change user password from hash store function to cleartext

I'm doing a tutorial about how to make a PHP MySQL login form. Now the tutorial is actually made too good and I would like to alter it a bit and change the login password to store cleartext instead of the hash. The hash line looks like this:

$new_password = password_hash($upass, PASSWORD_DEFAULT);

I made:

$new_password = $upass;

out of it. And it now saves the cleartext to the database but the login doesn't work.

The login part looks like this and I don't see the part where I expect the hashed password to be converted and matched...

public function doLogin($uname,$upass)
{
    try
    {
        // look the user up by name; user_pass holds the password_hash() output
        $stmt = $this->conn->prepare("SELECT user_id, user_name, user_pass FROM users WHERE user_name=:uname");
        $stmt->execute(array(':uname'=>$uname));
        $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
        if($stmt->rowCount() == 1)
        {
            // password_verify() re-hashes $upass with the salt and cost stored
            // inside user_pass and compares the two hashes; the stored hash is
            // never converted back to cleartext
            if(password_verify($upass, $userRow['user_pass']))
            {
                $_SESSION['user_session'] = $userRow['user_id'];
                return true;
            }
            else
            {
                return false;
            }
        }
    }
    catch(PDOException $e)
    {
        echo $e->getMessage();
    }
}

The line:

if(password_verify($upass, $userRow['user_pass']))

Checks the hash of the password against the given password. As you've removed the hashing function it's comparing an un-hashed password against a clear text password.

Change it to:

if($upass == $userRow['user_pass'])

That should fix it.

Although you really should not be storing clear text passwords.

If you're not hashing the passwords anymore then you can't verify the hash.

if(password_verify($upass, $userRow['user_pass']))

Should be

if($upass == $userRow['user_pass'])

Understand that this is a very bad idea. You might not understand why hashing passwords is important.

For any reason, your database may be compromised and its data may be obtained by someone else. If the passwords are in what we call plain text, you will have leaked a piece of sensitive information that your users have trusted you with: their password (which is very likely to be a password shared in multiple services). This is a very serious issue.
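To make the point of both answers concrete, here is the hashed flow the tutorial already implements, shown end to end as an added example. This is not code from the question, either answer, or the tutorial; it replaces the MySQL table with an in-memory array (a constructed stand-in for the `users` table and the `$this->conn` PDO wiring) so it runs stand-alone, and adds the `password_needs_rehash()` step and a dummy verify for unknown users, which the tutorial does not show.

```php
<?php
// Added example, not the tutorial's code. $users stands in for the "users"
// table; the PDO connection from the question is assumed and not used here.
declare(strict_types=1);

// Register: store only the salted hash, never $upass itself. PASSWORD_DEFAULT
// is currently bcrypt; the returned string embeds algorithm, cost and salt.
function registerUser(array &$users, string $uname, string $upass): void
{
    $users[$uname] = password_hash($upass, PASSWORD_DEFAULT);
}

// Login: password_verify() re-hashes $upass with the salt and cost recorded
// in the stored hash and compares the two hashes in constant time. This is
// the "conversion and match" step the question was looking for; the stored
// hash is never turned back into cleartext, and by design it cannot be.
function doLogin(array &$users, string $uname, string $upass): bool
{
    // Computed once so the unknown-user path costs roughly the same as a
    // real verify (otherwise response time reveals which names exist).
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-value', PASSWORD_DEFAULT);

    if (!isset($users[$uname])) {
        password_verify($upass, $dummyHash);
        return false;
    }

    $stored = $users[$uname];
    if (!password_verify($upass, $stored)) {
        return false;
    }

    // Transparent upgrade: if PHP's default cost or algorithm has changed
    // since the hash was written, replace it now while the cleartext is
    // legitimately in hand. Without this, old hashes never get stronger.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$uname] = password_hash($upass, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data for a stand-alone run.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'carol', 'correct horse battery staple');

$checks = [
    'right password'  => doLogin($users, 'alice', 'correct horse battery staple'),
    'wrong password'  => doLogin($users, 'alice', 'wrong password'),
    'unknown user'    => doLogin($users, 'bob', 'anything'),
];
foreach ($checks as $label => $ok) {
    printf("%-15s %s\n", $label, $ok ? 'login ok' : 'login refused');
}

// Same password, different stored hashes: the salt is random per hash, so a
// leaked table does not even reveal which users share a password.
echo $users['alice'], PHP_EOL;
echo $users['carol'], PHP_EOL;
```

Note that the `==` used in both answers is PHP's loose comparison; if strings ever had to be compared as secrets, `hash_equals()` is the strict, constant-time form. With `password_verify()` in place that question does not arise, which is the simpler reason to keep the tutorial's hashing as it was.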
