[英]code php with hashed password couldn't work
I want to create a web page where a user introduces a login and password and he will be redirected to another web page. 我想创建一个网页,用户在其中输入登录名和密码,然后他将被重定向到另一个网页。
The login and password are given by the admin, the password should be hashed. 登录名和密码由管理员提供,密码应进行哈希处理。 I tried to use a code that I found on the internet ( I have done some changes) but it won't work for me (I think the reason is the hashed password) please tell me where is the fault.
我尝试使用我在互联网上找到的代码(我做了一些更改),但对我而言不起作用(我认为原因是密码哈希值),请告诉我哪里出了问题。
The link for the code used: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL 使用的代码的链接: http : //www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
(for the moment I have inserted a row into the database contain login and password as mentioned in the example) (目前,我已向数据库中插入一行,其中包含示例中提到的登录名和密码)
I tested my code with the password given in the example: 我使用示例中给出的密码测试了代码:
Login: login1 Password: 6ZaxN2Vzm9NUJT2y The code you need in order to be able to log in as this user is: 登录名:login1密码:6ZaxN2Vzm9NUJT2y要以该用户身份登录所需的代码是:
INSERT INTO enquete
. 插入到
enquete
。 Etablissement
VALUES(1, 'test_user', login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef'); Etablissement
VALUES(1, 'test_user',login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef');
Login.html page: Login.html页面:
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8 " />
<title>Log In</title>
<script type="text/JavaScript" src="./sha512.js"></script>
<script type="text/JavaScript" src="./forms.js"></script>
</head>
<body>
<?php
if(isset($_GET['error'])) {
echo 'Error Logging In!';
}
?>
<form action="process_login.php" method="post" name="login_form">
Email: <input type="text" name="LoginEtab" />
Password: <input type="text" name="PwdEtab" id="PwdEtab"/>
<input type="button" value="Login" onclick="formhash(this.form, this.form.PwdEtab);" />
</form>
</body>
</html>
Forms.js page: Forms.js页面:
function formhash(form, PwdEtab) {
// Create a new element input, this will be our hashed password field.
var p = document.createElement("input");
// Add the new element to our form.
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(PwdEtab.value);
// Make sure the plaintext password doesn't get sent.
p.value = "";
// Finally submit the form.
form.submit();
}
process_login.php page: process_login.php页面:
<?php
include 'db_connect.php';
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['LoginEtab'], $_POST['p'])) {
$LoginEtab = $_POST['LoginEtab'];
$PwdEtab = $_POST['p']; // The hashed password.
if (login($LoginEtab, $PwdEtab, $mysqli) == true)
{
// Login success
header('Location: ./protected_page.html');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
functions.php page : functions.php页面:
<?php
include 'psl-config.php';
function sec_session_start() {
$session_name = 'MyOwnsession'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
ini_set('session.use_only_cookies', 1);
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // regenerated the session, delete the old one.
}
function login($LoginEtab, $PwdEtab, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT IDEtablissement , LoginEtab, PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1"))
{
$stmt->bind_param('s', $LoginEtab); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($db_IDEtablissement, $db_LoginEtab, $db_PwdEtab, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$PwdEtab = hash('sha512', $PwdEtab . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
echo"text";
// Check if the password in the database matches
// the password the user submitted.
if ($db_PwdEtab == $PwdEtab) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$db_IDEtablissement = preg_replace("/[^0-9]+/", "", $db_IDEtablissement);
$_SESSION['db_IDEtablissement'] = $db_IDEtablissement;
// XSS protection as we might print this value
$db_LoginEtab = preg_replace("/[^a-zA-Z0-9_\-]+/","",$db_LoginEtab);
$_SESSION['db_LoginEtab'] = $db_LoginEtab;
$_SESSION['login_string'] = hash('sha512',$PwdEtab .$user_browser);
// Login successful.
return true;
echo"false2";
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
echo"false1";
}
}
} else {
// No user exists.
return false;
echo"false";
}
}
?>
db_connect.php page db_connect.php页面
<?php
include 'psl-config.php'; // Needed because functions.php is not included
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
?>
psl-config.php' page : psl-config.php'页面:
<?php
/**
* These are the database login details
*/
define("HOST", "localhost"); // The host you want to connect to.
define("USER", "root"); // The database username.
define("PASSWORD", ""); // The database password.
define("DATABASE", "enquete"); // The database name.
define("SECURE", FALSE);
?>
Update: I am always redirected to the index page :header('Location: ./index.php?error=1'); 更新:我总是重定向到索引页面:header('Location:./index.php?error=1');
and the appach log is : 和方法日志是:
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice: Constant HOST already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice: Constant USER already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice: Constant PASSWORD already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice: Constant DATABASE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice: Constant SECURE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 18, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP 4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:18, referer: http://localhost/loginSecurity/login.html
Update I found where was the problem :) I have to add to my code 更新,我发现问题出在哪里:)我必须添加到我的代码中
$PwdEtab = hash('sha512', $PwdEtab );
before the hash with salt in login function 在登录功能中加盐的哈希值之前
You are including the file psl-config.php
twice, if you need, try include_once
instead of include
您将文件
psl-config.php
两次,如果需要,请尝试include_once
而不是include
****** EDIT ******
Let's make it work. 让它工作。
first, hash a new password: 首先,哈希一个新密码:
include_once 'psl-config.php';
$user = 'admin';
$pass = '123';
$token = 'test';
$password = hash('sha512', $pass . $token);
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("UPDATE etablissement SET LoginEtab = '{$user}', PwdEtab = '{$password}', salt = '{$token}' WHERE IDEtablissement = 1");
$stmt->execute();
then, change your form: 然后,更改表格:
<form action="process_login.php" method="post" name="login_form">
Email: <input type="text" name="LoginEtab" value="admin"/>
<br><br>
Password: <input type="text" name="PwdEtab" id="PwdEtab" value="123"/>
<br><br>
<input type="submit" value="Login"/>
</form>
now change process_login.php
: 现在更改
process_login.php
:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['LoginEtab'])) { //<======CHANGE HERE
$LoginEtab = $_POST['LoginEtab'];
$PwdEtab = $_POST['PwdEtab']; // The hashed password. //<======AND HERE
if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
// Login success
header('Location: ./protected_page.html');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
and voilà. 和voilà。
Update I found where was the problem :) I have to add to my code 更新,我发现问题出在哪里:)我必须添加到我的代码中
$PwdEtab = hash('sha512', $PwdEtab ); $ PwdEtab = hash('sha512',$ PwdEtab);
before the hash with salt in login function finally it works for me :) 在使用登录功能中的salt进行哈希运算之前,它最终对我有用:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.