php - 使用 Bcrypt 密码验证登录

标签 php mysql

我有一个网站,我正在使用 bcrypt 编写注册/登录系统。我已经成功地将带有散列密码的注册详细信息插入到数据库中。我的问题是如何使用此散列密码对用户进行身份验证。以下是我使用的代码:

注册 Action :

<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Registration Action</title>
</head>
<font face="arial">

<?php

session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
//echo "Correct Code Entered";
//Do req stuff







$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tbl"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$myemail=mysql_real_escape_string($_POST['myemail']);
$mysecrquest=mysql_real_escape_string($_POST['mysecrquest']);
$mysecransw=mysql_real_escape_string($_POST['mysecransw']);
$mypassword_rep=mysql_real_escape_string($_POST['mypassword_rep']);
$myemail_rep=mysql_real_escape_string($_POST['myemail_rep']);
$mysecransw_rep=mysql_real_escape_string($_POST['mysecransw_rep']);

$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);

$encpass = crypt($mypassword, $salt);

//validate input
if (( !empty($myusername) && !empty($mypassword) && !empty($myemail) && !empty($mysecrquest) && !empty($mysecransw) )
&& (($mypassword_rep==$mypassword)&&($myemail_rep==$myemail)&&($mysecransw_rep==$mysecransw)))
{
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, salt, password, email, secrquest, secransw)VALUES('$myusername', '$salt', '$encpass', '$myemail', '$mysecrquest', 

'$mysecransw')";
$result=mysql_query($sql);

// if successfully insert data into database, displays message "Successful". 
if($result){
echo "<center><font color='green'>Congratulations! Your registration was Successful</font></center>";
echo "<BR>";
echo "<center><a href='somepage.php'>Somepage</a></center>";
}
}

else {
echo "<center><font color='red'>You have one or more invalid entries: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}


}
else {
echo "<center><font color='red'>Wrong Captcha: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}

?> 



<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<? ob_flush();//Flush buffer output ?>

登录操作:

<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Login Action</title>
</head>

<font face="arial">

<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered</font>";
//Do req stuff





$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tblx"; // Table name 
$tbl_name2="tbl"; // Table name 2

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);

// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername'";
$result2=mysql_query($sql2);

$row=mysql_fetch_assoc($result2);

//$count=mysql_num_rows($result2);

// If result matched $myusername and $mypassword, table row must be 1 row
//if($count==1)

//$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
if ($encpass == $row['password'])
             {
session_start();             
$_SESSION['myusername'] = $myusername;
header ("Location: memberspage.php");

             }

else {
echo "<center><font color='red'>Invalid Login Details. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}


}

else {
echo "<center><font color='red'>Wrong Captcha. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}
?>


<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<? ob_flush();//Flush buffer output ?>

感谢任何帮助。谢谢。

最佳答案

我建议使用 PHP 的内置 password_xxx() 函数。这些是明确设计的,可以轻松处理使用 bcrypt 散列的密码。除了调用 password_verify() 之外,您无需考虑任何其他事情。检查登录尝试和 password_hash()创建帐户时。很简单。

这是迄今为止在 PHP 中使用密码的最简单方法。

请注意,这些功能仅在最新的 PHP 版本 (v5.5) 中可用。但是有一个 backward compatibility library you can download这使得它们在所有当前支持的 PHP 版本(即 v5.3 和 5.4)中完全相同。

希望对您有所帮助。

关于php - 使用 Bcrypt 密码验证登录,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17785968/

上一篇:php - 使用索引 INT 或索引 TIMESTAMP 更快地在大表中进行 MySQL SELECT

下一篇:java - 用 Java 读取 MySQL binary(16) UUID

相关文章:

php mysql 插入、删除或更新

mysql - 改进 MySQL 查询

php - SQL 查询没有使用 DATE_FORMAT 方法重新格式化 PHP 文件上的日期?

javascript - php 在发布时在变量末尾丢失了+(加号)

php - 在网络应用程序中,给日志文件 ".txt"后缀是否明智?

mysql - 返回mysql中所有匹配和不匹配的值

php - 多个计数和求和 MySQL 函数在 MySQL 结果中使用多个联接返回错误值

php - 如何在 Yii 中实现 CArrayDataProvider

MYSQL 选择表名和列名

Mysql - 按列选择最高值

©2024 IT工具网  联系我们