsers and devices the representation may be different.
在不同的OS,浏览器和设备中,表示形式可能不同。 Try converting the password to a common format such as UNICODE , before calculating the digests.
在计算摘要之前,请尝试将密码转换为通用格式,例如UNICODE。
In php you can use utf8_encode() function. 在php中,您可以使用utf8_encode()函数。
in javascript 在JavaScript中
function encode_utf8( s ) {
return unescape( encodeURIComponent( s ) );
}
function decode_utf8( s ) {
return decodeURIComponent( escape( s ) );
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.