所以我正在重写我的注册页面和登录页面,我试图将密码存储为hash('sha256')
而不是md5()
。存储哈希密码的工作完全正常,但它不会让我登录。我很累,我害怕我错过了什么。我必须解决这个问题才能让我上床睡觉。欢迎任何帮助!
这是我的登录处理文件:
include 'db_connect.php';
include 'functions.php';
sec_session_start();
if(isset($_POST['login'], $_POST['password'])) {
//Data form
$email = safe($mysqli,$_POST['email']);
$password = safe($mysqli,$_POST['password']);
$getSalt = mysqli_query($mysqli,"SELECT salt FROM members WHERE email = '$email';");
if (!$getSalt) {
$errorMsg = 'Invalid query: ' . mysqli_error() . "\n";
die($errorMsg);
}
$row = mysqli_fetch_assoc($getSalt);
$salt = $row['salt'];
//Find user
$saltedPW = $password . $salt;
$hashedPW = hash('sha256', $saltedPW);
$findUser = mysqli_query($mysqli,"SELECT * FROM members WHERE email = '$email' AND password = '$hashedPW'");
$count = mysqli_num_rows($findUser);
if($count == 1) {
session_register("email");
session_register("password");
header("Location: loggedin.php");
} else {
echo "Wrong username and/or password";
}
}
我缺少什么:(
编辑,这是我的注册处理页面:
<?php
include 'db_connect.php';
$errorMsg = "";
if(isset($_POST['register'])) {
//Data van het form
$email = mysqli_real_escape_string($mysqli,$_POST['email']);
$password = mysqli_real_escape_string($mysqli,$_POST['password']);
$rePassword = mysqli_real_escape_string($mysqli,$_POST['re_password']);
//Check if all the fields are filled in
if ($email == NULL || $password == NULL || $rePassword == NULL) {
$errorMsg = 'Please fill in all the fields';
die($errorMsg);
}
//Check if email already exist in the db
$checkEmail = mysqli_query($mysqli,"SELECT * FROM members WHERE email = '$email'");
if (mysqli_num_rows($checkEmail) > 0){
$errorMsg = 'Emailadres is already registered';
die($errorMsg);
}
//Check if the passwords are matching
if ( $password == $rePassword ) {
//If they do match, create a hashpw + salt
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
$saltedPW = $password . $salt;
$hashedPW = hash('sha256', $saltedPW);
}
//Add the user to the table
if (empty($errorMsg)) {
$addUser = mysqli_query($mysqli,"INSERT INTO members (email, password, salt) values ('$email', '$hashedPW', '$salt') ");
echo "User has been created";
} else {
$errorMsg = 'Error. The user has NOT been created';
die($errorMsg);
}
}
?>
编辑#2 - 登录问题已修复。 正如Jamie注意到的那样,我在登录处理文件中使用了safe函数,并在寄存器文件中使用了整个转义字符串。我已经通过添加$ mysqli来编辑函数abit,这对我有用。
function safe($mysqli,$value) {
return mysqli_real_escape_string($mysqli,$value);
}
我目前面临的唯一“问题”是重定向页面(由于session_register()函数已被$ _SESSION替换,因此应该保护直接访问它而没有登录的人员)。不知何故,我编辑的受保护页面无效。我一醒来就会调查它。
感谢您的帮助! :-D