[英]Cannot compare BCRYPT passwords
I am following the guide in this website http://www.gregboggs.com/php-blowfish-random-salted-passwords/ but for some reason when checking if password are the same it fails. 我正在遵循该网站http://www.gregboggs.com/php-blowfish-random-salted-passwords/中的指南,但是由于某些原因,当检查密码是否相同时会失败。
The html is simple, 2 forms one for creating accounts and then one for checking. html很简单,有2种形式,一种用于创建帐户,另一种用于检查。 code can be seen here http://jsfiddle.net/Xf2Tc/
可以在这里看到代码http://jsfiddle.net/Xf2Tc/
As output i get: salt = salt in database password in database: $2a$05$BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4/EtmnJ7Fz2CkoVha but the re-ENCRYPTED password is always something REALLY REALLY small. 作为输出,我得到:salt =数据库中数据库密码中的salt:$ 2a $ 05 $ BcTDz3GVPJrLH3YRPF9FZ.uRBssr0ncQ4exG4 / EtmnJ7Fz2CkoVha,但是重新加密的密码始终非常小。 BcPgSBqZz80dw
BcPgSBqZz80dw
I must be using the salt wrong or something. 我一定用错了盐或其他东西。
If someoen can edit to be more organized, i would appreciate it. 如果someoen可以编辑得更有条理,我将不胜感激。
<?php
defined( '_JEXEC' ) or die( 'Restricted access' );
$hostname="exampleHost";
$database="exampleDB";
$username="exampleUsername";
$password="examplePassword";
if(isset($_POST['Upassword'])&&isset($_POST['account'])&&!empty($_POST['Upassword'])&&!empty($_POST['account'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$Upassword = mysql_real_escape_string($_POST['Upassword']);
$account = mysql_real_escape_string($_POST['account']);
//This string tells crypt to use blowfish for 5 rounds.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$Allowed_Chars ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
// 18 would be secure as well.
$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";
for($i=0; $i<$Salt_Length; $i++)
{
$salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hashed_password = crypt($Upassword, $bcrypt_salt);
$stmt = $pdo->prepare("INSERT INTO users (reg_date, account, salt, password) VALUES (:mysql_date, :account, :salt, :hashed_password)");
$stmt->bindParam(':mysql_date', $mysql_date, PDO::PARAM_STR);
$stmt->bindParam(':salt', $salt, PDO::PARAM_STR);
$stmt->bindParam(':account', $_POST['account'], PDO::PARAM_STR);
$stmt->bindParam(':hashed_password', $hashed_password, PDO::PARAM_STR);
$stmt->execute();
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
/*
* to test for correct encryption
*
*/
if(isset($_POST['Upassword2'])&&isset($_POST['account2'])&&!empty($_POST['Upassword2'])&&!empty($_POST['account2'])) {
try {
$pdo = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);
$stmt = $pdo->prepare("SELECT salt, password FROM users WHERE account=:account");
$stmt->bindParam(':account', $_POST['account2'], PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$Upassword2 = mysql_real_escape_string($_POST['Upassword2']);
echo $row['salt'];
$bcrypt_salt = $Blowfish_Pre . $row['salt'] . $Blowfish_End;
$hashed_password = crypt($Upassword2, $bcrypt_salt);
echo "PassDB: " . $row['password'];
echo '-------------------------------------------';
echo "result: " . $hashed_password;
echo '-------------------------------------------';
if ($hashed_password == $row['password']) {
echo 'Password verified!';
}
echo 'i am here';
} catch(PDOException $e) {
//file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
echo 'ERROR: ' . $e->getMessage();
}
}
?>
As you see I am separating my code into 2 if statements, meaning my Blowfish_Pre and $Blowfish_End were not being set when checking for correct password. 如您所见,我将代码分成2个if语句,这意味着在检查正确的密码时未设置我的Blowfish_Pre和$ Blowfish_End。
Solution either set this variables before the if statement or to use set them twice. 解决方案要么在if语句之前设置此变量,要么使用两次设置它们。
Hope it helps someone. 希望它可以帮助某人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.