登录时将 password_verify() 放在 php 中,并将 registeration.php 放在外部文件中
Where to place password_verify() in php when logging in and have the registeration.php in an exernal file
我正在尝试创建一个使用 password_verify() 加密的 login.php 脚本。 None 的主题很清楚,问题是在每个例子中它看起来像这样
$password = '123';
$hashed = 'y$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';
$ver_pass = password_verify($password, $hashed){..}
现在对我来说,问题是我正在尝试从数据库而不是内部硬编码字符串中检索散列密码。
我的示例代码:
login.php
$password = mysqli_real_escape_string($database, $password);
//Check username and password from database
$query =
"SELECT id FROM `register`
WHERE `username` = '$username'
AND `hashed_p` = '$password'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
$verified_password = password_verify($password, $hashed_password);
if(mysqli_num_rows($result) && $verified_password){
echo start session succesfully
}else{ echo error}
}
register.php
$password = mysqli_real_escape_string($database, $password);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$query = "SELECT email FROM register WHERE email='$email'";
$result = mysqli_query($database, $query);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$query = mysqli_query($database,
"INSERT INTO `register` (`hashed_p`) VALUES ('".$hashed_password."')";
if ($query) {....}
顺便说一句。注册过程成功,password_hash() 在 register.php 文件中工作正常。
但是在 login.php 文件中,我不知道如何从数据库中检索散列密码并使用它来验证它。
您需要 Select ID 和密码而不检查密码。然后检查来自 db ($row['hashed_p']) 的 pwdHash 是否与用户通过 password_verify:
提供的 pwdHash 匹配
$password = // the password in it's raw form how the user typed it. like $_POST['password'];
//Check username (without password) from database
$query =
"SELECT id, hashed_p FROM `register`
WHERE `username` = '$username'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$verified_password = password_verify($password, $row['hashed_p']);
if(mysqli_num_rows($result) && $verified_password){
echo 'start session succesfully';
} else {
echo 'error';
}
但是请换成prepared statements(因为你的版本很不安全。很容易被黑。只需搜索'Bobby Tables'):
$stmt = mysqli_prepare($database, $query);
mysqli_stmt_bind_param ($stmt, 's', $username);
$success = mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
我正在尝试创建一个使用 password_verify() 加密的 login.php 脚本。 None 的主题很清楚,问题是在每个例子中它看起来像这样
$password = '123';
$hashed = 'y$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';
$ver_pass = password_verify($password, $hashed){..}
现在对我来说,问题是我正在尝试从数据库而不是内部硬编码字符串中检索散列密码。 我的示例代码:
login.php
$password = mysqli_real_escape_string($database, $password);
//Check username and password from database
$query =
"SELECT id FROM `register`
WHERE `username` = '$username'
AND `hashed_p` = '$password'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
$verified_password = password_verify($password, $hashed_password);
if(mysqli_num_rows($result) && $verified_password){
echo start session succesfully
}else{ echo error}
}
register.php
$password = mysqli_real_escape_string($database, $password);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$query = "SELECT email FROM register WHERE email='$email'";
$result = mysqli_query($database, $query);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$query = mysqli_query($database,
"INSERT INTO `register` (`hashed_p`) VALUES ('".$hashed_password."')";
if ($query) {....}
顺便说一句。注册过程成功,password_hash() 在 register.php 文件中工作正常。 但是在 login.php 文件中,我不知道如何从数据库中检索散列密码并使用它来验证它。
您需要 Select ID 和密码而不检查密码。然后检查来自 db ($row['hashed_p']) 的 pwdHash 是否与用户通过 password_verify:
$password = // the password in it's raw form how the user typed it. like $_POST['password'];
//Check username (without password) from database
$query =
"SELECT id, hashed_p FROM `register`
WHERE `username` = '$username'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$verified_password = password_verify($password, $row['hashed_p']);
if(mysqli_num_rows($result) && $verified_password){
echo 'start session succesfully';
} else {
echo 'error';
}
但是请换成prepared statements(因为你的版本很不安全。很容易被黑。只需搜索'Bobby Tables'):
$stmt = mysqli_prepare($database, $query);
mysqli_stmt_bind_param ($stmt, 's', $username);
$success = mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);