您的位置: 首页  >  技术问答  >  哪里把php password_verify()登录时,并在exernal文件中有registeration.php

哪里把php password_verify()登录时,并在exernal文件中有registeration.php

分类: 技术问答 2022-07-12 16:24:30
问题描述:

我想创建一个login.php脚本,它使用password_verify()加密。的主题均是明确的,问题是,在每一个例子,它看起来像这样哪里把php password_verify()登录时,并在exernal文件中有registeration.php

$password = '123'; 
    $hashed = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK'; 

    $ver_pass = password_verify($password, $hashed){..}

现在对我来说,事情是,我试图不从内部硬编码字符串从数据库中检索哈希密码。 我的示例代码:

的login.php

 $password = mysqli_real_escape_string($database, $password); 
    //Check username and password from database 
    $query = 
    "SELECT id FROM `register` 
       WHERE `username` = '$username' 
       AND `hashed_p` = '$password'"; 

     $result = mysqli_query($database,$query); 
     $row = mysqli_fetch_array($result,MYSQLI_ASSOC); 
     //If username and password exist in our database then create a session. 

      $verified_password = password_verify($password, $hashed_password); 

     if(mysqli_num_rows($result) && $verified_password){ 
     echo start session succesfully 
     }else{ echo error} 
    }

register.php

$password = mysqli_real_escape_string($database, $password); 
$hashed_password = password_hash($password, PASSWORD_DEFAULT); 

$query = "SELECT email FROM register WHERE email='$email'"; 
$result = mysqli_query($database, $query); 
$row = mysqli_fetch_array($result, MYSQLI_ASSOC); 

$query = mysqli_query($database, 
"INSERT INTO `register` (`hashed_p`) VALUES ('".$hashed_password."')"; 
if ($query) {....}

顺便说。注册过程是成功的,并且password_hash()在register.php文件中正常工作。 但在login.php文件中,我不知道如何从数据库中检索哈希密码并使用它来验证它。任何帮助表示赞赏。

+1

您需要选择ID和密码_without_检查passoword。 _然后_检查db('$ row ['hashed_p']')中的pwdHash是否与用户通过password_verify给出的匹配。 – Jeff

您需要选择编号&而不检查密码。然后,你如果pwdHash从数据库查询($row['hashed_p'])相匹配的用户通过password_verify了:。

$password = // the password in it's raw form how the user typed it. like $_POST['password']; 
//Check username (without password) from database 
$query = 
"SELECT id, hashed_p FROM `register` 
        WHERE `username` = '$username'"; 

$result = mysqli_query($database,$query); 
$row = mysqli_fetch_array($result,MYSQLI_ASSOC); 
$verified_password = password_verify($password, $row['hashed_p']); 

if(mysqli_num_rows($result) && $verified_password){ 
    echo 'start session succesfully'; 
} else { 
    echo 'error'; 
}

请换一个prepared statements(因为你的版本是非常不安全的很容易被黑客攻破只是SEACH '):

$stmt = mysqli_prepare($database, $query); 
mysqli_stmt_bind_param ($stmt, 's', $username); 
$success = mysqli_stmt_execute($stmt); 
$result = mysqli_stmt_get_result($stmt);
+0

所有的交易都是不安全的,如果他们是http –

+0

@MammaMia我没有提到交易beeing不安全,但对SQL注入。 – Jeff

相关推荐