PHP MySQL PDO登录/注册系统通过PBKDF2加密不会登录

由于某些原因，我正在使用特定的加密(PBKDF2(。我现在正在建立网站，我的登录系统有问题。注册页面工作非常理想。

当我尝试登录时，密码仍然不匹配，我没有任何错误输出

这是我的注册。php：

<?php
require '../global.php';
$pdo = New Database();
$account->IPisBanned($_SERVER['REMOTE_ADDR']);
$account->isConnected();
if(!empty($_POST['username']) AND !empty($_POST['email']) AND !empty($_POST['password']) AND !empty($_POST['password_confirmation'])) {
$bdd = $pdo->query('SELECT id FROM users WHERE username = ?', [$core->F_HTML($_POST['username'])]);
if($bdd->rowCount() == 0) {
if(preg_match('`^([a-zA-Z0-9-=?!@]{3,15})$`', $core->F_HTML($_POST['username']))) {
$bdd2 = $pdo->query('SELECT id FROM users WHERE email = ?', [$core->F_HTML($_POST['email'])]);
if($bdd2->rowCount() == 0) {
if(filter_var($core->F_HTML($_POST['email']), FILTER_VALIDATE_EMAIL)) {
if($_POST['password'] == $_POST['password_confirmation']) {
if(strlen($_POST['password']) >= 6 AND strlen($_POST['password_confirmation']) >= 6) {
$iterations = 10000;
$length = 40;
$secret = "at_least_16_byte";
$salt = $secret.$_POST['username'];
$hash = hash_pbkdf2("sha1", $_POST['password'], $salt, $iterations, $length);
$hash = strtoupper($hash);
$bdd3 = $pdo->query('INSERT INTO users (username, password, mail, account_created, ip_reg) VALUES (?, ?, ?, ?, ?)', [$core->F_HTML($_POST['username']), $core->F_HTML($hash), $core->F_HTML($_POST['email']), time(), $_SERVER['REMOTE_ADDR']]);
$_SESSION['id'] = $pdo->lastInsertId();
echo 'success';
} else {
echo 'Passwords does not match.';
}
} else {
echo 'Password too short.';
}
} else {
echo 'Invalid email address.';
}
} else {
echo 'This Email is already used by another account.';
}
} else {
echo 'Invalid username.';
}
} else {
echo 'Username already in use.';
}
} else {
echo 'Required fields are emtpy.';
}
?>

这是我的登录名.php：

<?php
require '../global.php';
$pdo = New Database();
$account->IPisBanned($_SERVER['REMOTE_ADDR']);
$account->isConnected();
if(!empty($_POST['username']) AND !empty($_POST['password'])) {
$bdd = $pdo->query('SELECT * FROM users WHERE username = ?', [$core->F_HTML($_POST['username'])]);

$iterations = 10000;
$length = 40;
$secret = "at_least_16_byte";
$salt = $secret.$_POST['username'];
$hash = hash_pbkdf2("sha1", $_POST['password'], $salt, $iterations, $length);
$hash = strtoupper($hash);

if($bdd->rowcount() == 1) {
$req = $bdd->fetch();
if(password_verify($hash, $req['password'])) {
$account->UserisBanned($core->F_HTML($_POST['username']));
$_SESSION['id'] = $req['id'];
$account->Update($_SESSION['id']);
echo 'success';
} else {
echo 'The password is incorrect.';
}
} else {
echo 'The username does not exist.';
}
} else {
echo 'The required fields are empty.';
}
?>

我非常困惑，我花了几个小时试图解决这个问题，但我真的做不到
感谢您抽出时间：(

password_verify似乎希望第一个参数是用户的纯文本密码。

试试这个：

password_verify($_POST['password'], $req['password'])

注意：这意味着您可能还需要删除strtoupper。

https://www.php.net/manual/en/function.password-verify.php

请注意，password_hash((返回算法、成本和salt返回哈希的。因此验证哈希是否包含在其中。这允许验证函数在不需要单独存储盐或算法信息。

/**
* (PHP 5 &gt;= 5.5.0, PHP 5)<br/>
*
* Checks if the given hash matches the given options.
* @link https://secure.php.net/manual/en/function.password-verify.php
* @param string $password The user's password.
* @param string $hash A hash created by password_hash().
* @return boolean Returns TRUE if the password and hash match, or FALSE otherwise.
* @since 5.5.0
*/
function password_verify ($password, $hash) {}

如果你不想这样做，你可以放弃`password_verify`，然后做：

`if ($hash === $req['password'])`

#!/usr/local/bin/php
<?php 
//================================================================
//PBKDF2 generator for PBKDF2 hashed password log in.eg, mosquitto auth-plug
//  I got this generator from somewhere online.. credit go to original writer.. 
//  I research again and again to got loging in Mosquitto server.
//  Use this generator to generate password earlier or use in register.php


function password_hash($password, $salt = '', $algo = 'sha256', $iterations = 901, $key_len = 24, $salt_len = 12)
{ 
//salt len is 12  , ajust your own


$salt = 'pN94c3+KCcNvIV1v'; //I added for my own, to use php login. salt is need to be contant all the time
if($salt=='') $salt = base64_encode(openssl_random_pseudo_bytes($salt_len));
$key = base64_encode(openssl_pbkdf2($password, $salt, $key_len, $iterations, $algo));
return sprintf("PBKDF2$%s$%d$%s$%sn",
$algo,
$iterations,
$salt,
$key);
}
$password = trim($argv[1]);
if(function_exists('readline'))
{
while($password=='')
{
$password = trim(readline('Enter password: '));
}
}
else
{
$handle = fopen ("php://stdin","r");
while($password=='')
{
echo 'Enter password: ';
$password = trim(fgets($handle));
echo chr(10);
}
fclose($handle);
}
echo 'PBKDF2 password generator for Mosquitto auth plugin [https://github.com/jpmens/mosquitto-auth-plug]',chr(10);`enter code here`
echo 'Encoding password = ',$password,chr(10);
echo mqtt_hash($password),chr(10);
?>
//==========================================================================
//  and verify with this pattern in login.php and register php
//  I wrote php script to use above sample function
// php code
<?php
include 'get_hash.php';
$username = $_GET['username'];
$plain_password = $_GET['password'];
$password = trim(get_hash($plain_password)); //trim white space
$Sql_Query = "select * from tblusers where username = '$username'";
$result = mysqli_query($con,$Sql_Query);
if (mysqli_num_rows($result)>0)
{

$row = mysqli_fetch_assoc($result); 
if ($password == $row['pw']){

$status = "ok";

}
else
{
$status = "failed";  

}
}
?>

get_hash.php
<?php
// can use login.php and register.php
function get_hash($password, $salt = '', $algo = 'sha256', $iterations = 901,           $key_len = 24, $salt_len = 12)
{
$salt = 'pN94c3+KCcNvIV1v';
if($salt=='') $salt = base64_encode(openssl_random_pseudo_bytes($salt_len));
$key = base64_encode(openssl_pbkdf2($password, $salt, $key_len, $iterations,     $algo));
return sprintf("PBKDF2$%s$%d$%s$%sn",
$algo,
$iterations,
$salt,
$key);
}
?>

如果你不想这样做，你可以放弃`password_verify`，然后做：

相关内容

最新更新

热门标签：

PHP MySQL PDO登录/注册系统通过PBKDF2加密不会登录

如果你不想这样做，你可以放弃password_verify，然后做：

相关内容

最新更新

热门标签：

如果你不想这样做，你可以放弃`password_verify`，然后做：