duansen6750 2017-07-05 02:38

Login script stopped working after adding salt to the hashes; it worked fine before

I've reset my database, and on registration we added a random salt to the hashes. The registration script worked fine: we could create accounts, and accounts with the same password had different hashes. But our login script is broken; it is not logging users in and says their password is incorrect.

No idea why; we have spent the last 2 hours trying to fix it. We have used PHP error checkers (https://phpcodechecker.com/), and nothing was wrong.

We are running an old version of PHP (5.6) and MySQL and can't currently change.

    <?php
    ob_start();
    session_start();
    require_once 'dbconnect.php';

    // it will never let you open index(login) page if session is set
    if ( isset($_SESSION['user'])!="" ) {
     header("Location: index.php");
     exit;
    }

    $error = false;

    if( isset($_POST['btn-login']) ) { 

     // prevent sql injections/ clear user invalid inputs
     $email = trim($_POST['email']);
     $email = strip_tags($email);
     $email = htmlspecialchars($email);

     $name = trim($_POST['name']);
     $name = strip_tags($name);
     $name = htmlspecialchars($name);


     $pass = trim($_POST['pass']);
     $pass = strip_tags($pass);
     $pass = htmlspecialchars($pass);
     // prevent sql injections / clear user invalid inputs

     if(empty($name)){
      $error = true;
      $nameError = "Please enter your username.";
     }

     if(empty($pass)){
      $error = true;
      $passError = "Please enter your password.";
     }
       $res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
      $row=mysql_fetch_array($res);



      $row['userSalt']=$salt1;
      $row['userSalt2']=$salt2;
     // if there's no error, continue to login
     if (!$error) {

        $passwordHash = hash('sha256', $salt1 . $password . $salt2); // password hashing using SHA256

      //$res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
      //$row=mysql_fetch_array($res);
      $count = mysql_num_rows($res); // if email/pass correct it returns must be 1 row

      if( $count == 1 && $row['userPass']==$passwordHash ) {
       $_SESSION['user'] = $row['userId'];
       header("Location: dashboard.php");
      } else {
       $errMSG = "Incorrect Credentials, Try again...";
      }

     }

    }
    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <script src="//code.jquery.com/jquery-1.10.2.js"></script>
    <script>
    $(function(){
        $("#overallhead").load("overall_header.php");
        $("#overallfoot").load("overall_footer.html");
    });
    </script>
    <style>
    body {
        color: Thistle;
    }
    </style>
    <div id="overallhead"></div>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Creature Paradise</title>
    <link rel="stylesheet" href="assets/css/bootstrap.min.css" type="text/css" />
    <link rel="stylesheet" href="style.css" type="text/css" />
    </head>
    <body>

    <div class="container">

        <div id="login-form">
            <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">

                <div class="col-md-12">

                    <div class="form-group">
                        <h2 class="">Login</h2>
                    </div>

                    <div class="form-group">
                        <hr />
                    </div>

                    <?php
                    if ( isset($errMSG) ) {

                    ?>
                    <div class="form-group">
                        <div class="alert alert-danger">
                            <span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
                        </div>
                    </div>
                    <?php
                    }
                    ?>

                    <div class="form-group">
                        <div class="input-group">
                            <span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
                            <input type="name" name="name" class="form-control" placeholder="Your Username" value="<?php echo $name; ?>" maxlength="40" />
                        </div>
                        <span class="text-danger"><?php echo $nameError; ?></span>
                    </div>

                    <div class="form-group">
                        <div class="input-group">
                            <span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
                            <input type="password" name="pass" class="form-control" placeholder="Your Password" maxlength="15" />
                        </div>
                        <span class="text-danger"><?php echo $passError; ?></span>
                    </div>

                    <div class="form-group">
                        <hr />
                    </div>

                    <div class="form-group">
                        <button type="submit" class="btn btn-block btn-primary" name="btn-login">Sign In</button>
                    </div>

                    <div class="form-group">
                        <hr />
                    </div>

                    <div class="form-group">
                        <a href="register.php">Don't have an account? Sign up here!</a>
                    </div>

                </div>

            </form>
        </div>

    </div>
    <div id="overallfoot"></div>
    </body>
    </html>
    <?php ob_end_flush(); ?>

1 answer

  • doumei8126 2017-07-05 02:54

    Have you done the hashing on the registration page, too? Because $row['userPass'] will never equal $passwordHash if you have not registered a new account with the new hash applied.

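Why the posted login rejects every password, next to a corrected comparison, as an added example that is not part of the original question or answer: in the code above `$row['userSalt']=$salt1;` assigns in the wrong direction and the hash line reads `$password` while the form value is in `$pass`, so the hash is computed over an empty string. It assumes registration stores sha256(salt1 . password . salt2) and that the PDO SQLite and OpenSSL extensions are loaded; the in-memory table, the account and the function names are constructed for illustration.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite table (constructed)
// stands in for the MySQL `users` table; column names follow the SELECT above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, userName TEXT UNIQUE,
           userPass TEXT, userSalt TEXT, userSalt2 TEXT)');

// Assumption: registration stores sha256(salt1 . password . salt2).
function register(PDO $db, $name, $pass) {
    $salt1 = bin2hex(openssl_random_pseudo_bytes(16));
    $salt2 = bin2hex(openssl_random_pseudo_bytes(16));
    $hash  = hash('sha256', $salt1 . $pass . $salt2);
    $db->prepare('INSERT INTO users (userName, userPass, userSalt, userSalt2)
                  VALUES (?, ?, ?, ?)')->execute(array($name, $hash, $salt1, $salt2));
}

// Bound parameter instead of interpolating $name into the SQL string.
function fetch_user(PDO $db, $name) {
    $stmt = $db->prepare('SELECT userId, userPass, userSalt, userSalt2
                          FROM users WHERE userName = ?');
    $stmt->execute(array($name));
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no such user
}

// Same data flow as the posted login: the assignments run right-to-left and
// $password is not the variable holding the form value ($pass).
function login_as_posted(PDO $db, $name, $pass) {
    $row = fetch_user($db, $name);
    if ($row === false) { return false; }
    $salt1 = $salt2 = $password = null;   // unset in the original (PHP notices)
    $row['userSalt']  = $salt1;           // overwrites the fetched salt
    $row['userSalt2'] = $salt2;
    $passwordHash = hash('sha256', $salt1 . $password . $salt2); // sha256 of ''
    return $row['userPass'] == $passwordHash;
}

function login_fixed(PDO $db, $name, $pass) {
    $row = fetch_user($db, $name);
    if ($row === false) { return false; }
    $passwordHash = hash('sha256', $row['userSalt'] . $pass . $row['userSalt2']);
    return hash_equals($row['userPass'], $passwordHash); // constant-time, PHP 5.6+
}

register($db, 'alice', 'correct horse');                    // constructed account
var_dump(login_as_posted($db, 'alice', 'correct horse'));   // posted logic
var_dump(login_fixed($db, 'alice', 'correct horse'));       // corrected logic
var_dump(login_fixed($db, 'alice', 'wrong password'));      // bad password
```

`password_hash()` and `password_verify()`, available since PHP 5.5, generate and embed the salt themselves and use a slow hash, so on 5.6 they can replace the hand-managed salt columns and the single SHA-256 pass.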
