Php Salting和Hash函数不返回任何内容
我找到了一个脚本,其中包含盐分、散列和一些,但我的Php Salting和Hash函数不返回任何内容,php,hash,salt,Php,Hash,Salt,我找到了一个脚本,其中包含盐分、散列和一些,但我的$password在提交表单时会作为原始字符串返回。这似乎高于我的“工资等级”。。。我的目标是将脚本返回的salt、hash和其他输出插入到我的数据库中。我甚至不确定我在db(MYSQLi)中需要什么列值。脚本位于sql之前的if($valid): <?php if ($_SERVER["REQUEST_METHOD"] == "POST") {$valid = true; if (empty($_POST["password"])) {
$passwordif($valid)<?php
if ($_SERVER["REQUEST_METHOD"] == "POST")
{$valid = true;
if (empty($_POST["password"]))
{$passwordErr = "Password must be set!"; $Epassword = "nope"; $valid = false;}
if (strpos($_POST["password"], " ") !== false)
{$passwordErr = "No spaces are allowed"; $Epassword = "nope"; $valid = false;}
if(strlen(utf8_decode($_POST['password'])) < 10 || strlen(utf8_decode($_POST['password'])) > 30)
{$passwordErr = "Password must be between 10 and 30 characters"; $Epassword = "nope"; $valid = false;}
$password = htmlspecialchars($_POST['password']);
$tod = date("Y-m-d H:i:s");
$setdate = date("Y-m-d H:i:s", strtotime("-4 hours", strtotime($tod)));
$today = date("Y-m-d", strtotime("-4 hours", strtotime($tod)));
}
if($valid){
/*
* Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm).
* Copyright (c) 2013, Taylor Hornby
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
// These constants may be changed without breaking existing hashes.
define("PBKDF2_HASH_ALGORITHM", "sha256");
define("PBKDF2_ITERATIONS", 1000);
define("PBKDF2_SALT_BYTE_SIZE", 24);
define("PBKDF2_HASH_BYTE_SIZE", 24);
define("HASH_SECTIONS", 4);
define("HASH_ALGORITHM_INDEX", 0);
define("HASH_ITERATION_INDEX", 1);
define("HASH_SALT_INDEX", 2);
define("HASH_PBKDF2_INDEX", 3);
function create_hash($password)
{
// format: algorithm:iterations:salt:hash
$salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
base64_encode(pbkdf2(
PBKDF2_HASH_ALGORITHM,
$password,
$salt,
PBKDF2_ITERATIONS,
PBKDF2_HASH_BYTE_SIZE,
true
));
}
function validate_password($password, $correct_hash)
{
$params = explode(":", $correct_hash);
if(count($params) < HASH_SECTIONS)
return false;
$pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
return slow_equals(
$pbkdf2,
pbkdf2(
$params[HASH_ALGORITHM_INDEX],
$password,
$params[HASH_SALT_INDEX],
(int)$params[HASH_ITERATION_INDEX],
strlen($pbkdf2),
true
)
);
}
// Compares two strings $a and $b in length-constant time.
function slow_equals($a, $b)
{
$diff = strlen($a) ^ strlen($b);
for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)
{
$diff |= ord($a[$i]) ^ ord($b[$i]);
}
return $diff === 0;
}
/*
* PBKDF2 key derivation function as defined by RSA's PKCS #5: https://www.ietf.org/rfc/rfc2898.txt
* $algorithm - The hash algorithm to use. Recommended: SHA256
* $password - The password.
* $salt - A salt that is unique to the password.
* $count - Iteration count. Higher is better, but slower. Recommended: At least 1000.
* $key_length - The length of the derived key in bytes.
* $raw_output - If true, the key is returned in raw binary format. Hex encoded otherwise.
* Returns: A $key_length-byte key derived from the password and salt.
*
* Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt
*
* This implementation of PBKDF2 was originally created by https://defuse.ca
* With improvements by http://www.variations-of-shadow.com
*/
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false)
{
$algorithm = strtolower($algorithm);
if(!in_array($algorithm, hash_algos(), true))
trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
if($count <= 0 || $key_length <= 0)
trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);
if (function_exists("hash_pbkdf2")) {
// The output length is in NIBBLES (4-bits) if $raw_output is false!
if (!$raw_output) {
$key_length = $key_length * 2;
}
return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
}
$hash_length = strlen(hash($algorithm, "", true));
$block_count = ceil($key_length / $hash_length);
$output = "";
for($i = 1; $i <= $block_count; $i++) {
// $i encoded as 4 bytes, big endian.
$last = $salt . pack("N", $i);
// first iteration
$last = $xorsum = hash_hmac($algorithm, $last, $password, true);
// perform the other $count - 1 iterations
for ($j = 1; $j < $count; $j++) {
$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
}
$output .= $xorsum;
}
if($raw_output)
return substr($output, 0, $key_length);
else
return bin2hex(substr($output, 0, $key_length));
}
$sqli = @mysqli_connect("host", "db", "pass","empty");
if (mysqli_connect_errno($sqli)) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
mysqli_query($sqli, "INSERT INTO `table`(`password`) VALUES ('$password')");
?>
它必须将原始$password插入数据库,因为您不能从代码的开头到结尾更改$password。 一种方法是在代码的最后一行之前(在“mysqli_query(…”)之前)像这样调用“pbkdf2”函数:
使用PHP函数可以更轻松地解决此问题。此函数将返回一个60个字符的字符串,包括哈希、salt和成本因子,您可以将此字符串存储到数据库中的单个字段中。要对照存储的哈希进行检查,请使用此函数 在您的代码中,您也在检查某些条件,并使用htmlspecialchars()转义密码。这不是必需的,也不应该这样做,对密码唯一有意义的要求是最小长度。转义不是必需的,因为您将内容馈送到哈希函数,其输出将始终是安全的(不过,必须对SQL而不是HTML输出进行此操作。)PHP已经对$u POST中的变量进行了解码
if (!isset($_POST["password"]) || strlen($_POST["password"]) < 10)
{
// password is invalid show error message
}
if(!isset($_POST[“password”])| | strlen($_POST[“password”])<10)
{
//密码无效,显示错误消息
}
为避免误解,密码哈希始终在服务器端进行,因此密码将以明文形式在客户端和服务器之间传输。处理此问题的常用解决方案是使用HTTPS,SSL将在通过internet发送密码之前对密码进行加密。您能将使用此密码的代码发布到哪里吗?使用此did c更改密码,但它只有10个字符。你能解释一下为什么它不会太长。我希望它至少有256个字符。注意:我在pbhdf2调用中添加了一个分号。“pbkdf2()”函数的第四个参数获取密码的长度,我将其设置为10,你可以将其更改为256。如下:$hashed_password=pbkdf2(PBKDF2_HASH_算法,$password,'dsafdsa',256,5,false)使用更长/更短的密码长度有什么优点或缺点吗?无论长度如何,如何存储原始密码值都让我感到困惑。另外,在您建议的调用中,“5”是什么意思表示?我不完全理解pbkdf2。这看起来简单得多。如果我正确阅读文档,
PASSWORD\u BCRYPTpassword\u hash($password,password\u default)<?php
$hashed_password = pbkdf2(PBKDF2_HASH_ALGORITHM,$password,'dsafdsa',10,5,false)
?>
mysqli_query($sqli, "INSERT INTO `table`(`password`) VALUES ('$hashed_password')");
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
if (!isset($_POST["password"]) || strlen($_POST["password"]) < 10)
{
// password is invalid show error message
}