Phpass - 如何检查登录用户名和密码,防止数据库的用户名和密码哈希(Phpass - how

2019-09-22 03:18发布

我已经成功地使用Phpass哈希注册用户密码,并将它们存储在数据库中,现在我卡在登录我如何检查sumbitted用户名和密码,检查用户名存在于数据库中,然后检查,对给定一个哈希密码。

任何帮助非常感激! 谢谢!

这是我的代码:

<?php

// Inialize session
session_start();

// Include database connection settings
include('config.inc');

require("PasswordHash.php");
$hasher = new PasswordHash(8, false);

$username = $_POST['username'];
$password = $_POST['password'];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die("Password must be 72 characters or less"); }

$query = "SELECT * FROM user WHERE username = '$username'";

$query = mysql_query($query);
$numrows = mysql_num_rows($query);

if ($numrows = 1) {


$res = mysql_query("SELECT password FROM user WHERE username = '$username'"); 
$row = mysql_fetch_array($res); 
$hash = $row['password']; 
$password = $_POST['password'];

if ($hasher->CheckPassword($password, $hash)) { //$hash is the hash retrieved from the      DB 
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }

} else {

 echo "No Such User";
include 'login.php';
exit();
}

echo "$what\n";
echo "<br />";
echo "$hash";

?>

这是我工作的代码从企业利益他人的:

<?php

// Inialize session
session_start();

// Include database connection settings
include('config.inc');

require("PasswordHash.php");
$hasher = new PasswordHash(8, false);

$username = $_POST['username'];
$password = $_POST['password'];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die("Password must be 72 characters or less"); }

$query = "SELECT * FROM user WHERE username = '$username'";

$query = mysql_query($query);
$numrows = mysql_num_rows($query);

if ($numrows = 1) {


$res = mysql_query("SELECT * FROM user WHERE username = '$username'"); 
$row = mysql_fetch_array($res); 
$hash = $row['password']; 
$password = $_POST['password'];

if ($hasher->CheckPassword($password, $hash)) { //$hash is the hash retrieved from the      DB 
        $what = 'Authentication succeeded';
    } else {
        $what = 'Authentication failed';
    }

} else {

 echo "No Such User";
include 'login.php';
exit();
}

echo "$what\n";
echo "<br />";
echo "$hash";

?>

Answer 1:

下面是如何phpass工作原理:当您保存用户的密码(当他们创建它),你节省了,像这样前凑吧:

$hash_iterations = 30;
$portable_hashes = FALSE;
$hasher = new PasswordHash($hash_iterations, $portable_hashes);
$hash_value = $hasher->HashPassword($actual_password);

然后保存$hash_value在数据库中的用户的密码。 当你去验证用户,通过用户名查找用户。 如果找到,比较从数据库(存储的散列)与用户输入的内容的哈希实际的密码:

// $stored_hash is the value you saved in the database for this user's password
// $user_input is the POST data from the user with the actual password
$valid_password = $hasher->CheckPassword($user_input, $stored_hash);

确保初始化PasswordHash类每次都以同样的方式,与相同的值$hash_iterations$portable_hashes ,或比较会无法正常工作。



文章来源: Phpass - how to check login username and password against username and password hash in database