[英]How to sign in after hashing pw with salt? <==EDITED VERSION #2 ==>
這是我的第二次編輯。 我已經在牆上撞了好幾天了,覺得我非常接近。 我已經嘗試了第三個代碼塊的許多不同版本,但是無法得到它。 知道我做錯了什么(它改變了第三個代碼塊)
if(!$error) {
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $_POST['Password']);
$query = "INSERT INTO `Users` (
`FirstName`,
`LastName`,
`Email`,
`Password`,
`salt`,
`RelationshipToCF`,
`State`,
`Gender`,
`Birthday`,
`Status`
)VALUES(
'" . mysql_real_escape_string($_POST['firstName']) . "',
'" . mysql_real_escape_string($_POST['lastName']) . "',
'" . mysql_real_escape_string($_POST['email']) . "',
'" . $hashed_password . "',
'" . $salt . "',
'" . mysql_real_escape_string($_POST['RelationToCF']) . "',
'" . mysql_real_escape_string($_POST['State']) . "',
'" . mysql_real_escape_string($_POST['sex']) . "',
'" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
'pending'
)";
mysql_query($query, $connection);
這是我用來更新現有密碼的方法:
$query = "SELECT * FROM `Users`";
$request = mysql_query($query,$connection);
while($result = mysql_fetch_array($request)) {
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $result['Password']);
$user = $result['id'];
$query2 = "UPDATE `Users` SET `salt` = '$salt' WHERE `id` = '$user'";
$request2 = mysql_query($query2,$connection) or die(mysql_error());
$query3 = "UPDATE `Users` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
$request3 = mysql_query($query3,$connection) or die(mysql_error());
}
所以現在我想允許用戶使用他們注冊的密碼登錄,此時他們只能使用哈希密碼登錄。 顯然,這尚未應用於真實數據庫。
以下是我需要更改的登錄頁面的查詢:
if(isset($_POST['subSignIn']) &&
!empty($_POST['email']) &&
!empty($_POST['password'])) {
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
$query = "SELECT
`id`,`email`,`password` FROM `Users`
WHERE `Email` = '" . $email . "' AND
`Password` = '" . $password . "' &&
`Status` = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());
if(@mysql_num_rows($request)) {
$result = mysql_fetch_array($request);
$_SESSION['LIFE']['AUTH'] = true;
$_SESSION['LIFE']['ID'] = $result['id'];
$query = "UPDATE `Users` SET` LastActivity` = '" . date("Y-m-d") ." " . date("g:i:s") . "' WHERE `id` ='" .mysql_real_escape_string($_SESSION['LIFE']['ID']) . "' LIMIT 1";
mysql_query($query,$connection);
if(!empty($_POST['return'])) {
header("Location: " . $_POST['return']);
}else{
header("Location: Dashboard.php?id=" . $_SESSION['LIFE']['ID']);
}
}else{
$_SESSION['LIFE']['AUTH'] = false;
$_SESSION['LIFE']['ID'] = false;
}
我一直在搜索webernet的方法,但我想我會利用這里所有偉大的思想,並在正確的方向上尋找建議/方法/教程/點
<==我在原來的5個答案之后的嘗試==>
i
f(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {
$query = "SELECT id FROM cysticUsers WHERE Email = '$email' AND Password = SHA1(CONCAT(salt,'$password')) AND Status = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());
if(@mysql_num_rows($request)) {
$row = mysql_fetch_assoc($request);
if (sha1($row['salt'] . $_POST['password']) === $row['password']) {
$_SESSION['CLIFE']['AUTH'] = true;
$_SESSION['CLIFE']['ID'] = $result['id'];
// UPDATE LAST ACTIVITY FOR USER
$query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
mysql_query($query,$connection);
if(!empty($_POST['return'])) {
header("Location: " . $_POST['return']);
}else{
header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
}
}
}else{
$_SESSION['CLIFE']['AUTH'] = false;
$_SESSION['CLIFE']['ID'] = false;
}
}
?>
我沒有時間瀏覽整個代碼塊,但基本的salt / hash驗證如下:
$user // User has a $password and a $salt. $password = hash($plaintext . $salt);
$password // Password we are checking.
return $user->password == hash($password . $user->salt);
如果要驗證輸入的密碼,則應使用原始密碼進行驗證:預先添加salt並哈希該值。
因此,查找散列原始密碼時使用的salt,並在散列輸入的密碼時使用它,然后將存儲的散列與新計算的散列進行比較。 所以基本上:
$query = "SELECT `salt`, `password` FROM `Users` WHERE `Email` = '" . $email . "'";
$request = mysql_query($query,$connection) or die(mysql_error());
if (mysql_num_rows($request)) {
$row = mysql_fetch_assoc($request);
if (sha1($row['salt'] . $_POST['Password']) === $row['password']) {
// user authentic
} else {
// user not authentic
}
}
如果它們是相同的,輸入的密碼很可能是1一樣輸入的原始。
1)它可能只是相同而且不完全相同,因為總是存在兩個輸入值具有相同散列值的碰撞的概率。
你能讓你的第三個代碼塊更具可讀性嗎?
應該很容易。
例如:
$hashed_password = sha1($salt . $result['Password']);
將$hashed_password
和$salt
在數據庫中。
當他們登錄時,您要比較上面的$hashed_password
的密碼將是這樣的:
$password = sha1($row['salt'] . $_POST['password']);
說得通?
您首先需要通過搜索輸入的用戶名從數據庫中獲取salt密鑰,然后使用從數據庫中獲取的鹽來哈希輸入的密碼,並檢查它是否與數據庫中用戶名的密碼相匹配。 它看起來像這樣:
$query = "SELECT salt FROM Users WHERE username='$user'";
$result = mysql_query($query) or die ("AAAAGH! *Thud*");
$row = mysql_fetch_assoc($result);
$salty_password = sha1($row['salt'], $_POST['password']);
$query = "SELECT * FROM users WHERE username='$user' AND password='$salty_password'";
$result = mysql_query($query) or die ("AAAAGH! *Thud*");
if (mysql_num_rows($result)) {
echo "Successfully authenticated!";
}
else {
echo "Failed to Authenticate.";
}
看起來您在創建帳戶時實際上並未使用用戶密碼。
在第一個代碼塊中:
$hashed_password = sha1($salt . $result['Password']);
應該是這樣的:
$hashed_password = sha1($salt . $_POST['Password']);
我認為你只存儲散列鹽,基本上可以使用任何空密碼登錄!
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.