PHP: comparing a posted password with the encrypted password stored in MySQL


My SQL table:

|-ID-|-Username-|-EmailAddress-|-ePassword-|-Permissions-|
----------------------------------------------------------
|  1 |    Admin |              |           |             |
|  2 |       Foo|<emailaddress>|<cpassword>|  <default 1>|
|    |          |              |           |             |
|    |          |              |           |             |

To compare the passwords, my code is:

if (hash_equals($hashed_password, crypt($password, $hashed_password))) { //changed $user_input to password
    echo "Password verified!";
}

But how do I get ePassword from the database and compare it?

//User data
$username = strtolower($_POST['username']);
$password = $_POST['password'];

//login check
if($_SESSION['loggedIn'] != "") {
    echo 'You already are using an Account!';
} else if($_SESSION['loggedIn'] == "") {

    //connect to database
    $con =  mysqli_connect($db_host, $db_user, $db_pass, $db_name);

    //check for connection errors
    if (!$con) {
        die('Could not connect: ' . mysqli_connect_error());
    };

    //checks for username
    $stmt = $con->prepare("SELECT * FROM Users WHERE Username=?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();

    $userCheck = $stmt->num_rows;
    if($userCheck > 0) {
        //Password check goes here
    } else {

    };
    $con->close();
};

TL;DR: I want to compare $password with the ePassword from my database using crypt. How do I do that?

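I think you need to encrypt the user's password $_POST['password'] and compare it with the ePassword from your database. ePassword is encrypted using crypt - crypt does not output the same thing twice. When registering the user, you can generate ePassword with a salt and insert it into the database. Now, when the user logs in, the same salt should be used to get the encrypted value of the entered password. Only then can you compare the passwords according to your implementation.
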
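    // username and password sent from the form
    $username = $_POST['username'];
    $password = $_POST['password'];

    // $saltUsedWhileRegisteringUser: the salt that was passed to crypt() at registration
    $password = crypt($password, $saltUsedWhileRegisteringUser); // encrypted password
    // Assuming ePassword is the crypted password inserted into the DB during user registration.
    // Prepared statement ($con is the mysqli connection): form values are bound, not interpolated.
    $stmt = $con->prepare("SELECT id FROM admin WHERE username = ? AND ePassword = ?");
    $stmt->bind_param("ss", $username, $password);
    $stmt->execute();
    $stmt->store_result();

    $count = $stmt->num_rows; // If count is 1 the user is valid, otherwise not.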

if ($userCheck > 0) {
    // Password check goes here
    $stmt->bind_result($id, $username, $emailAddress, $ePassword, $permissions);
    $stmt->fetch(); // load the matched row into the bound variables
    $password = crypt($password, 'the same salt used to create ePassword. without it the string will be always random');
    if (hash_equals($ePassword, $password)) { // known (stored) hash goes first
        echo 'user logged in';
    } else {
        echo 'invalid password';
    }
}
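
The following is an added example, not code from the question or from either answer. It shows the lookup and comparison as one flow, using the stored ePassword itself as the second argument to crypt(), as the question's first snippet does. The function names verify_stored_password() and login() are hypothetical, and the hashes are constructed and assumed to be bcrypt.

```php
<?php
// Added example. verify_stored_password() and login() are hypothetical names;
// the table and column names (Users, ID, Username, ePassword) are from the question.

function verify_stored_password(string $password, ?string $storedHash): bool
{
    // Constructed dummy hash, checked when the user is missing or has an empty
    // ePassword (like the Admin row), so both cases cost one crypt() call.
    // Assumption: stored hashes are bcrypt at PHP's default cost.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_BCRYPT);

    $usable = is_string($storedHash) && $storedHash !== '';
    $known  = $usable ? $storedHash : $dummy;

    // The stored hash carries its own algorithm id and salt, so it is the
    // second argument to crypt(); no separate salt column is required.
    $computed = crypt($password, $known);

    // hash_equals(known, user-derived) compares in constant time.
    return hash_equals($known, $computed) && $usable;
}

function login(mysqli $con, string $username, string $password): ?int
{
    $stmt = $con->prepare('SELECT ID, ePassword FROM Users WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $ePassword);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    $ok = verify_stored_password($password, $found ? $ePassword : null);
    return $ok ? (int) $id : null; // user ID on success, null on failure
}

// Offline check with a constructed hash standing in for an ePassword value.
$stored = password_hash('s3cret-example', PASSWORD_BCRYPT);
var_dump(verify_stored_password('s3cret-example', $stored));
var_dump(verify_stored_password('wrong-guess', $stored));
var_dump(verify_stored_password('anything', ''));
var_dump(verify_stored_password('constructed-dummy-value', null));
```

PHP's built-in password_verify($password, $ePassword) performs the same crypt-and-constant-time comparison and accepts hashes produced by crypt().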