使用password_hash和SHA256进行加密和解密
[英]Encrypting and Decrypting with password_hash and SHA256
问题描述
I have two scripts, a verify.php and a register.php. 
我有两个脚本,verify.php和register.php。
On my registration page I use this.. 在我的注册页面上,我使用它。
$salt = hash('sha256', uniqid(mt_rand(), true) . $email);
$storedHash = $salt . $password;
for ( $i = 0; $i < 50000; $i ++ )
{
$storedHash = hash('sha256', $storedHash);
}
$sql = "INSERT INTO authentication (email, password, fname, lname, created_at) VALUES ('$email', '$storedHash', '$fname', '$lname', '$today')";
Here is my user-login class.. 这是我的用户登录类。
<?php
include 'dbinclude.php';
// Class User
class user {
var $username;
var $password;
var $hashed;
var $salt;
function loginUser() {
require 'dbinclude.php';
$sql = "SELECT * FROM authentication WHERE email='" . $this->username . "';";
$query = mysqli_query($conn,$sql);
$fetch = mysqli_fetch_assoc($query);
$id = $fetch['userid'];
$storedHash = $fetch['password'];
$salt = substr($storedHash, 0, 64);
$validateHash = $salt . $this->password;
$validateHash = hash('sha256', $validateHash);
if ($storedHash == $validateHash)
{
//The entered password is correct.
$user = array(
"status" => "allow",
"email" => $fetch['email'],
"fname" => $fetch['fname'],
"lname" => $fetch['lname'],
"id" => $id,
"setupacc" => $fetch['setupacc'],
"setupleads" => $fetch['setupleads'],
"setupclients" => $fetch['setupclients'],
"hash" => $storedHash,
"salt" => $salt
);
return $user;
}
else
{
//The entered password is incorrect.
$user = array(
"status" => "deny",
"email" => $fetch['email'],
"fname" => $fetch['fname'],
"lname" => $fetch['lname'],
"id" => $id,
"setupacc" => $fetch['setupacc'],
"setupleads" => $fetch['setupleads'],
"setupclients" => $fetch['setupclients'],
"hash" => $storedHash,
"salt" => $salt
);
return $user;
}
}
}
?>
On my login page I use the following code.. 在我的登录页面上,我使用以下代码。
<?php
session_start();
require 'includes/dbinclude.php';
require 'includes/class.user.php';
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
// New login object? or class..
$login = new user();
$login->username = $email;
$login->password = $password;
$loginstatus = $login->loginUser();
$status = $loginstatus['status'];
$fname = $loginstatus['fname'];
$lname = $loginstatus['lname'];
$id = $loginstatus['id'];
$email = $loginstatus['email'];
$setupacc = $loginstatus['setupacc'];
$setupleads = $loginstatus['setupleads'];
$setupclients = $loginstatus['setupclients'];
// Set User Info in Session
$_SESSION['email'] = $email;
$_SESSION['fname'] = $fname;
$_SESSION['lname'] = $lname;
$_SESSION['id'] = $id;
$_SESSION['setupacc'] = $setupacc;
$_SESSION['setupleads'] = $setupleads;
$_SESSION['setupclients'] = $setupclients;
// Debug Display
echo "Class Pass: " . $login->password;
echo "Salt: " . $loginstatus['salt'];
echo "Hashed: " . $loginstatus['hash'];
if($status == "denied") {
?>
<script>
location.replace("http://hashed.com/?alertstatus=notauthed");
</script>
<?php
} elseif($status == "allow") {
?>
<script>
location.replace("http://hashed.com/app.php");
</script>
<?php
} else {
?>
<script>
location.replace("http://hashed.com/?alertstatus=notauthed");
</script>
<?php
}
?>
For some reason, it will not validate my hash on login. 由于某种原因,它将无法验证我的登录哈希值。 I can see its storing the hash, successfully parsing the salt but it will not validate? 我可以看到它存储了哈希,成功解析了盐,但是它无法验证?
1 个解决方案
解决方案1
3 2014-11-22 20:25:04
Remember that hashing is a one way function, so there is no concept called 'decrypting' the hash. 请记住,哈希是一种单向函数,因此没有称为“解密”哈希的概念。 You do something to the password(hash it) and store it in the database. 您对密码做一些操作(将其哈希化)并将其存储在数据库中。 Next, when you need to verify a user provided password, you do the same thing to the user provided password (hash it or do the same hash transformations) and then compare the resulting hash with what you've saved in the database. 接下来,当您需要验证用户提供的密码时,您可以对用户提供的密码执行相同的操作(对其进行哈希处理或进行相同的哈希转换),然后将结果哈希与您保存在数据库中的哈希进行比较。 If they match, then the user must have provided the correct password. 如果它们匹配,则用户必须提供正确的密码。
In your verify routine, you are fetching the salt as: 在验证例程中,您将盐提取为:
$salt = substr($storedHash, 0, 64);
but while creating the $storedHash, you've mangled and lost the original salt: 但是在创建$ storedHash时,您已经混乱并丢失了原始盐:
$storedHash = $salt . $password;
for ( $i = 0; $i < 50000; $i++ )
{
$storedHash = hash('sha256', $storedHash);
}
After the above for loop, there is no way to get the original $salt from $storedHash . 在上述for循环之后,无法从$storedHash获取原始$salt 。
You'll either need to change the way you are storing the hash and the salt(store the salt in database as well), or you'll need to change the way you are validating the user's password in $validateHash . 您可能需要更改存储哈希和盐的方式(也将盐存储在数据库中),或者需要更改在$validateHash中验证用户密码的方式。
When you are hashing the initial $salt + $password 50,000 times, then you'll also need to do the same again when user provides the password, so your $validateHash should look something like: 当您对初始的$salt + $password进行哈希处理50,000次时,当用户提供密码时,您还需要再次执行相同的操作,因此$ validateHash应该类似于:
$salt = $this->salt; // salt is also stored in the database
$validateHash = $salt . $this->password;
for ( $i = 0; $i < 50000; $i++ )
{
$validateHash = hash('sha256', $validateHash);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.