dongxiaoxing3058 2012-07-23 15:21
浏览 75
已采纳

密码哈希/登录

im creating a website that requires user authorisation to access some features. im currently working on how a user creates an account and how to utilise sessions to authorise their login. user information is stored in a MySQL table named user which likely includes a reference of username and passwords.

ive been reading up on password hashing/salt for security and wanted the input of some PHP masters, considering im still a rookie to the language.

ive written the following scripts : 

define('SALT_LENGTH', 6);

function generateHash($plaintext, $salt==null){
    if($salt == null){
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else{
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plaintext);
}
?>

this is a function included to generate a hash with a salt.

$username = $_POST['username'];
$password = generateHash($_POST['password']);
try{
    $stmt = $pdo->prepare(INSERT INTO user VALUES (:username, :password, :location,     :email, :name);
}catch(PDOException $e){
    echo $e->getMessage();
}
    $stmt->execute(array(':username'=>$username, 
                         ':password'=>$password, 
                         ':location'=>$location, 
                         ':email'=>$email, 
                         ':name'=>$name);

this is the important parts of the script to create an account

if(isset($_POST)){
    //if form was submitted

    $username = $_POST['username'];
    $password = generateHash($_POST['password']);

    session_start();

    $user = 'root';
    $pass = null;
    $pdo = new PDO('mysql:host=localhost; dbname=divebay;', $user, $pass);

    try{
        $stmt = $pdo->prepare('SELECT username FROM user WHERE username =     :username AND password = :password');
        $stmt->execute(array(':username'=>$username,
                             ':password'=>$password);

        if($stmt->fetch(PDO::FETCH_ASSOC)){
            echo 'match';
        }
        else{
            echo 'nomatch';
        }

this is the login session script to lookup users in the database

my main question is does this hashing/salt look like it will work? im confused as to how a hash used to create an encryption in one instance (create acct) will be able to work with a hash created in a different instance. further, is the complexity of what im trying to create appropriate for a relatively simple software project that will likely never be properly deployed?

any other suggestions of where my scripts are wrong will be appreciated also (i need the criticism).

  • 写回答

3条回答 默认 最新

  • dpw50696 2012-07-23 15:31
    关注

    My advice to you is to look for a library/framework that does this for you. Many frameworks will automatically and correctly take care of this kind of thing under the hood for you, often including roles based authorization. Authentication and Authorization aren't immensely difficult to get right, but they're hard enough that you should try to avoid doing it yourself unless you're doing it as a learning exercise.

    As for the correctness of your code, I think you need to use the salt matching the stored password on your account name to compare passwords. You should be looking up the password hash for the given username in the database, retrieving the salt from that password hash (which you correctly appended) then using the retrieved salt on the supplied password to get a hash. You then string compare the hash with the stored hash to authenticate.

    I don't really know PHP well, but I'm sure that a library exists that will handle this for you.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

  • 密码哈希/登录 php
    2012-07-23 15:21
    回答 3 已采纳 My advice to you is to look for a library/framework that does this for you. Many frameworks will a
  • Php - 密码哈希 php
    2015-10-25 23:58
    回答 1 已采纳 It's hard to understand what you're asking, but I bet you want to hash the value of $password befo
  • 如何检索登录php哈希密码 database php sql
    2016-06-25 12:04
    回答 3 已采纳 Okay so basically to explain how password_verify works: The first parameter is a non-hashed passw
  • imagehash:PHP PHP的感知图像哈希
    2021-02-25 09:31
    与依赖于输入中的小变化导致输出中的急剧变化的雪崩效应的密码散列函数不同,如果特征相似,则感知散列彼此“接近”。 与诸如MD5和SHA1的加密哈希函数相比,感知哈希是一个不同的概念。 使用加密哈希时,哈希值是...
  • 密码哈希PHP 7 [关闭] php
    2017-02-08 18:11
    回答 1 已采纳 You should never encrypt passwords, you should only hash them. Encryption implies that you can dec
  • 批量密码哈希PHP-LOGIN PROJECT代码 mysql php
    2015-06-03 09:47
    回答 2 已采纳 <?php // you should put your db connection stuff here require('connect.php'); //you create a
  • 使用php生成密码哈希 php
    2015-03-10 19:13
    回答 1 已采纳 There's a lot of hate in the OP's comments. But it's misdirected - OP is not trying to decode anyt
  • PHP函数 “password_hash“ 哈希密码
    2024-02-23 15:35
    luoluosheng07的博客 值得注意的是,使用 password_hash 函数进行密码哈希处理时,PHP会自动为每个密码生成一个独一无二的盐值,这个盐值会与密码一起存储在哈希密码中,从而增加密码的安全性。在使用 "password_hash" 函数进行密码哈希...
  • 蛋糕php-密码哈希 php
    2014-01-02 10:13
    回答 1 已采纳 Use this to hash the password: $this->data['User']['password'] = AuthComponent::password(
  • 无法在MySQL中获取登录表单的哈希密码 mysql php
    2019-04-06 07:42
    回答 1 已采纳 This form is included in another site, in which a database was already selected. By removing it (;
  • 登录时检查哈希密码 mysql php
    2014-04-30 23:55
    回答 1 已采纳 You hash the password the user provides using the same algorithm and compare it against the stored
  • php 密码登录,php中的密码/登录系统
    2021-04-04 08:19
    辉月有话说的博客 哈希密码和盐(这是做的吗?客户端还是服务器端?我认为客户端会更好,但PHP是服务器端,所以你会怎么做这个?)>检查价值与价值数据库,>如果值匹配则用户输入了正确的密码他们登录了.解决方法:Checks if user...
  • 简单但安全的密码哈希 php
    2014-06-25 22:24
    回答 4 已采纳 With password_hash() you are on the right track. For PHP versions 5.3.7 - 5.5 you can use the comp
  • 如何加密php网站用户的密码-哈希+盐值
    2018-09-21 14:43
    Schopencher的博客 以前自己经常用md5()加密密码,而这种加密方式非常不安全。 较安全的做法是,单项哈希加盐值,这种加密是不可逆的。 php已经提供了相关函数password_hash 和password_verify。 password_hash 方法已经了加盐值的处理...
  • PHP中散列密码的安全性分析
    2020-10-16 15:37
    主要介绍了PHP中散列密码的安全性,结合实例形式分析了php基本哈希函数安全性问题及相关解决方案,需要的朋友可以参考下
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?