Php 在登录脚本中的何处放置密码\u验证?
又一个夜晚,又一个问题 我已经创建了一个登录页面,如果密码是纯文本的,它就可以正常工作 我的问题是,我的注册表单使用password\u散列在表中输入加密密码 下面是我当前的脚本 注册脚本 登录脚本Php 在登录脚本中的何处放置密码\u验证?,php,session,pdo,password-encryption,login-script,Php,Session,Pdo,Password Encryption,Login Script,又一个夜晚,又一个问题 我已经创建了一个登录页面,如果密码是纯文本的,它就可以正常工作 我的问题是,我的注册表单使用password\u散列在表中输入加密密码 下面是我当前的脚本 注册脚本 登录脚本 关于这一点,我有几个问题: 我应该在登录脚本中将密码\u验证放在哪里 不必输入多个$\u会话['xxx']=$row['xxx']要在“我的帐户”页面上显示用户详细信息,我如何使用$results=$stmt->fetch(PDO::fetch_ASSOC)我读过的方法 多谢各位 西里尔海象在阅
关于这一点,我有几个问题:
密码\u验证放在哪里
$\u会话['xxx']=$row['xxx']
要在“我的帐户”页面上显示用户详细信息,我如何使用$results=$stmt->fetch(PDO::fetch_ASSOC)代码>我读过的方法李>
多谢各位
西里尔海象在阅读代码之前,请记住,伪注册
块将不在代码中,但有必要向您展示这一点,端到端
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=?");
$query->execute([$_POST['email']]);
if($row = $query->fetch() && password_verify($_POST['password'], $row['password'])){
$_SESSION['user'] = $row;
<?php
session_start();
// Begin Vault
// credentials from a secure Vault, not hard-coded
$servername="localhost";
$dbname="login_system";
$username="dbUserName";
$password="dbPassword";
// End Vault
// The following two variables would come from your form, naturally
// as $_POST[]
$formEmail="jsmith123@gmail.com";
$ctPassword="¿^?fish╔&®)"; // clear text password
try {
#if(isset($_POST['email'], $_POST['password'])){
#require('../../../private_html/db_connection/connection.php');
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Begin Fake Registration
// fake it that user already had password set (from some registration insert routine)
// the registration routine had SSL/TLS, safely passing bound parameters.
$hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password, using
$conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
$conn->query("insert user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
// we are done assuming we had a registration for somewhere in your system
// End Fake Registration
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
$query->bindParam(':email', $formEmail);
$query->execute();
unset($_SESSION['email']);
unset($_SESSION['first_name']);
if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){
$_SESSION['email'] = $row['email'];
$_SESSION['first_name'] = $row['first_name'];
//header("Location: ../../myaccount/myaccount.php");
echo "hurray, you authenticated.<br/>";
}
else {
//header("Location:../../login/login.php ");
echo "invalid login<br/>";
}
#}
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
exit();
}
?>
如前所述,这两种密码都是对同一明文密码进行后续哈希运算的结果。salt
和hashcost
被烘焙到散列密码中并保存。这些电话都可以在下面的链接中阅读
从手册和
模式
@西里尔海象-你的脚本有很多不起作用的可能性,你应该告诉我们更多关于哪里出了问题。上面的答案应该会让你明白,首先通过电子邮件进行查询,然后读取行中的哈希值,并使用password\u verify()
@martinstoeckli检查。不应该由你用这个答案“帮助”OP。这家伙应该是一个帮助这个人找出为什么它不起作用的人,我真诚地怀疑他们是否会提供任何进一步的帮助。这个答案不值得投票;另外,如果你问我的话,这是一个不值得浪费的答案。现在有一个答案实际上是“有意义的”。我想知道是谁给了你那张否决票。你的竞争对手可能会大便?也许是那个从不对此发表评论的人?也许是因为害怕被击落?反正你得到了我的支持票。@HawasKaPujaari不是政治本身,而是“公关”。(公共关系);-)谢谢这是一种享受。你知道在这种情况下我如何使用$results=$stmt->fetch(PDO::fetch_ASSOC)
?我读过这样的文章,我可以把
放到浏览器上,而不是进行大量的$\u会话
。在这种特殊情况下,我们甚至不会通过PHP将(列值)返回到浏览器上,只是尝试在登录时确定是或不是。但是,总的来说,绝对不要不必要地增加会话占用空间。它会影响PHP性能。
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=?");
$query->execute([$_POST['email']]);
if($row = $query->fetch() && password_verify($_POST['password'], $row['password'])){
$_SESSION['user'] = $row;
<?php
session_start();
// Begin Vault
// credentials from a secure Vault, not hard-coded
$servername="localhost";
$dbname="login_system";
$username="dbUserName";
$password="dbPassword";
// End Vault
// The following two variables would come from your form, naturally
// as $_POST[]
$formEmail="jsmith123@gmail.com";
$ctPassword="¿^?fish╔&®)"; // clear text password
try {
#if(isset($_POST['email'], $_POST['password'])){
#require('../../../private_html/db_connection/connection.php');
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Begin Fake Registration
// fake it that user already had password set (from some registration insert routine)
// the registration routine had SSL/TLS, safely passing bound parameters.
$hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password, using
$conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
$conn->query("insert user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
// we are done assuming we had a registration for somewhere in your system
// End Fake Registration
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
$query->bindParam(':email', $formEmail);
$query->execute();
unset($_SESSION['email']);
unset($_SESSION['first_name']);
if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){
$_SESSION['email'] = $row['email'];
$_SESSION['first_name'] = $row['first_name'];
//header("Location: ../../myaccount/myaccount.php");
echo "hurray, you authenticated.<br/>";
}
else {
//header("Location:../../login/login.php ");
echo "invalid login<br/>";
}
#}
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
exit();
}
?>
$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q
$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW
create table user_accounts
( id int auto_increment primary key,
first_name varchar(50) not null,
last_name varchar(50) not null,
email varchar(100) not null,
password varchar(255) not null
);