PHP登录页面上的密码哈希处理

huangapple go评论75阅读模式
英文:

PHP Hash Password on Login page

问题

我正在尝试创建一个登录页面,该页面连接到我的服务器并检查存储的(经过哈希处理的SHA256)数据库密码是否与登录页面上输入的密码相同。但是我尚未成功使其工作。

我的哈希密码例如是在此查询中创建的:

"INSERT INTO accounts VALUES (0,0,'secure',1500434821,0,1,'testaccount',SHA2('testaccount:password', 256),'testaccount@gmail.com',CAST(N'2023-03-12 10:34:09' AS DateTime),NULL,NULL,NULL);"

但是在我的登录页面上,我目前有:

$password = trim($_POST["password"]);

mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    if(password_verify($password, $hashed_password)) {
        echo 'login success' . '<br>';
    } else {
        echo 'login fail' . '<br>';
    }
}

$password 是登录页面的输入,$hashed_password 是保存在数据库中的密码的变量。当我将它们放在一个if语句中时,它不起作用。数据库中保存的密码是SHA-256 哈希值。

我尝试找到将输入变量转换为哈希版本以比较密码的函数,但到目前为止还没有成功。我已经输出了密码变量,它们的值不相等。

英文:

I'm trying to make a login page that connects to my server and checks wether the stored (hashed, SHA256) database password is the same as the password entered on the login page. However I have not managed to get it to work.

My hashed password is created for example in this query:

&quot;INSERT INTO accounts VALUES (0,0,&#39;secure&#39;,1500434821,0,1,&#39;testaccount&#39;,SHA2(&#39;testaccount:password&#39;, 256),&#39;testaccount@gmail.com&#39;,CAST(N&#39;2023-03-12 10:34:09&#39; AS DateTime),NULL,NULL,NULL);&quot;

But for my login page currently I have:

$password = trim($_POST[&quot;password&quot;]);

mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    if(password_verify($password, $hashed_password)) {
        echo &#39;login succes&#39; .&#39;&lt;br&gt;&#39;;
    } else {
        echo &#39;login fail&#39; .&#39;&lt;br&gt;&#39;;
    }
}

$password is the login page input and $hashed_password is the variable that holds the password stored in the database. When I put these in a if statement it does not work. The passwords that are saved in the database are SHA-256.

Tried to find functions that convert input variables into hashed versions to compare the passwords but this has not worked so far. I have echo'd the password variables and they are not equal to eachother in value.

答案1

得分: 1

这似乎是你在验证密码时使用了错误的函数。password_verify() 函数仅与由 password_hash() 创建的哈希兼容,而不是由 hash()SHA256 创建的哈希。你有两种选择来解决这个问题:

  1. 你可以使用 password_hash()PASSWORD_DEFAULT 算法来创建哈希,然后使用 password_verify() 来验证它们。这是推荐的方法,因为它使用安全和最新的算法,自动处理盐和拉伸。例如:
// Register.php
$password = trim($_POST["password"]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// 将 $hashed_password 插入到数据库

// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    if(password_verify($password, $hashed_password)) {
        echo '登录成功' . '<br>';
    } else {
        echo '登录失败' . '<br>';
    }
}
  1. 你可以使用 hash()SHA256 以及一个盐来创建哈希,然后使用 hash_equals() 来验证它们。这不太安全且容易出错,因为你必须手动处理盐和拉伸。例如:
// Register.php
$password = trim($_POST["password"]);
$salt = createSalt(); // 生成随机盐的函数
$hashed_password = hash('sha256', $salt . $password);
// 将 $hashed_password 和 $salt 插入到数据库

// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $salt);
if(mysqli_stmt_fetch($stmt)){
    if(hash_equals($hashed_password, hash('sha256', $salt . $password))) {
        echo '登录成功' . '<br>';
    } else {
        echo '登录失败' . '<br>';
    }
}
英文:

It seems that you are using the wrong function to verify your password. The password_verify() function is only compatible with hashes created by password_hash(), not by hash() with SHA256. You have two options to fix this:

  1. You can use password_hash() with the PASSWORD_DEFAULT algorithm to create your hashes, and then use password_verify() to check them. This is the recommended way, as it uses a secure and up-to-date algorithm that automatically handles salting and stretching. For example:
// Register.php
$password = trim($_POST[&quot;password&quot;]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// Insert $hashed_password into database

// Login.php
$password = trim($_POST[&quot;password&quot;]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    if(password_verify($password, $hashed_password)) {
        echo &#39;login success&#39; .&#39;&lt;br&gt;&#39;;
    } else {
        echo &#39;login fail&#39; .&#39;&lt;br&gt;&#39;;
    }
}
  1. You can use hash() with SHA256 and a salt to create your hashes, and then use hash_equals() to check them. This is less secure and more error-prone, as you have to manually handle salting and stretching. For example:
// Register.php
$password = trim($_POST[&quot;password&quot;]);
$salt = createSalt(); // Your function to generate a random salt
$hashed_password = hash(&#39;sha256&#39;, $salt . $password);
// Insert $hashed_password and $salt into database

// Login.php
$password = trim($_POST[&quot;password&quot;]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $salt);
if(mysqli_stmt_fetch($stmt)){
    if(hash_equals($hashed_password, hash(&#39;sha256&#39;, $salt . $password))) {
        echo &#39;login success&#39; .&#39;&lt;br&gt;&#39;;
    } else {
        echo &#39;login fail&#39; .&#39;&lt;br&gt;&#39;;
    }
}

huangapple
  • 本文由 发表于 2023年4月1日 01:21:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/75901160.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定