英文:
PHP Hash Password on Login page
问题
我正在尝试创建一个登录页面,该页面连接到我的服务器并检查存储的(经过哈希处理的SHA256)数据库密码是否与登录页面上输入的密码相同。但是我尚未成功使其工作。
我的哈希密码例如是在此查询中创建的:
"INSERT INTO accounts VALUES (0,0,'secure',1500434821,0,1,'testaccount',SHA2('testaccount:password', 256),'testaccount@gmail.com',CAST(N'2023-03-12 10:34:09' AS DateTime),NULL,NULL,NULL);"
但是在我的登录页面上,我目前有:
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)) {
echo 'login success' . '<br>';
} else {
echo 'login fail' . '<br>';
}
}
$password 是登录页面的输入,$hashed_password 是保存在数据库中的密码的变量。当我将它们放在一个if语句中时,它不起作用。数据库中保存的密码是SHA-256 哈希值。
我尝试找到将输入变量转换为哈希版本以比较密码的函数,但到目前为止还没有成功。我已经输出了密码变量,它们的值不相等。
英文:
I'm trying to make a login page that connects to my server and checks wether the stored (hashed, SHA256) database password is the same as the password entered on the login page. However I have not managed to get it to work.
My hashed password is created for example in this query:
"INSERT INTO accounts VALUES (0,0,'secure',1500434821,0,1,'testaccount',SHA2('testaccount:password', 256),'testaccount@gmail.com',CAST(N'2023-03-12 10:34:09' AS DateTime),NULL,NULL,NULL);"
But for my login page currently I have:
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)) {
echo 'login succes' .'<br>';
} else {
echo 'login fail' .'<br>';
}
}
$password is the login page input and $hashed_password is the variable that holds the password stored in the database. When I put these in a if statement it does not work. The passwords that are saved in the database are SHA-256.
Tried to find functions that convert input variables into hashed versions to compare the passwords but this has not worked so far. I have echo'd the password variables and they are not equal to eachother in value.
答案1
得分: 1
这似乎是你在验证密码时使用了错误的函数。password_verify() 函数仅与由 password_hash() 创建的哈希兼容,而不是由 hash() 与 SHA256 创建的哈希。你有两种选择来解决这个问题:
- 你可以使用
password_hash()与PASSWORD_DEFAULT算法来创建哈希,然后使用password_verify()来验证它们。这是推荐的方法,因为它使用安全和最新的算法,自动处理盐和拉伸。例如:
// Register.php
$password = trim($_POST["password"]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// 将 $hashed_password 插入到数据库
// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)) {
echo '登录成功' . '<br>';
} else {
echo '登录失败' . '<br>';
}
}
- 你可以使用
hash()与SHA256以及一个盐来创建哈希,然后使用hash_equals()来验证它们。这不太安全且容易出错,因为你必须手动处理盐和拉伸。例如:
// Register.php
$password = trim($_POST["password"]);
$salt = createSalt(); // 生成随机盐的函数
$hashed_password = hash('sha256', $salt . $password);
// 将 $hashed_password 和 $salt 插入到数据库
// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $salt);
if(mysqli_stmt_fetch($stmt)){
if(hash_equals($hashed_password, hash('sha256', $salt . $password))) {
echo '登录成功' . '<br>';
} else {
echo '登录失败' . '<br>';
}
}
英文:
It seems that you are using the wrong function to verify your password. The password_verify() function is only compatible with hashes created by password_hash(), not by hash() with SHA256. You have two options to fix this:
- You can use
password_hash()with thePASSWORD_DEFAULTalgorithm to create your hashes, and then usepassword_verify()to check them. This is the recommended way, as it uses a secure and up-to-date algorithm that automatically handles salting and stretching. For example:
// Register.php
$password = trim($_POST["password"]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// Insert $hashed_password into database
// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)) {
echo 'login success' .'<br>';
} else {
echo 'login fail' .'<br>';
}
}
- You can use
hash()withSHA256and a salt to create your hashes, and then usehash_equals()to check them. This is less secure and more error-prone, as you have to manually handle salting and stretching. For example:
// Register.php
$password = trim($_POST["password"]);
$salt = createSalt(); // Your function to generate a random salt
$hashed_password = hash('sha256', $salt . $password);
// Insert $hashed_password and $salt into database
// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $salt);
if(mysqli_stmt_fetch($stmt)){
if(hash_equals($hashed_password, hash('sha256', $salt . $password))) {
echo 'login success' .'<br>';
} else {
echo 'login fail' .'<br>';
}
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论