使用 pdo 传入 password_hash 字段
pass in password_hash field with pdo
我正在尝试将密码作为 md5 处理到数据库中,这是相关代码:
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
$pass = $_POST['pass'];
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass);
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
$select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
$select->setFetchMode();
$select->execute();
$data=$select->fetch();
if($data['email']!=$email and $data['pass']!=$pass) {
echo "invalid email or pass";
}
elseif($data['email']==$email and $data['pass']==$pass) {
$_SESSION['email']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:profile.php");
}
}
数据库中多长的长度适合存储此散列密码?
我该如何使用它:
$hashed_password = password_hash($pass, PASSWORD_DEFAULT);
var_dump($hashed_password);
以及密码是否正确的 if 语句?
阅读手册或查看教程中的示例后,它真的非常简单。详情见代码注释
<?php
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
// at signup you hash the user provided password
$pass = password_hash($_POST['pass'], PASSWORD_DEFAULT);
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass); // this stores the hashed password
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
// as the password on the DB is hashed you cannot use the
// plain text password in the SELECT here as it wont match
$select = $pdo->prepare("SELECT * FROM users WHERE email=:email");
// no idea what this was doing
//$select->setFetchMode();
$select->bindParam(':email',$email);
$select->execute();
$row = $select->fetch(PDO::FETCH_ASSOC);
// verify the plain text password against the
// hashed value from DB in $row['pass']
if( password_verify($pass, $row['pass']) ){
$_SESSION['email'] = $data['email'];
$_SESSION['name'] = $data['name'];
header("location:profile.php");
exit;
} else {
echo "invalid email or pass";
}
}
而数据库中你需要保存这个散列值的列的长度是documented in the manual
The following algorithms are currently supported:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "y$" identifier. The result will always be a 60 character string, or FALSE on failure.
我正在尝试将密码作为 md5 处理到数据库中,这是相关代码:
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
$pass = $_POST['pass'];
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass);
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
$select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
$select->setFetchMode();
$select->execute();
$data=$select->fetch();
if($data['email']!=$email and $data['pass']!=$pass) {
echo "invalid email or pass";
}
elseif($data['email']==$email and $data['pass']==$pass) {
$_SESSION['email']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:profile.php");
}
}
数据库中多长的长度适合存储此散列密码?
我该如何使用它:
$hashed_password = password_hash($pass, PASSWORD_DEFAULT);
var_dump($hashed_password);
以及密码是否正确的 if 语句?
阅读手册或查看教程中的示例后,它真的非常简单。详情见代码注释
<?php
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
// at signup you hash the user provided password
$pass = password_hash($_POST['pass'], PASSWORD_DEFAULT);
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass); // this stores the hashed password
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
// as the password on the DB is hashed you cannot use the
// plain text password in the SELECT here as it wont match
$select = $pdo->prepare("SELECT * FROM users WHERE email=:email");
// no idea what this was doing
//$select->setFetchMode();
$select->bindParam(':email',$email);
$select->execute();
$row = $select->fetch(PDO::FETCH_ASSOC);
// verify the plain text password against the
// hashed value from DB in $row['pass']
if( password_verify($pass, $row['pass']) ){
$_SESSION['email'] = $data['email'];
$_SESSION['name'] = $data['name'];
header("location:profile.php");
exit;
} else {
echo "invalid email or pass";
}
}
而数据库中你需要保存这个散列值的列的长度是documented in the manual
The following algorithms are currently supported:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "y$" identifier. The result will always be a 60 character string, or FALSE on failure.