I just discovered that my password-protected area is not that protected. Passwords are required to use digits. Now, if the password has the digits at the end, somehow the login is accepted as long as the a-z part of the password is correct. Why is that and how can I correct that? (PHP 5.4.28)
```php
function generate_hash($password)
{
    // 22 raw random bytes; bcrypt expects 22 characters from [./0-9A-Za-z]
    $salt = openssl_random_pseudo_bytes(22);
    // intended bcrypt prefix "$2a$" + cost + "$" (note the stray '%' in the cost field)
    $salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
    return crypt($password, $salt);
}

// login query: the freshly generated hash is fed back into crypt() and compared in SQL
$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password)));
$results = $db->select("users", 'email=:email AND password=:password', $bind);
```
I don't know about the specifics of your problem, but you're using the hash completely wrong. To use crypt, you do the following:

On registration: build the $salt argument in a proper format, $2a$xx$... (note: no %, that may contribute to the problem), then call crypt($password, $salt) and store the result.

On login: crypt($enteredPassword, $databaseHash)

You're not doing that at all. You should probably also use password_hash instead, which takes care of a lot of pitfalls in the usage of the raw crypt API.
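The registration/login flow the answer describes, written out as an added example (this is not the asker's code or the answerer's). It assumes cost 13 as in the question, a stand-in array in place of the real users table, and that on PHP 5.4 password_hash() comes from the password_compat polyfill (it is built into PHP 5.5 and later); make_bcrypt_salt, register_hash, same_hash and login_ok are names chosen here.

```php
<?php
// Added example: correct crypt() usage for registration and login,
// plus the password_hash()/password_verify() equivalent.

// Build a valid bcrypt salt: "$2a$" + two-digit cost + "$" + 22 chars from [./0-9A-Za-z].
function make_bcrypt_salt($cost = 13)
{
    // 17 random bytes give 24 base64 chars; bcrypt wants '.' instead of '+' and exactly 22 chars.
    $random  = openssl_random_pseudo_bytes(17);
    $encoded = substr(strtr(base64_encode($random), '+', '.'), 0, 22);
    return '$2a$' . sprintf('%02d', $cost) . '$' . $encoded;
}

// Registration: hash once with a fresh salt and store the 60-character result.
function register_hash($password)
{
    $hash = crypt($password, make_bcrypt_salt(13));
    // crypt() returns a short failure string (e.g. "*0") when the salt is malformed,
    // so refuse to store anything that is not a full bcrypt hash.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed: check the salt format');
    }
    return $hash;
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function same_hash($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Login: re-hash the entered password using the STORED hash as the salt, then compare.
// The stored hash carries its own salt and cost, so no extra salt column is needed.
function login_ok($enteredPassword, $storedHash)
{
    return same_hash($storedHash, crypt($enteredPassword, $storedHash));
}

// Constructed sample "users" row standing in for the database.
$users = array('alice@example.com' => register_hash('correct horse 42'));

// Look the row up by email only; the password check happens in PHP, not in the SQL WHERE clause.
$stored = isset($users['alice@example.com']) ? $users['alice@example.com'] : null;
var_dump($stored !== null && login_ok('correct horse 42', $stored));
var_dump($stored !== null && login_ok('correct horse 99', $stored));

// Same flow with the higher-level API: salt generation and verification are handled for you.
$hash2 = password_hash('correct horse 42', PASSWORD_BCRYPT, array('cost' => 13));
var_dump(password_verify('correct horse 42', $hash2));
var_dump(password_verify('correct horse 99', $hash2));
```

The length check in register_hash is the guard the original code was missing: a malformed salt makes crypt() return something other than a bcrypt hash instead of raising an error, and whatever comes back would otherwise be stored silently. On PHP 5.3.7 and later the `$2y$` prefix is preferred over `$2a$`; password_hash() uses it automatically.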