0

重複の可能性:
PHP パスワードの安全なハッシュとソルト

私は現在学生で、優れた開発者になることを目指しています。現在、データを適切に暗号化してデータベースにハッシュする方法を練習しています。

これが私の現在の実装です:

login_index.php

<?php

//Takes a password and returns the salted hash
//$password - the password to hash
//returns - the hash of the password (128 hex characters)
function HashPassword($password)
{
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
    $hash = hash("sha256", $salt . $password); //prepend the salt, then hash
    //store the salt and hash in the same string, so only 1 DB column is needed
    $final = $salt . $hash; 
    return $final;
}

//Validates a password
//returns true if hash is the correct hash for that password
//$hash - the hash created by HashPassword (stored in your DB)
//$password - the password to verify
//returns - true if the password is valid, false otherwise.
function ValidatePassword($password, $correctHash)
{
    $salt = substr($correctHash, 0, 64); //get the salt from the front of the hash
    $validHash = substr($correctHash, 64, 64); //the SHA256
    echo $salt ."    salt" ."<br/> ";
    echo $validHash . " hash " ."<br/> ";
    echo $correctHash . " password " ."<br/> ";


    $testHash = hash("sha256", $salt . $password); //hash the password being tested

    //if the hashes are exactly the same, the password is valid
    return $testHash === $validHash;
}


?>

<?php
include 'login_config.php';
if(isset($_POST['login']))
{
    $password = $_POST['password'];
    $email = $_POST['email'];
    $Get_User = "Select * From users Where Email = '$email'";
    $hashed_password = "";
    $result = mysql_query($Get_User);
    if(mysql_num_rows($result) > 0)
    {
        while($row = mysql_fetch_array($result))
        {
            $hashed_password = $row['password'];

        }
    }


    $valid = ValidatePassword($password,$hashed_password);

    if($valid)
    {
        echo "<br/>";
        echo "Yes,Login successful";
    }
    else
    {
        echo "<br/>";
        echo "Oops,Wrong Email or Password";
    }
}
?>


<form action="" method="post">
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="login" />
</form>

login_create.php

<form action="" method="post">
Firstname: <input type="text" name="fname" /><br />
Lastname: <input type="text" name="lname" /><br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" name="save" />
</form>

<?php

include 'login_config.php';

function HashPassword($password)
{
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //get 256 random bits in hex
    $hash = hash("sha256", $salt . $password); //prepend the salt, then hash
    //store the salt and hash in the same string, so only 1 DB column is needed
    $final = $salt . $hash; 
    return $final;

}


if(isset($_POST['save']))
{
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = $_POST['email'];
    $password = HashPassword($_POST['password']);




    $insert = "Insert Into users (Fname,Lname,Email,Password) Values ('$fname','$lname','$email','$password')";
    $query = mysql_query($insert);

}


?>



</form>

現在の実装をさらに改善する方法を知りたいので、スキルをさらに伸ばし、同時に専門家/専門家から学ぶことができます. 何とかして、少なくともハッシュを適切に実装していますか?

サー/マダム、あなたの答えは非常に役に立ち、非常に高く評価されます. ありがとう++

4

0 に答える 0