请快速检查这个 PHP + SALT 实施 - 不起作用?
以教程为基础,使用 salt 实现基本的用户注册+登录系统。目前我在注册阶段使用它:
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt = null)
{
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
}
else
{
$salt = substr($salt, 0, SALT_LENGTH);
}
return $salt . sha1($salt . $plainText);
}
$newpass = generateHash($_POST['newpass']);
followed by:
$sql = "INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass'), ... etc"
效果很好。
我现在想要比较输入密码以检查是否相等(在单独的访问控制文件中):
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt)
{
$salt = substr($salt, 0, SALT_LENGTH);
return $salt . sha1($salt . $plainText);
}
$sql = "SELECT password FROM user WHERE
userid = '$uid'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
$comparepwd = generateHash($pwd, $row['password']);
if (mysql_num_rows($result) == 0 || $comparepwd != $row['password']) {
//access denied, unset session variables
}
原则上我相信这应该可行。我对 PHP/MySQL 相当陌生,所以如果您能就它不起作用的原因提出建议,我将非常感激。非常感谢!
编辑:刚刚意识到,是因为
INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass')
PASSWORD('$newpass') 做了进一步的 MySQL 操作吗?
Building on tutorials out there to implement a basic user sign up + log in system with salt. At the moment I'm using this for the sign up stage:
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt = null)
{
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
}
else
{
$salt = substr($salt, 0, SALT_LENGTH);
}
return $salt . sha1($salt . $plainText);
}
$newpass = generateHash($_POST['newpass']);
followed by:
$sql = "INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass'), ... etc"
This works fine.
I now want to compare input password to check for equality (in a seperate access control file):
define('SALT_LENGTH', 9);
function generateHash($plainText, $salt)
{
$salt = substr($salt, 0, SALT_LENGTH);
return $salt . sha1($salt . $plainText);
}
$sql = "SELECT password FROM user WHERE
userid = '$uid'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
$comparepwd = generateHash($pwd, $row['password']);
if (mysql_num_rows($result) == 0 || $comparepwd != $row['password']) {
//access denied, unset session variables
}
In principle I believe this should work. I am fairly new with PHP/MySQL so I would be extremely grateful if you could advise on why it isn't working. Thanks very much!
EDIT: Just realised, is it because
INSERT INTO user SET
userid = '$_POST[newid]',
password = PASSWORD('$newpass')
the PASSWORD('$newpass') does further MySQL hasing?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,密码函数是一种单向哈希,您不应该真正使用它!
http://dev.mysql.com/doc/refman /5.0/en/cryption-functions.html#function_password
Yes, the password function is a one-way hash and you shouldn't be using it really!
http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_password