问题描述
我有一个网站,我在其中使用bcrypt编程注册/登录系统.我已将带有哈希密码的注册详细信息成功插入数据库中.我的问题是如何使用此哈希密码对用户进行身份验证.以下是我使用的代码:
I have a site where i'm programming a registration/login system with bcrypt. I have successfully inserted the registration details with the hashed password into the database. My problem is how to authenticate the user using this hashed password. Below are the codes i used:
注册操作:
<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Registration Action</title>
</head>
<font face="arial">
<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
//echo "Correct Code Entered";
//Do req stuff
$host="host"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="db"; // Database name
$tbl_name="tbl"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$myemail=mysql_real_escape_string($_POST['myemail']);
$mysecrquest=mysql_real_escape_string($_POST['mysecrquest']);
$mysecransw=mysql_real_escape_string($_POST['mysecransw']);
$mypassword_rep=mysql_real_escape_string($_POST['mypassword_rep']);
$myemail_rep=mysql_real_escape_string($_POST['myemail_rep']);
$mysecransw_rep=mysql_real_escape_string($_POST['mysecransw_rep']);
$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
//validate input
if (( !empty($myusername) && !empty($mypassword) && !empty($myemail) && !empty($mysecrquest) && !empty($mysecransw) )
&& (($mypassword_rep==$mypassword)&&($myemail_rep==$myemail)&&($mysecransw_rep==$mysecransw)))
{
// Insert data into mysql
$sql="INSERT INTO $tbl_name(username, salt, password, email, secrquest, secransw)VALUES('$myusername', '$salt', '$encpass', '$myemail', '$mysecrquest',
'$mysecransw')";
$result=mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
echo "<center><font color='green'>Congratulations! Your registration was Successful</font></center>";
echo "<BR>";
echo "<center><a href='somepage.php'>Somepage</a></center>";
}
}
else {
echo "<center><font color='red'>You have one or more invalid entries: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}
}
else {
echo "<center><font color='red'>Wrong Captcha: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}
?>
<?php
// close connection
//mysql_close();
?>
</font>
</html>
<? ob_flush();//Flush buffer output ?>
登录操作:
<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Login Action</title>
</head>
<font face="arial">
<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered</font>";
//Do req stuff
$host="host"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="db"; // Database name
$tbl_name="tblx"; // Table name
$tbl_name2="tbl"; // Table name 2
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername'";
$result2=mysql_query($sql2);
$row=mysql_fetch_assoc($result2);
//$count=mysql_num_rows($result2);
// If result matched $myusername and $mypassword, table row must be 1 row
//if($count==1)
//$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
if ($encpass == $row['password'])
{
session_start();
$_SESSION['myusername'] = $myusername;
header ("Location: memberspage.php");
}
else {
echo "<center><font color='red'>Invalid Login Details. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";
echo "<center><a href='loginpage.php'>Back</a></center>";
}
}
else {
echo "<center><font color='red'>Wrong Captcha. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";
echo "<center><a href='loginpage.php'>Back</a></center>";
}
?>
<?php
// close connection
//mysql_close();
?>
</font>
</html>
<? ob_flush();//Flush buffer output ?>
感谢您的帮助.谢谢.
推荐答案
我建议使用PHP的内置password_xxx()
函数.明确设计这些密码是为了使使用bcrypt哈希密码的密码更容易使用.除了调用 password_verify()
之外,您无需考虑其他任何事情在创建帐户时检查登录尝试和 password_hash()
.容易.
I suggest using PHP's built-in password_xxx()
functions. These are explicitly designed to make it easy to work with passwords hashed using bcrypt. You don't need to think of anything other than calling password_verify()
to check a login attempt and password_hash()
when creating an account. Easy.
到目前为止,这是在PHP中使用密码的最简单方法.
That's by far the easiest way of working with passwords in PHP.
请注意,这些功能仅在最新的PHP版本(v5.5)中可用.但是,有一个您可以下载的向后兼容性库,使它们在当前所有受支持的版本中的工作方式完全相同PHP(即v5.3和5.4).
Note that these functions are only available in the latest PHP version (v5.5). However there is a backward compatibility library you can download that makes them work exactly the same in all currently supported versions of PHP (ie v5.3 and 5.4).
希望有帮助.
这篇关于验证使用Bcrypt密码登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!