登录表格/密码重置

Question

我正在使用本教程http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL来保护对我网页的访问，我想通过重置密码功能对其进行修改。 不幸的是，我的重置密码插件存储了一些东西，使帐户无法登录。

此代码正在执行用户注册，并且像超级按钮一样工作

  $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

    // Create salted password 
    $password = hash('sha512', $password . $random_salt);

    // Insert the new user into the database 
    if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
        $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
        // Execute the prepared query.
        if (! $insert_stmt->execute()) {
            header('Location: ../error.php?err=Registration failure: INSERT');
        }
    }
    header('Location: ./register_success.php');

登录处理：

    // hash the password with the unique salt.
    $password = hash('sha512', $password . $salt);

    if ($stmt->num_rows == 1) {
        // If the user exists we check if the account is locked
        // from too many login attempts 

        if (checkbrute($user_id, $mysqli) == true) {
            // Account is locked 
            // Send an email to user saying their account is locked
            return false;
        } else {
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_password == $password) {

也可以。 （不是我的工作：）），现在是我的工作-随机字符串生成器，然后是哈希

$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$charactersLength = strlen($characters);
$randomString = '';
for ($i = 0; $i < 8; $i++) {
    $randomString .= $characters[rand(0, $charactersLength - 1)];
}

$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

    // Create salted password 
$password = hash('sha512', $randomString . $random_salt);

          if ($insert_stmt = $mysqli->prepare("UPDATE members SET password = ?, salt=? WHERE username= ?")){
        $insert_stmt->bind_param('sss', $password, $random_salt, $username);



$insert_stmt->execute();
                                      $insert_stmt->close();
    }

重置脚本成功为用户修改了db，存储了正确的salt和正确的哈希密码。 通过在屏幕上显示随机文本和盐进行测试，然后将其组合在此处http://www.convertstring.com/cs/Hash/SHA512

任何建议如何跟踪哈希过程或提示如何解决它的建议。

我怀疑JS可能会在客户端散列密码时出现问题

function formhash(form, password) {
    // Create a new element input, this will be our hashed password field. 
    var p = document.createElement("input");

    // Add the new element to our form. 
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value);

    // Make sure the plaintext password doesn't get sent. 
    password.value = "";

    // Finally submit the form. 
    form.submit();
}

非常感谢你

Answer 1

从formhash()逆向工程登录处理将建议您不应该散列$randomString ，而应该对其进行sha512版本。 因此，在您的密码重置插件中，而不是此行：

$password = hash('sha512', $randomString . $random_salt);

使用以下两个：

$password = hash('sha512', $randomString);
$password = hash('sha512', $password . $random_salt);

登录表格/密码重置

问题描述

1 个解决方案

解决方案1
0 已采纳 2015-08-31 15:13:55

登录表格/密码重置

问题描述

1 个解决方案

解决方案1 0 已采纳 2015-08-31 15:13:55

解决方案1
0 已采纳 2015-08-31 15:13:55