dpxw17759 2014-04-22 16:39
浏览 131
已采纳

使用salt / password / hash进行密码验证时出现问题

I've got one function to create a new user by generating a salt, appending it to password, and hashing the combination. I've got another function for user login verification, which takes the user's entered password and adds it to the user's unique salt, hashes, and compares to the encrypted password in the database (see comments throughout code).

I've echoed out all the important variables in the userValidate() function, but I can never get the hash+user password to match the encrypted password from the database. Can anyone tell me what I'm doing wrong?

Create user function:

function createNewUser($firstName, $lastName, $email, $password, $address, $city, $state) {

    $conn = connectPDO();

    // Create a salt
    $salt = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);

    // Add salt to password
    $salted_password = $salt.$password;

    // Hash salt/password combination, to be added to "password" column of database
    $encrypted_password = hash('sha256', $salted_password);

    $datetime = date("Y-m-d H:i:s");

    $stmt = $conn->prepare("INSERT INTO users (`first-name`, `last-name`, `email-address`, 
                             `password`, `salt`, `address`, 
                             `city`, `state`, 
                             `registered-timedate`) VALUES (
                                :field1, :field2, :field3, :field4, :field5, :field6, :field7, :field8, '$datetime')");

    return ($stmt->execute(array('field1' => $firstName, 
                         'field2' => $lastName, 
                         'field3' => $email, 
                         'field4' => $encrypted_password, 
                         'field5' => $salt, 
                         'field6' => $address, 
                         'field7' => $city, 
                         'field8' => $state)));
}

Validate user's login:

function userValidate($email, $user_password) {
    $conn = connectPDO();
    $sql = "SELECT `salt`,`password` FROM users where `email-address`='$email'";
    $q = $conn->query($sql);
    $row = $q->fetch();

// Get the user's unique password salt
$salt = $row['salt'];

// Find the hashed salt/password combination
$database_password = $row['password'];

// Add salt to user's entered password and encrypt
$salted_password = $salt.$user_password;
$encrypted_password = hash('sha256', $salted_password);


// Compare the user password/salt hash to one stored in database
if($encrypted_password == $database_password) {
    return true;
} else {
    return false;
}
}

Edit:

I've echo'd my vars on the registration page and I'm getting salts w/ many special characters like "J~Ã×/q,ó¸5 áczçvÁ!—Î/åÿâÑ^:h1Z¬MÃF¤º`„ù‹w¡ìe(Wúô wW" which is not going in the database verbatim--goes in like "4a7ec3d72f00712cf31eb8350f20e1637ae776c1902197ce2f1ae57fff0be2d1135e3a681e315aac4dc346a4ba608402f98b77a1ec126590281157faf40977570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000". What data type should I use in my databsae for salts... and shouldn't salting/hashing/comparing generate the same two encrypted passwords for each (because the salts would still be the same?)

  • 写回答

1条回答 默认 最新

  • dream_wu2015 2014-04-22 19:43
    关注

    I suspect you run into one of those two problems:

    1. The database field for the hashed password is too small, the field must be able to store 64 characters.
    2. There is a problem with the encoding of your salt, keep in mind that a salt generated with mcrypt_create_iv() is a binary string and can contain any character (even \0 characters).

    Even if you can solve this problem, you have an unsafe scheme to store passwords (SHA256 is ways too fast for hashing passwords). Have a look at the PHP function password_hash(), it will generate a BCrypt hash and takes care of the generation of a safe salt. The salt will be part of the resulting 62 character string, so there is no need to store the salt separately. There exist also a compatibility pack for older PHP versions.

    // Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?