堆栈内存溢出
  简体   繁体   English

无法比较BCRYPT密码

[英]Cannot compare BCRYPT passwords

 原文  2012-11-11 15:09:43       php/ encryption/ passwords/ bcrypt/ blowfish

问题描述

I am following the guide in this website http://www.gregboggs.com/php-blowfish-random-salted-passwords/ but for some reason when checking if password are the same it fails. 我正在遵循该网站http://www.gregboggs.com/php-blowfish-random-salted-passwords/中的指南,但是由于某些原因,当检查密码是否相同时会失败。

The html is simple, 2 forms one for creating accounts and then one for checking. html很简单,有2种形式,一种用于创建帐户,另一种用于检查。 code can be seen here http://jsfiddle.net/Xf2Tc/ 可以在这里看到代码http://jsfiddle.net/Xf2Tc/

As output i get: salt = salt in database password in database: $2a$05$BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4/EtmnJ7Fz2CkoVha but the re-ENCRYPTED password is always something REALLY REALLY small. 作为输出,我得到:salt =数据库中数据库密码中的salt:$ 2a $ 05 $ BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4 / EtmnJ7Fz2CkoVha,但是重新加密的密码始终非常小。 BcPgSBqZz80dw BcPgSBqZz80dw

I must be using the salt wrong or something. 我一定用错了盐或其他东西。

If someoen can edit to be more organized, i would appreciate it. 如果someoen可以编辑得更有条理,我将不胜感激。 

<?php 
defined( '_JEXEC' ) or die( 'Restricted access' );
    $hostname="exampleHost";
    $database="exampleDB";
    $username="exampleUsername";
    $password="examplePassword";
    if(isset($_POST['Upassword'])&&isset($_POST['account'])&&!empty($_POST['Upassword'])&&!empty($_POST['account']))    {
        try {
            $pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
            $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            $Upassword = mysql_real_escape_string($_POST['Upassword']);
            $account = mysql_real_escape_string($_POST['account']);

            //This string tells crypt to use blowfish for 5 rounds.
            $Blowfish_Pre = '$2a$05$';
            $Blowfish_End = '$';

            $Allowed_Chars ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
        $Chars_Len = 63;

            // 18 would be secure as well.
            $Salt_Length = 21;

            $mysql_date = date( 'Y-m-d' );
            $salt = "";

            for($i=0; $i<$Salt_Length; $i++)
            {
                $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
            }
            $bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;

            $hashed_password = crypt($Upassword, $bcrypt_salt);
            $stmt = $pdo->prepare("INSERT INTO users (reg_date, account, salt, password) VALUES (:mysql_date, :account, :salt, :hashed_password)");
            $stmt->bindParam(':mysql_date', $mysql_date, PDO::PARAM_STR);
            $stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
            $stmt->bindParam(':account', $_POST['account'], PDO::PARAM_STR);
            $stmt->bindParam(':hashed_password', $hashed_password, PDO::PARAM_STR);
            $stmt->execute();
        } catch(PDOException $e) {
            //file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
            echo 'ERROR: ' . $e->getMessage();
        }
    }
            /*
                * to test for correct encryption
                *
            */
                  if(isset($_POST['Upassword2'])&&isset($_POST['account2'])&&!empty($_POST['Upassword2'])&&!empty($_POST['account2']))  {
    try {
        $pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
        $stmt = $pdo->prepare("SELECT salt, password FROM users WHERE account=:account");
        $stmt->bindParam(':account', $_POST['account2'], PDO::PARAM_STR);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        $Upassword2 = mysql_real_escape_string($_POST['Upassword2']);
        echo $row['salt'];
        $bcrypt_salt = $Blowfish_Pre . $row['salt'] . $Blowfish_End;
        $hashed_password = crypt($Upassword2, $bcrypt_salt);

        echo "PassDB: " .  $row['password'];
        echo '-------------------------------------------';
        echo "result: " .  $hashed_password;
            echo '-------------------------------------------';
        if ($hashed_password == $row['password']) {
          echo 'Password verified!';
          }
          echo 'i am here';

    } catch(PDOException $e) {
    //file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
    echo 'ERROR: ' . $e->getMessage();
    }
}
?>

1 个解决方案

解决方案1
 1 已采纳  2012-11-11 17:15:47

As you see I am separating my code into 2 if statements, meaning my Blowfish_Pre and $Blowfish_End were not being set when checking for correct password. 如您所见,我将代码分成2个if语句,这意味着在检查正确的密码时未设置我的Blowfish_Pre和$ Blowfish_End。

Solution either set this variables before the if statement or to use set them twice. 解决方案要么在if语句之前设置此变量,要么使用两次设置它们。

Hope it helps someone. 希望它可以帮助某人。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在PHP中比较BCRYPT哈希密码 - How to Compare BCRYPT Hashed Passwords in PHP 如何在Symfony 3中比较密码(Bcrypt哈希)? - How to compare passwords (Bcrypt hashes) in Symfony 3? 无法比较数据库中的密码 - Cannot compare passwords in database 使用bcrypt输入用户密码 - Using bcrypt for user passwords PHP-使用bcrypt哈希密码 - PHP - hashing passwords with bcrypt 使用bCrypt哈希密码登录PHP - PHP Login with bCrypt Hashed Passwords 使用bcrypt哈希密码的迁移系统 - Migrating system with bcrypt hashed passwords 我无法比较匹配的密码客户端和数据库进行登录? - i cannot compare matching passwords client and database for login? 将BCrypt哈希与Bcrypt哈希PHP进行比较 - Compare BCrypt hash to Bcrypt hash PHP 在PHP 5.2中保存密码时bcrypt的替代方法 - Alternative to bcrypt when saving passwords in PHP 5.2
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM