密碼哈希在php註冊和登錄不工作

Question

我在註冊時使用密碼鹽來哈希用戶的密碼，也使用登錄相同的方法，但它總是顯示我不正確的密碼，請有人可以告訴我什麼是錯誤。 如果我刪除密碼salt它將工作正常，但我需要確保密碼。

這裏是我的註冊碼

<?php 

include($root . 'database_connection.php'); 
if (isset($_POST['formsubmitted'])) { 
    $username = $_POST['username']; //else assign it a variable 
    $email = $_POST['email']; 
    $password = $_POST['password']; 

     $salt = "@g26jQsG&nh*&#8v"; 
     $passcode = sha1($password.$salt); 
     $name = $username; 
     $pass = $passcode; 
     $mail = $email; 
     $query_insert_user = "INSERT INTO `users` (`username`, `password`, `email`, `active`) VALUES ('$name', '$pass', '$mail', '$numbers')"; 

      $result_insert_user = mysqli_query($db_conn, $query_insert_user); 
      if (!$result_insert_user) { 
       echo 'Query Failed '; 
      } 

    mysqli_close($db_conn); //Close the DB Connection 

} // End of the main Submit conditional. 

?> 

登錄頁面

<?php 

     if ($_POST) { 

      $salt = "@g26jQsG&nh*&#8v"; 
      $password = sha1($_POST['password'].$salt); 

      $logdb = new PDO('mysql:host=localhost;dbname=userdb', 'root', 'pass'); 
      $logdb->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
      $stmt = $logdb->prepare("SELECT * FROM users WHERE username=:username AND password=:password"); 
      $stmt->bindParam(":username", $_POST['username']); 
      $stmt->bindParam(":password", $password); 
      $stmt->execute(); 

     $atributes = $stmt->fetch(PDO::FETCH_OBJ); 
     if ($atributes) { 
      session_start(); 

      $username = $atributes->username; 
      $_SESSION['username'] = $username; 
      $active = $atributes->active; 
      $email = $atributes->email; 
    if($active==0){ 
    echo '<table><td width="50px" valign="top"><i class="fa fa-ban mail2"></i></td><td><div>Authentication Error! Your account is not verified please verify your email.<br/> 
    <small>Need more help? Please contact the systems administrator.</small></div></td></table>';} 
    else{ 
      header("location: index.php"); 
    } 

      } else { 
      header("location: login.php?else=0&n"); 
       //incorrect 
      } 

     } 

      else { 
     header("location: login.php?false=1&n"); 
       echo '<form name="login" action="" method="POST"> 
      Username: <br /> 
      <input type="text" name="username"/><br /> 
      Password: <br /> 
      <input type="password" name="password"/><br /> 
      <button type="submit">Login</button> 
      <a href="signup.php">Register</a></form>'; 


      } 
     $logdb=null; 
    ?> 

Answer 1

PHP提供的密碼哈希和驗證的本地支持。請使用password_hash()功能，因爲它更安全，易於使用。它可以選擇使用鹽。

請參閱

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/

SHA1是一個妥協的算法，如果任何人知道你的鹽，他就能破密碼。

註冊碼將改變：在註冊過程中

$passcode = password_hash($password, PASSWORD_DEFAULT); // leave the salt as this function will automatically generate a secure one for you 
    $name = $username; 
    $pass = $passcode; 

登錄代碼

// Please get user's password as hash in $password_hash and plain text password from user. Then use password_verify function (native function) to verify the password 
if(password_verify($_POST['password'] , $password_hash) 
{ 
    // correct password 
} 
else 
{ 
    // wrong password 
} 

Answer 2

我使用的密碼鹽加密用戶密碼

No you're not。你的代碼說：

$salt = "@g26jQsG&nh*&#8v"; 
$passcode = sha1($password.$salt); 

SHA1不加密，它是一個散列函數。 散列不是加密。

散列是一個單向函數，它接受無限多的可能值並將它們映射到有限數量的值，這樣就很難從有限值返回到無限值的對應值。

這也是一種非常不安全的存儲密碼的方式。參見：How to safely store a password。 （對方回答是正確的：使用password_hash()和password_verify()）

此外：

$username = $_POST['username']; //else assign it a variable 
$email = $_POST['email']; 
$password = $_POST['password']; 
// SNIP // 
$query_insert_user = "INSERT INTO `users` (`username`, `password`, `email`, `active`) VALUES ('$name', '$pass', '$mail', '$numbers')"; 

你的註冊碼是不安全的。你可能想學習how to prevent SQL injection。而application security in general就是這個問題。