Hello,
I have a problem logging in with a registered user. I hashed the password, but when I log in through the form it is rejected. The registered user can log in directly with an SQL command, so I really don't know what the problem is. My login script...
<?php
include 'db_connect.php';
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a php session.
if(isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password.
    if(login($email, $password, $mysqli) == true) {
        // Login success
        echo 'Success: You have been logged in!';
        echo '<a href="javascript:window.close();">Close window</a>';
    } else {
        // Login failed
        header('Location: ./login.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
?>
Below is the login function from the Function.php file.
function login($email, $password, $mysqli) {
    if ($stmt = $mysqli->prepare(
        "SELECT id, username, password, salt
         FROM members
         WHERE email = ?
         LIMIT 1"
    )) {
        $stmt->bind_param('s', $email);
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        $password = hash('sha512', $password.$salt); // hash the password with the unique salt.
        if($stmt->num_rows == 1) {
            if(checkbrute($user_id, $mysqli) == true) {
                return false;
            } else {
                if($db_password == $password) {
                    $ip_address = $_SERVER['REMOTE_ADDR'];
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$ip_address.$user_browser);
                    // Login successful.
                    return true;
                } else {
                    $now = time();
                    $mysqli->query(
                        "INSERT INTO login_attempts (user_id, time)
                         VALUES ('$user_id', '$now')"
                    );
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
}
Below is how I register the user in the DB
<?php
include 'db_connect.php';
include 'functions.php';
$password = $_POST['p'];
$username = $_POST['username'];
$email = $_POST['email'];
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
$password = hash('sha512', $password.$random_salt);
if ($insert_stmt = $mysqli->prepare(
    "INSERT INTO members (username,email,password,salt)
     VALUES (?, ?, ?, ?)"
)) {
    $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
    // Execute the prepared query.
    $insert_stmt->execute();
    echo 'Member Successfully added to the Website list';
} else {
    echo 'Error couldn\'t add the user, Try again';
}
?>
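One way to check whether the registration and login scripts above actually hash the same input, as an added example that is not the poster's code: it reproduces both hashing paths in one file with a constructed member row instead of the database, and compares a raw submitted password against a value that was already SHA-512 hashed before submission (an assumption drawn from the "The hashed password." comment on `$_POST['p']`). `hash_equals()` is swapped in for the original `==` comparison.

```php
<?php
// Added example (not the poster's code): the two hashing paths of the posted
// register and login scripts, side by side and without a database.

// Registration path: random salt, then sha512(password . salt), as in the register script.
function make_salt(): string {
    return hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
}

function make_stored_hash(string $password, string $salt): string {
    return hash('sha512', $password . $salt);
}

// Login path: hash the submitted value with the stored salt and compare it to the stored hash,
// as login() does. hash_equals() compares in constant time, unlike ==.
function password_matches(string $submitted, string $stored_hash, string $salt): bool {
    return hash_equals($stored_hash, make_stored_hash($submitted, $salt));
}

// Constructed member row standing in for the "SELECT id, username, password, salt" result.
$salt = make_salt();
$member = [
    'email'    => 'alice@example.com',
    'salt'     => $salt,
    'password' => make_stored_hash('correct horse battery staple', $salt),
];

// Case 1: the form posts the raw password. Registration and login hash the same
// input with the same salt, so the comparison succeeds.
$raw_ok = password_matches('correct horse battery staple', $member['password'], $member['salt']);

// Case 2 (assumption): the login form hashes the password in the browser before posting.
// Registration stored sha512(raw . salt); login now computes sha512(sha512(raw) . salt),
// a different value, so a correct password is rejected.
$pre_hashed = hash('sha512', 'correct horse battery staple');
$prehashed_ok = password_matches($pre_hashed, $member['password'], $member['salt']);

// Case 3: a wrong password fails as expected.
$wrong_ok = password_matches('wrong password', $member['password'], $member['salt']);

var_dump($raw_ok, $prehashed_ok, $wrong_ok);
```

If the form does pre-hash, registration must apply the same client-side step before salting, or the form must send the raw password over HTTPS and let the server do all hashing.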