问题:
当我运行此代码时,它会在错误解密和无效密钥长度之间交替出现。
(我在服务器上使用诸如
之类的输入运行代码test.php?电子邮件=ted.tester@hotmail.com&password=你好
代码:
<?php
session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 2592000)) {
session_destroy();
session_start();
}
$_SESSION['LAST_ACTIVITY'] = time();
$mysqli = new mysqli('127.0.0.1', 'php', 'password', 'pizzaprogramming');
if($mysqli->connect_errno){
print("Our Database is currently down, try again later.");
throw new Exception($mysqli->connect_errno);
}
function login() {
global $mysqli;
//REQUIRES Cookies, mysql database, and more.
/*
Set Variables
*/
$IV = (empty($_COOKIE["IV"]))?openssl_random_pseudo_bytes(16):$_COOKIE["IV"];
$email = empty($_COOKIE["email"])?$_REQUEST["email"]:$_COOKIE["email"];
if (!$hash = $mysqli->query("SELECT user_hash FROM users WHERE user_email='".$mysqli->real_escape_string($email)."';")) {
print("Sorry, we are experiencing technical difficulties");
throw new Exception("Sorry, we are experiencing technical difficulties");
}
else if ($hash->num_rows === 0) {
print "Incorrect Username";
throw new Exception("Incorrect Username");
}
else {
$hash_result = $hash->fetch_assoc();
}
if (is_null($hash_result["user_hash"])) {
print "Database Error";
throw new Exception("HASH ERROR");
}
$key = hash("sha256", $email);
var_dump($key);
if(empty($_SESSION["AES"])) {
if (empty($_REQUEST["password"])) {
throw new Exception("Empty Password.");
}
else {
$aes_result = openssl_encrypt($pass,"AES-256-CBC",$key,OPENSSL_RAW_DATA,$IV);
print "hello";
}
}
else {
$aes_result = base64_decode($_SESSION["AES"];
}
$aes_result = base64_encode($aes_result);
$_SESSION["AES"] = $aes_result;
$hash = $hash_result["user_hash"];
setcookie("IV", $IV, time()+2592000);
setcookie("email", $email, time()+2592000);
print "<marquee>Hello " . htmlspecialchars($email) . "</marquee>";
print "<p>Hash: " . $hash . "</p>";
print "<p>AES: " . $aes_result . "</p>";
print " " . var_dump(openssl_decrypt(base64_decode($aes_result),"AES-256-CBC",$key,OPENSSL_RAW_DATA, $IV));
print " " . openssl_error_string();
//implement database storage
if(password_verify(openssl_decrypt(base64_decode($aes_result),"AES-256-CBC",$key,OPENSSL_RAW_DATA, $IV),$hash)){
echo "THIS IS SPARTA";
}
if($_REQUEST["hash"]!="" and $_REQUEST["password"]!=""){
echo "<p>Hash Verifies: ". htmlspecialchars(password_verify($_REQUEST["password"], $_REQUEST["hash"])?"True":"False") . "</p>";
}
else {
echo "<p> Make sure you have both hash and pass set in order to verify hashes. </p>";
}
}
login();
session_write_close();
?>
<p> Hello </p>
$key = hash("sha256", $email);
提供64个字符的字符串,但AES仅支持16、24和32字节的密钥。您可能希望使用原始输出:$key = hash("sha256", $email, true);
。
然后您忘记在使用$pass = $_REQUEST["password"]
之前设置它。