开发者

can get a username and password match from mysql db

as the title suggests I can get a match on password and username when trying to retrieve a user from my database. When I first create a user I use this method that also hashes the password:

mysql_select_db($user);
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
function hash_password($password1, $username1) {
    return hash_hmac('sha512', $password1 . $username1, $site_key);
}
$sql=mysql_query("INSERT INTO _SCD_BACKUP_USERS (username, password)
VALUES ('".$username."','".hash_password($password, $username)."')");
$r=mysql_query($sql);
if(!$r)echo "Error in query: ".mysql_error();
mysql_close();`

this seems to work fine! To get what I want in the database. When I retrieve the info I can't get a match using this code:

$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
function hash_password($password1, $username1) {
    return hash_hmac('sha512', $password1 . $username1, $site_key);
}
$encrypted = hash_password($username, $password);
$sql = 'SELECT username FROM _SCD_BACKUP_USERS WHERE username = ? AND password = ?';
$result = $db -> query($sql, array($username, $encrypted));
if ($result -> numRows() < 1) {
    $arr = array('same' => true);
} else {
    $arr = array('same' => false);
}
prin开发者_如何转开发t(json_encode($arr));
mysql_close();

Any suggestions?

//André


Parameters are backwards

$encrypted = hash_password($username, $password);

should be

$encrypted = hash_password($password, $username);
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜