我现在是一名学生,我渴望成为一名优秀的开发人员。我目前正在练习如何正确加密和散列数据到数据库。
这是我目前的实施:
login_index.php
<?php
//Takes a password and returns the salted hash
//$password - the password to hash
//returns - the hash of the password (128 hex characters)
function HashPassword($password)
{
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
$hash = hash("sha256", $salt . $password); //prepend the salt, then hash
//store the salt and hash in the same string, so only 1 DB column is needed
$final = $salt . $hash;
return $final;
}
//Validates a password
//returns true if hash is the correct hash for that password
//$hash - the hash created by HashPassword (stored in your DB)
//$password - the password to verify
//returns - true if the password is valid, false otherwise.
function ValidatePassword($password, $correctHash)
{
$salt = substr($correctHash, 0, 64); //get the salt from the front of the hash
$validHash = substr($correctHash, 64, 64); //the SHA256
echo $salt ." salt" ."<br/> ";
echo $validHash . " hash " ."<br/> ";
echo $correctHash . " password " ."<br/> ";
$testHash = hash("sha256", $salt . $password); //hash the password being tested
//if the hashes are exactly the same, the password is valid
return $testHash === $validHash;
}
?>
<?php
include 'login_config.php';
if(isset($_POST['login']))
{
$password = $_POST['password'];
$email = $_POST['email'];
$Get_User = "Select * From users Where Email = '$email'";
$hashed_password = "";
$result = mysql_query($Get_User);
if(mysql_num_rows($result) > 0)
{
while($row = mysql_fetch_array($result))
{
$hashed_password = $row['password'];
}
}
$valid = ValidatePassword($password,$hashed_password);
if($valid)
{
echo "<br/>";
echo "Yes,Login successful";
}
else
{
echo "<br/>";
echo "Oops,Wrong Email or Password";
}
}
?>
<form action="" method="post">
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="login" />
</form>
login_create.php
<form action="" method="post">
Firstname: <input type="text" name="fname" /><br />
Lastname: <input type="text" name="lname" /><br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="save" />
</form>
<?php
include 'login_config.php';
function HashPassword($password)
{
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
$hash = hash("sha256", $salt . $password); //prepend the salt, then hash
//store the salt and hash in the same string, so only 1 DB column is needed
$final = $salt . $hash;
return $final;
}
if(isset($_POST['save']))
{
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$password = HashPassword($_POST['password']);
$insert = "Insert Into users (Fname,Lname,Email,Password) Values ('$fname','$lname','$email','$password')";
$query = mysql_query($insert);
}
?>
</form>
我想知道如何进一步改进我目前的实施,以便我进一步发展我的技能,同时向专家/专业人士学习。我是否至少以某种方式正确实现了散列?
先生/女士,您的回答将会有很大的帮助,非常感谢。谢谢++