登录时在php中放置密码_verify(),并将registration.php保存在外部文件中
我正在尝试创建一个login.php脚本,它使用密码\u verify()加密。没有一个主题是明确的,问题是在每个例子中都是这样的登录时在php中放置密码_verify(),并将registration.php保存在外部文件中,php,database,mysqli,password-encryption,php-password-hash,Php,Database,Mysqli,Password Encryption,Php Password Hash,我正在尝试创建一个login.php脚本,它使用密码\u verify()加密。没有一个主题是明确的,问题是在每个例子中都是这样的 $password = '123'; $hashed = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK'; $ver_pass = password_verify($password, $hashed){..} 现在对我来说,问题是我试图从数据库而不是从内部硬编
$password = '123';
$hashed = '$2y$10$Lz6eWEzHqhNhiPkNYX/LAOfP.1zuyYJSc4u66TvF1bce9WrSbnSJK';
$ver_pass = password_verify($password, $hashed){..}
现在对我来说,问题是我试图从数据库而不是从内部硬编码字符串中检索哈希密码。
我的示例代码:
login.php
$password = mysqli_real_escape_string($database, $password);
//Check username and password from database
$query =
"SELECT id FROM `register`
WHERE `username` = '$username'
AND `hashed_p` = '$password'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
//If username and password exist in our database then create a session.
$verified_password = password_verify($password, $hashed_password);
if(mysqli_num_rows($result) && $verified_password){
echo start session succesfully
}else{ echo error}
}
register.php
$password = mysqli_real_escape_string($database, $password);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$query = "SELECT email FROM register WHERE email='$email'";
$result = mysqli_query($database, $query);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$query = mysqli_query($database,
"INSERT INTO `register` (`hashed_p`) VALUES ('".$hashed_password."')";
if ($query) {....}
顺便说一下。注册过程成功,并且密码_hash()在register.php文件中工作正常。
但是在login.php文件中,我不知道如何从数据库中检索哈希密码并使用它进行验证。您需要在不检查密码的情况下选择id&password。然后检查数据库中的pwdHash(
$row['hashed\u p']
)是否与用户通过密码提供的pwdHash匹配\u验证:
$password = // the password in it's raw form how the user typed it. like $_POST['password'];
//Check username (without password) from database
$query =
"SELECT id, hashed_p FROM `register`
WHERE `username` = '$username'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$verified_password = password_verify($password, $row['hashed_p']);
if(mysqli_num_rows($result) && $verified_password){
echo 'start session succesfully';
} else {
echo 'error';
}
但是请更改为a(因为您的版本非常不安全。很容易被黑客攻击。只需搜索“Bobby Tables”。)
您需要在不检查密码的情况下选择id和密码。然后检查数据库中的pwdHash(
$row['hashed\u p']
)是否与用户通过密码提供的pwdHash匹配\u验证:
$password = // the password in it's raw form how the user typed it. like $_POST['password'];
//Check username (without password) from database
$query =
"SELECT id, hashed_p FROM `register`
WHERE `username` = '$username'";
$result = mysqli_query($database,$query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$verified_password = password_verify($password, $row['hashed_p']);
if(mysqli_num_rows($result) && $verified_password){
echo 'start session succesfully';
} else {
echo 'error';
}
但是请更改为a(因为您的版本非常不安全。很容易被黑客攻击。只需搜索“Bobby Tables”。)
您需要在不检查密码的情况下选择id和密码。然后检查数据库中的pwdHash(
$row['hashed\u p']
)是否与用户通过密码验证提供的密码匹配。您需要选择id和密码,而无需检查密码。然后检查数据库中的pwdHash($row['hashed\u p']
)是否与用户通过密码验证提供的pwdHash匹配。如果是,则所有事务都是不安全的http@MammaMia我不是指事务不安全,而是指SQL注入http@MammaMia我不是说交易不安全,但是对于SQL注入。