这个问题在这里已有答案:
我有一个用户页面,其中有添加和编辑用户信息,我正在尝试从PHP和MYSQL的输入中从数据库中获取哈希密码的原始密码。我试过这段代码:
if(isset($_GET['add']) || isset($_GET['edit'])){
$name = ((isset($_POST['name']))?sanitize($_POST['name']):'');
$email = ((isset($_POST['email']))?sanitize($_POST['email']):'');
$password = ((isset($_POST['password']))?sanitize($_POST['password']):'');
$confirm = ((isset($_POST['confirm']))?sanitize($_POST['confirm']):'');
$permissions = ((isset($_POST['permissions']))?sanitize($_POST['permissions']):'');
$errors = array();
if(isset($_GET['edit'])){
$edit_id = (int)$_GET['edit'];
$userResults = $db->query("SELECT * FROM users WHERE id = '$edit_id'");
$user = mysqli_fetch_assoc($userResults);
$name = ((isset($_POST['name']))?$_POST['name']:$user['full_name']);
$email = ((isset($_POST['email']))?$_POST['email']:$user['email']);
$password = ((isset($_POST['password']))?$_POST['password']:$user['password']);
$confirm = ((isset($_POST['confirm']))?sanitize($_POST['confirm']):'');
$permissions = ((isset($_POST['permissions']))?$_POST['permissions']:$user['permissions']);
}
if($_POST){
$emailQuery = $db->query("SELECT * FROM users WHERE email = '$email'");
$emailCount = mysqli_num_rows($emailQuery);
if($emailCount != 0 && $_GET['add']){
$errors[] = 'That email already exists in our database.';
}
$required = array('name', 'email', 'password', 'confirm', 'permissions');
foreach($required as $f){
if(empty($_POST[$f])){
$errors[] = 'You must fill out all fields.';
break;
}
}
if(strlen($password) < 6){
$errors[] = 'Your password must be at least 6 characters.';
}
if($password != $confirm){
$errors[] = 'Your passwords do not match.';
}
if(!filter_var($email,FILTER_VALIDATE_EMAIL)){
$errors[] = 'You must enter a valid email.';
}
if(!empty($errors)){
echo display_errors($errors);
}else{
//add user to database
$hashed = password_hash($password,PASSWORD_DEFAULT);
$mql = "INSERT INTO users (full_name,email,password,permissions) VALUES ('$name','$email','$hashed','$permissions')";
$_SESSION['success_flash'] = $name.' has been added.';
if(isset($_GET['edit'])){
$mql = "UPDATE users SET `full_name` = '$name', `email` = '$email',
`password` = '$hashed', `permissions` = '$permissions'
WHERE id = '$edit_id'";
}
$db->query($mql);
header('Location: users.php');
}
}
<h3 class="text-center"><?=((isset($_GET['edit']))?'Edit':'Add A New');?> User</h3><hr>
<form action="users.php?<?=((isset($_GET['edit']))?'edit='.$edit_id:'add=1');?>" method="post">
<div class="row">
<div class="form-group col-lg-6">
<label for="password">Password:</label>
<input type="text" name="password" id="password" class="form-control" value="<?php if(password_verify($password, $user['password'])){echo $password;}?>">
</div>
}else{
// Add user HTML
但是输入是空的......我似乎无法在代码中找到错误。如果我删除HTML中的password verify
代码并用<?=$password;?>
替换它我得到的哈希密码不是原始密码。除确认和密码外,所有字段均正常工作。
你不能。哈希是单向函数。这就是它的目的。 https://en.wikipedia.org/wiki/Hash_function
哈希是专门设计为单向的。这就是它安全的全部原因。假设黑客掌握了你的数据库。如果所有密码都以纯文本形式存储,那么黑客就可以获得所有密码。但是,如果他们都被哈希,黑客将很难获得真正的密码,因为在数学上没有办法知道原始密码是什么。
TL; DR哈希值应该是安全的,不应该被破解。如果要编辑用户密码,请将其存储为纯文本。