2012-07-24 75 views
0

I recently set up my own dedicated server and installed everything needed for writing PHP etc. However, I seem to be having a problem with the encrypted password being returned from my MySQL database, and I can't tell whether it is something to do with my PHP configuration or with my MySQL configuration. Basically what is happening is that when I use PDO to return the encrypted password from the database it loses certain characters, so when PHP goes to compare the encrypted password the user typed in when logging in with the password saved in the database, it throws an error. Returning hashed password characters from the database

Here is an example:

The password entered by the user, after encryption: #7" 8wŖQE4YW6'u

The password returned from the database: ?#7 ??「????? 8w?QE ?? 4YW?6?'?? u?

The ' ' characters seem to be turning into '?' characters :S

I checked the password in phpMyAdmin to see whether it was missing certain characters, but the passwords match, so something in between is going awry, and I'm not sure whether it is down to the PHP settings or MySQL

Here are my scripts:

Hash and salt script (modules.php):

<?php

    /* Initialises the username variable (null until the user has logged in). */
    $username = isset($_SESSION['username']) ? $_SESSION['username'] : null;

    /* If the user has changed their details then this block of code will make the changes to the database.
    if(isset($_POST['detailsChanged']) == 1)
    {

        $statement = $conn->prepare("UPDATE people SET Firstname = :firstname, Surname = :surname, Email = :email WHERE Username = :username");

        $statement->bindParam(':firstname', $_POST['Firstname'], PDO::PARAM_STR);
        $statement->bindParam(':surname', $_POST['Surname'], PDO::PARAM_STR);
        $statement->bindParam(':email', $_POST['Email'], PDO::PARAM_STR);
        $statement->bindParam(':username', $username, PDO::PARAM_STR);
        $statement->execute();

    }*/

    if(isset($_SESSION["passed"]))
    {

        // Bind the username as a parameter rather than concatenating it into the query string.
        $statement = $conn->prepare("SELECT * FROM people WHERE username = :username");
        $statement->bindParam(':username', $username, PDO::PARAM_STR);

        $statement->execute();

        $result = $statement->fetch();

        $firstname = $result['Firstname'];
        $surname = $result['Surname'];
        $username2 = $result['Username'];

    }

    /* PBKDF2-HMAC key derivation. Note that this returns $kl bytes of RAW BINARY
       (hash_hmac() is called with $raw_output = true), not printable text. */
    function pbkdf2($p, $s, $c, $kl, $a = 'sha256') {

        $hl = strlen(hash($a, '', true)); # Hash length in bytes
        $kb = ceil($kl/$hl);              # Key blocks to compute
        $dk = '';                         # Derived key

        # Create key
        for ($block = 1; $block <= $kb; $block ++) {

            # Initial hash for this block: HMAC(password, salt || INT_32_BE(block))
            $ib = $b = hash_hmac($a, $s . pack('N', $block), $p, true);

            # Perform the remaining c-1 block iterations
            for ($i = 1; $i < $c; $i ++) {

                # XOR each iterate into the block
                $ib ^= ($b = hash_hmac($a, $b, $p, true));
            }

            $dk .= $ib; # Append iterated block
        }

        # Return derived key of correct length
        return substr($dk, 0, $kl);
    }
?>

PDO initialisation (login name and password removed for security reasons) (connection.php):

<?php

    $login = "*******";
    $password = "********";

    $dsn = "mysql:host=localhost;dbname=wishpiggy";
    $opt = array(
        // any occurring errors will be thrown as PDOException
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // an SQL command to execute when connecting; MYSQL_ATTR_INIT_COMMAND only
        // takes effect when passed to the constructor, not via setAttribute()
        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'"
    );

    // Pass the options array, otherwise neither option above is applied.
    $conn = new PDO($dsn, $login, $password, $opt);
?>

Login page:

<?php ob_start(); session_start(); include ('sql_connect/connection.php'); include('sql_connect/modules.php');

    //This section of code checks to see if the client is using SSL, if not
    // if($_SERVER["HTTPS"] != "on")
    // {
    //  header("HTTP/1.1 301 Moved Permanently");
    //  header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    //  exit();
    // }

    //This if statement checks to see if the session variable 'username' is set, and if so it will redirect the user to their profile page.

    if(isset($_SESSION["username"]))
    {
        header("Location: /home/");
        exit(); // stop rendering the login page once the redirect has been sent
    }

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 
    <title>Wish Piggy</title> 
    <link href="css/styles.css" rel="stylesheet" type="text/css" /> 
    <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script> 
    <script type="text/javascript" src="js/loginjs.js"></script> 
</head> 

<body> 

    <div class="index_div"> 
     <div class="logo"><img src="img/wish_piggy.jpg" alt="" /> 
     </div> 
     <div class="text"><span>89% Fulfilled</span> 
     </div> 
     <div class="bar"><img src="img/wish_piggy_bar.jpg" alt="" /> 
     </div> 
     <div class="text"> 
      <div class="text_l"><p>1,000,000 People</p> 
      </div> 
      <div class="text_r"><p>9,000,838 Wishes</p> 
      </div> 
     </div> 
     <div class="sign_in"><a id="show-panel" href="#"></a> 
     </div> 
    </div> 

    <div id="lightbox-panel"> 
     <form id="loginForm" name="form" action="index.php" method="post" > 
      <input name="submitted" type="hidden" value="1" /> 
      <div class="login_label"><img src="img/wish_piggy_login.jpg" alt="" /><a id="open_signin" href="#">SIGN UP HERE</a><p>Login</p><a id="close-panel" href="#"></a> 
      </div> 
      <div class="login_input"><input name="email" type="text" value="<?php if(isset($_COOKIE['username']) && $_COOKIE['username'] != ""){echo $_COOKIE['username']; $_SESSION["username"] = $_COOKIE['username']; $_SESSION["passed"] = 1; header("Location: /home/"); exit();}else{echo "Email";} ?>" onclick="this.value=''" />
      </div> 
      <div class="input_label"><span>(e.g. [email protected])</span> 
      </div> 
      <div class="login_input"><input name="password" type="password" value="Password" onclick="this.value=''" /> 
      </div> 
      <div class="input_label"><a href="#">Forgot Password</a> 
      </div> 
      <div class="login_submit"> 
       <div class="login_checkbox"><input name="remember" type="checkbox" value="" /> <span>Remember me</span> 
       </div> 
       <div class="login_submit_input"><input name="submit" type="submit" value=""/> 
       </div> 
      </div> 
     </form> 
    </div> 
    <div id="lightbox"></div> 

    <div id="lightbox-panel2"> 
     <div class="inner_lightbox2"><img src="img/wish_piggy_login.jpg" alt="" /><a id="close-panel2" href="#"></a> 
     </div> 
     <div class="signup_form"> 
      <form action="index.php" method="post"> 
       <input name="submitted" type="hidden" value="1" /> 
       <div class="signup_form_label"><span>Firstname:</span> 
       </div> 
       <div class="signup_form_input"><input name="firstname" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Surname:</span> 
       </div> 
       <div class="signup_form_input"><input name="surname" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Email:</span> 
       </div> 
       <div class="signup_form_input"><input name="email" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Confirm Email:</span> 
       </div> 
       <div class="signup_form_input"><input name="emailConfirm" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Password:</span> 
       </div> 
       <div class="signup_form_input"><input name="password" type="text" /> 
       </div> 
       <div class="signup_form_label"><span>Confirm Password:</span> 
       </div> 
       <div class="signup_form_input"><input name="passwordConfirm" type="text" /> 
       </div> 
       <div class="signup_form_label2"><img src="img/wish_piggy_captcha.jpg" alt="" /> 
       </div> 
       <div class="signup_form_input2"><input name="" type="text" /> 
       </div> 
       <div class="signup_form_submit"><input name="" type="button" value="register" /> 
       </div> 
      </form> 
     </div> 
    </div> 
    <?php
        if(isset($_POST["submitted"]))
        {
            echo "caught data!";
            $email = $_POST["email"];
            $password = $_POST["password"];
            if($password == "")
            {
                die ("Your username or password is incorrect.");
            }

            $usernameValidated = 0;

            $statement = $conn->prepare("SELECT password FROM users WHERE email = :name");
            $statement->bindParam(":name", $email);
            $statement->execute();

            $passCompare = $statement->fetch();
            $passSubmitHashed = pbkdf2($password, "butterScotch", 1000, 32);
            // Debug output: $passSubmitHashed is raw binary, so it will not print cleanly.
            echo $passSubmitHashed;
            echo " || ";
            echo $password;
            if($passCompare !== false && $passSubmitHashed == $passCompare['password'])
            {
                $usernameValidated++;
            }
            echo "hurrdurr || " . ($passCompare !== false ? $passCompare['password'] : "(no row for that email)");
            if($usernameValidated == 0)
            {

                die("Your username or password is incorrect..");

            }

        }
        if(!isset($_POST["submitted"]) || (isset($usernameValidated) && $usernameValidated > 0))
        {
            echo "<style> #text_contents{display: none;}</style>";
        }

        if(isset($usernameValidated) && $usernameValidated >= 1)
        {
            // modules.php only fills $username from the session, which is still empty
            // at this point, so the identifier the user logged in with is $email.
            $_SESSION["username"] = $email;
            $expiry = 60 * 60 * 6 + time();
            // This cookie is later accepted as a login on its own (see the email input
            // above), so whoever can set it is logged in; a random server-side token
            // would be needed for a "remember me" feature.
            setcookie('username', $email, $expiry);
            $_SESSION["passed"] = $_POST["submitted"];

            header("Location: /profile/");
            exit();
        }
    ?>
    <div id="lightbox2"></div>
    <?php ob_end_flush(); ?>
</body> 
</html> 
+0

Why don't you just do a two-parameter select? For example "SELECT * FROM users WHERE email = :email AND password = :password", passing it the hash of what the user entered (and checking whether the result gives a record count == 1)? – Onheiron 2012-07-24 14:24:49

+0

Onheiron, I tried your suggestion, but it always returns a record because it finds the record by the email regardless of whether the password is correct. – 2012-07-24 14:53:56

Answer

4

Simply encode the password using base64_encode (before saving it, and again when comparing) :)

+0

Listen to @GeoffreyBrier: don't put the plain hash in the database, encode it and then decode it. – Peon 2012-07-24 14:29:26

+0

That's not solving the problem; the hash shouldn't be **** in the first place. If he sets the charset correctly everywhere (files, connection, database, etc.), there should be no problem to begin with. – Sherlock 2012-07-24 14:30:19

+0

Yes, I'm using this hash because it should be the most secure; the point of a hash is that you can't reverse it. That's different from encryption. – 2012-07-24 14:32:49
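As an added example (not the asker's code and not the answerer's), the PHP below shows why the raw PBKDF2 digest from the question does not survive a utf8 column, and how the base64 step from the answer makes the stored value and the login comparison behave. It assumes PHP 5.6 or later with the mbstring extension; the constants and the functions derive_raw(), simulate_utf8_column(), derive_for_storage() and verify() are names chosen here, and the demo password is constructed.

```php
<?php
// Added example, not code from the question or the answer. Assumes PHP >= 5.6
// (hash_pbkdf2, hash_equals) with the mbstring extension loaded.

// Same parameters as the question's call pbkdf2($password, "butterScotch", 1000, 32).
const PBKDF2_SALT = 'butterScotch';   // fixed site-wide salt, as in the question
const PBKDF2_ITERATIONS = 1000;
const PBKDF2_BYTES = 32;

/**
 * Raw PBKDF2-HMAC-SHA256 digest: 32 arbitrary bytes, which is what the
 * question's userland pbkdf2() returns. The built-in hash_pbkdf2() (PHP 5.5+)
 * computes the same function.
 */
function derive_raw($password)
{
    return hash_pbkdf2('sha256', $password, PBKDF2_SALT, PBKDF2_ITERATIONS, PBKDF2_BYTES, true);
}

/**
 * Model of what a utf8 column does to the raw digest on INSERT: MySQL in
 * non-strict mode replaces every byte sequence that is not valid UTF-8 with
 * '?', which is the mangled value the question sees coming back via PDO.
 */
function simulate_utf8_column($bytes)
{
    $previous = mb_substitute_character();
    mb_substitute_character(0x3F);                       // '?'
    $stored = mb_convert_encoding($bytes, 'UTF-8', 'UTF-8');
    mb_substitute_character($previous);
    return $stored;
}

/** Value to store: the digest encoded as ASCII, so any column charset passes it through unchanged. */
function derive_for_storage($password)
{
    return base64_encode(derive_raw($password));
}

/** Login check: encode the submitted password the same way and compare in constant time. */
function verify($password, $stored)
{
    return hash_equals($stored, derive_for_storage($password));
}

// Constructed demo values.
$raw = derive_raw('correct horse');
$roundTripped = simulate_utf8_column($raw);
printf("raw digest (%d bytes) survives a utf8 column: %s\n",
    strlen($raw), $raw === $roundTripped ? 'yes' : 'no');

$stored = derive_for_storage('correct horse');
printf("base64 digest (%s) survives a utf8 column: %s\n",
    $stored, simulate_utf8_column($stored) === $stored ? 'yes' : 'no');

printf("correct password verifies: %s\n", verify('correct horse', $stored) ? 'yes' : 'no');
printf("wrong password verifies:   %s\n", verify('wrong horse', $stored) ? 'yes' : 'no');
```

Storing the raw bytes in a BINARY(32) or VARBINARY column is the other way to honour Sherlock's point, since binary columns apply no charset conversion; base64 (or bin2hex) has the advantage of working with whatever column type already exists. Two things the question's code does that the example keeps only for comparability: the salt "butterScotch" is shared by every user, where a per-user random salt stored alongside the hash is the usual practice, and 1000 iterations was low even in 2012; on PHP 5.5 or later password_hash() and password_verify() take care of both and already produce an ASCII string.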