Hashing a password with crypt does not work at login; it shows an incorrect password

Updated: 2024-10-27 08:24:45
Problem description

I have a register page that allows the user to insert a password, so I need to hash it to make it more secure in the database. This works fine,

but when it comes to the login, the entered password does not match the registered one. How do I fix this problem?

This is my first time using a hash, so it did not work as I wanted.

This is the register code for the hash:

    //ADD MD5 hash to the password
    function cryptPass($input, $rounds = 9)
    {
        // Build a random 22-character salt from [A-Za-z0-9] on every call
        $salt = "";
        $saltChars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
        for ($i = 0; $i < 22; $i++) {
            $salt .= $saltChars[array_rand($saltChars)];
        }
        // Prefix, cost and salt are passed to crypt() as its salt argument
        return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
    }

    $hashedpass = cryptPass($pass1);
    echo $hashedpass;

The hashed password = $2y$09$test$5I9x8HWhA4UHi5TMu.AxfdWvZadDCE.LD6HCkrK3ZsqJeN7e

This is the login code for the hash:

    function cryptPass($input, $rounds = 9)
    {
        // Build a random 22-character salt from [A-Za-z0-9] on every call
        $salt = "";
        $saltChars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
        for ($i = 0; $i < 22; $i++) {
            $salt .= $saltChars[array_rand($saltChars)];
        }
        // Prefix, cost and salt are passed to crypt() as its salt argument
        return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
    }

    $hashedpass = cryptPass($pass);
    echo $hashedpass;

The hashed password = $2y$09$test$4ZGgCiXdKzgQvuzwu.AxfdWvZadDCE.LD6HCkrK3ZsqJeN7e

Recommended answer

Upon registration you create a unique salt. That salt is now part of the hash. If you look closely, you'll see it's embedded in the first part of the hash. To check the password, use the previous hashed password's salt, so you're using the same salt again.

    $correctPasswordHash = getPasswordFromDatabase($_POST['username']);
    $hash = crypt($_POST['password'], $correctPasswordHash);
    if ($correctPasswordHash === $hash) ...

To make this easier and more foolproof, use the password_compat library, which wraps this in an easy to use API, which will also be integrated into a future version of PHP. Inspect its source code for the correct usage of crypt, since there are some pitfalls you need to take care of. The password_compat library is also using a custom binary comparison instead of a simple === to thwart timing attacks.
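An added example, not part of the original question or answer: registration and login with PHP's native password_hash()/password_verify() functions (the API that password_compat backports), plus the manual crypt() check the answer describes, compared with hash_equals() instead of ===. It assumes PHP 7 or later; the in-memory $users array, the user name and the sample passwords are constructed for illustration.

```php
<?php
// Added example (not from the original post). $users stands in for the
// database table; the user name and passwords are constructed sample values.
$users = [];

// Registration: password_hash() generates the random salt itself and embeds
// it, together with the algorithm and cost, in the returned string.
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Login: password_verify() re-derives the hash using the salt stored inside
// $stored and compares in constant time. Never hash again with a fresh salt.
function loginUser(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // Upgrade the stored hash when the cost or algorithm policy changes.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 10])) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    }
    return true;
}

// The manual check from the answer: pass the stored hash as crypt()'s salt
// argument, then compare with hash_equals() (PHP 5.6+) instead of ===.
function verifyWithCrypt(string $password, string $stored): bool
{
    $candidate = crypt($password, $stored);
    return is_string($candidate) && hash_equals($stored, $candidate);
}

registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(verifyWithCrypt('correct horse battery staple', $users['alice']));
// Hashing the same password twice gives different strings (different salts),
// which is why comparing two freshly generated hashes, as in the question, fails.
var_dump(password_hash('x', PASSWORD_BCRYPT) === password_hash('x', PASSWORD_BCRYPT));
```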

Published: 2023-11-06 04:43:57
Article link: https://www.elefans.com/category/jswz/34/1562735.html