将用户密码从哈希存储功能更改为明文
change user password from hash store function to cleartext
我正在做一个关于如何制作 php mysql 登录表单的 tutorial。
现在教程实际上已经做好了,我想稍微改变一下,更改登录密码以存储明文而不是哈希。散列线如下所示:
$new_password = password_hash($upass, PASSWORD_DEFAULT);
我做了:
$new_password = $upass;
出来了。它现在将明文保存到数据库,但登录不起作用。
登录部分看起来像这样,但我没有看到我希望转换和匹配散列密码的部分...
public function doLogin($uname,$upass)
{
try
{
$stmt = $this->conn->prepare("SELECT user_id, user_name, user_pass FROM users WHERE user_name=:uname");
$stmt->execute(array(':uname'=>$uname));
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);
if($stmt->rowCount() == 1)
{
if(password_verify($upass, $userRow['user_pass']))
{
$_SESSION['user_session'] = $userRow['user_id'];
return true;
}
else
{
return false;
}
}
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
行:
if(password_verify($upass, $userRow['user_pass']))
根据给定的密码检查密码的哈希值。当您删除散列函数时,它会将 un-hashed 密码与明文密码进行比较。
改为:
if($upass == $userRow['user_pass'])
应该可以解决问题。
尽管您确实不应该存储明文密码。
如果您不再对密码进行哈希处理,则无法验证哈希
if(password_verify($upass, $userRow['user_pass']))
应该是
if($upass == $userRow['user_pass'])
了解这是一个非常糟糕的主意。你可能不明白why hashing passwords is important
For any reason, your database may be compromised and its data may be obtained by someone else. If the passwords are in what we call plain text, you will have leaked a piece of sensitive information that your users have trusted you with: their password (which is very likely to be a password shared in multiple services). This is a very serious issue.
我正在做一个关于如何制作 php mysql 登录表单的 tutorial。 现在教程实际上已经做好了,我想稍微改变一下,更改登录密码以存储明文而不是哈希。散列线如下所示:
$new_password = password_hash($upass, PASSWORD_DEFAULT);
我做了:
$new_password = $upass;
出来了。它现在将明文保存到数据库,但登录不起作用。
登录部分看起来像这样,但我没有看到我希望转换和匹配散列密码的部分...
public function doLogin($uname,$upass)
{
try
{
$stmt = $this->conn->prepare("SELECT user_id, user_name, user_pass FROM users WHERE user_name=:uname");
$stmt->execute(array(':uname'=>$uname));
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);
if($stmt->rowCount() == 1)
{
if(password_verify($upass, $userRow['user_pass']))
{
$_SESSION['user_session'] = $userRow['user_id'];
return true;
}
else
{
return false;
}
}
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
行:
if(password_verify($upass, $userRow['user_pass']))
根据给定的密码检查密码的哈希值。当您删除散列函数时,它会将 un-hashed 密码与明文密码进行比较。
改为:
if($upass == $userRow['user_pass'])
应该可以解决问题。
尽管您确实不应该存储明文密码。
如果您不再对密码进行哈希处理,则无法验证哈希
if(password_verify($upass, $userRow['user_pass']))
应该是
if($upass == $userRow['user_pass'])
了解这是一个非常糟糕的主意。你可能不明白why hashing passwords is important
For any reason, your database may be compromised and its data may be obtained by someone else. If the passwords are in what we call plain text, you will have leaked a piece of sensitive information that your users have trusted you with: their password (which is very likely to be a password shared in multiple services). This is a very serious issue.