哪里把php password_verify()登录时,并在exernal文件中有registeration.php
我想创建一个login.php脚本,它使用password_verify()加密。的主题均是明确的,问题是,在每一个例子,它看起来像这样哪里把php password_verify()登录时,并在exernal文件中有registeration.php
$password = '123';
$hashed = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';
$ver_pass = password_verify($password, $hashed){..}
现在对我来说,事情是,我试图不从内部硬编码字符串从数据库中检索哈希密码。 我的示例代码:
的login.php
$password = mysqli_real_escape_string($database, $password);
//Check username and password from database
$query =
"SELECT id FROM `register`
WHERE `username` = '$username'
AND `hashed_p` = '$password'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
$verified_password = password_verify($password, $hashed_password);
if(mysqli_num_rows($result) && $verified_password){
echo start session succesfully
}else{ echo error}
}
register.php
$password = mysqli_real_escape_string($database, $password);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$query = "SELECT email FROM register WHERE email='$email'";
$result = mysqli_query($database, $query);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$query = mysqli_query($database,
"INSERT INTO `register` (`hashed_p`) VALUES ('".$hashed_password."')";
if ($query) {....}
顺便说。注册过程是成功的,并且password_hash()在register.php文件中正常工作。 但在login.php文件中,我不知道如何从数据库中检索哈希密码并使用它来验证它。任何帮助表示赞赏。
您需要选择编号&而不检查密码。然后,你如果pwdHash从数据库查询($row['hashed_p']
)相匹配的用户通过password_verify了:。
$password = // the password in it's raw form how the user typed it. like $_POST['password'];
//Check username (without password) from database
$query =
"SELECT id, hashed_p FROM `register`
WHERE `username` = '$username'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$verified_password = password_verify($password, $row['hashed_p']);
if(mysqli_num_rows($result) && $verified_password){
echo 'start session succesfully';
} else {
echo 'error';
}
但请换一个prepared statements(因为你的版本是非常不安全的很容易被黑客攻破只是SEACH '):
$stmt = mysqli_prepare($database, $query);
mysqli_stmt_bind_param ($stmt, 's', $username);
$success = mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
所有的交易都是不安全的,如果他们是http –
@MammaMia我没有提到交易beeing不安全,但对SQL注入。 – Jeff
您需要选择ID和密码_without_检查passoword。 _然后_检查db('$ row ['hashed_p']')中的pwdHash是否与用户通过password_verify给出的匹配。 – Jeff