Verifying a password against a database using bcrypt

I am trying to verify a password against the one stored in the database, but it isn't working. Please look at my code and let me know where I went wrong.

Code for storing the username and password in the database:

<?php
echo "enter the username\n";
$username = trim(fgets(STDIN));
echo "enter the password\n";
$password = trim(fgets(STDIN));
// connecting to database
$con = mysqli_connect("localhost", "sqldata", "sqldata", "accounts");
// Check connection
if (mysqli_connect_errno()) {
    die("Failed to connect to MySQL: " . mysqli_connect_error());
}
// 22-character salt for the bcrypt ($2y$) crypt() format at cost 10.
// mt_rand() is not a cryptographic source; password_hash() generates a proper salt.
$salt = substr(sha1(mt_rand()), 0, 22);
$hashedPassword = crypt($password, '$2y$10$' . $salt);
echo $hashedPassword;
// prepared statement so the user-supplied values are never interpolated into SQL
$stmt = mysqli_prepare($con, "INSERT INTO login (username, password) VALUES (?, ?)");
mysqli_stmt_bind_param($stmt, "ss", $username, $hashedPassword);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($con);
?>

The code for verifying the password is as follows:

<?php

echo "enter the username\n";
$username = trim(fgets(STDIN));
echo "enter the password\n";
$password = trim(fgets(STDIN));
// connecting to database (mysqli; the old mysql_* functions were removed in PHP 7)
$con = mysqli_connect("localhost", "sqldata", "sqldata", "accounts");
if (mysqli_connect_errno()) {
    die("Failed to connect to MySQL: " . mysqli_connect_error());
}
// look up the stored hash for this username with a prepared statement
$stmt = mysqli_prepare($con, "SELECT password FROM login WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
if (!$row) {
    exit("$username wasn't found in the database!");
}
$storedPassword = $row['password'];
// verification as originally written: a fresh random salt is generated on every
// login, so the hash computed here never equals the stored one (see the answers).
// crypt() without a salt argument is also rejected on PHP 8, where salt is required.
$salt = substr(sha1(mt_rand()), 0, 22);
$hashedPassword = crypt($password, '$2y$10$' . $salt);
if (crypt($hashedPassword) == $storedPassword) {
    echo "ok";
} else {
    echo "error";
}
mysqli_close($con);
?>

When you save the password to the database you are using:

$hashedPassword= crypt($password , '$2y$10$' . $salt);

But when you retrieve the password and check it, I see something wrong:

$storedPassword = $row['password'];
$salt = substr(sha1(mt_rand()),0,22);
$hashedPassword= crypt($password , '$2y$10$' . $salt);
if (crypt($hashedPassword) == $storedPassword){/*...*/}

1. Shouldn't:

$hashedPassword= crypt($password, '$2y$10$' . $salt);

$hashedPassword= crypt($storedPassword, '$2y$10$' . $salt);

2. You seem to be using crypt twice:

$hashedPassword= crypt($password , '$2y$10$' . $salt);
if (crypt($hashedPassword) == $storedPassword)

so shouldn't it just be:

$hashedPassword= crypt($storedPassword, '$2y$10$' . $salt);
if ($hashedPassword == $storedPassword){/*...*/}

This is simpler than you think. The crypt format is a bit clever: it puts the salt at the start of the encrypted password, in the form (method)(salt)(hash).

When crypt() is called, it only looks at (method)(salt) and uses those to return (method)(salt)(hash), so to verify a password all you need to do is pass the encrypted password as the salt and see whether the result matches. That is,

crypt($testPassword, $hashedPassword) === $hashedPassword
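The rule above worked through as an added example (not code from the question or either answer): the stored hash is constructed at run time, the helper names are my own, and the asker's fresh-salt approach is included to show why it can never match.

```php
<?php
// Added example: verifying against a stored bcrypt hash produced by crypt()/password_hash().

// Registration: bcrypt at cost 10. password_hash() generates a random salt and
// returns a string that already embeds (method)(cost)(salt)(hash).
function storeHash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Login, as the answer describes: pass the stored hash as the "salt" argument.
// crypt() reads the method, cost and salt from its prefix and recomputes the
// hash, so a correct password reproduces the stored string exactly.
// hash_equals() compares in constant time.
function verifyWithCrypt(string $candidate, string $storedHash): bool {
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

// The asker's approach: a new random salt on every login. The salts differ,
// so the computed hash never equals the stored one, even for the right password.
function verifyWithFreshSalt(string $candidate, string $storedHash): bool {
    $salt = substr(sha1(mt_rand()), 0, 22);
    return crypt($candidate, '$2y$10$' . $salt) === $storedHash;
}

// Same prefix-as-salt check, built into PHP since 5.5; preferred over hand-rolled crypt().
function verifyBuiltin(string $candidate, string $storedHash): bool {
    return password_verify($candidate, $storedHash);
}

// Constructed sample: what the "password" column would hold after registration.
$stored = storeHash('correct horse battery staple');
echo "stored hash: $stored\n";

// Correct password passes, wrong password fails, re-salting fails regardless.
var_dump(verifyWithCrypt('correct horse battery staple', $stored));
var_dump(verifyWithCrypt('wrong password', $stored));
var_dump(verifyWithFreshSalt('correct horse battery staple', $stored));
var_dump(verifyBuiltin('correct horse battery staple', $stored));
```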