在哪里将password_verify放在登录脚本中?
[英]Where to put password_verify in login script?
问题描述
Another night, another question! 
另一个夜晚,另一个问题!
I have created a log in page which works fine if the passwords are in plain text. 我创建了一个登录页面,如果密码为纯文本形式,则可以正常运行。
The issue I have is that my sign up form uses password_hash to enter an encrypted password to the table. 我的问题是我的注册表单使用password_hash向表输入加密的密码。
My current scripts are below. 我当前的脚本如下。
Sign Up Script
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
Log In Script
<?php
session_start();
if(isset($_POST['email'], $_POST['password'])){
require('../../../private_html/db_connection/connection.php');
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email AND password=:password");
$query->bindParam(':email', $_POST['email']);
$query->bindParam(':password', $_POST['password']);
$query->execute();
if($row = $query->fetch()){
$_SESSION['email'] = $row['email'];
$_SESSION['first_name'] = $row['first_name'];
header("Location: ../../myaccount/myaccount.php");
}
else {header("Location:../../login/login.php ");}
}
?>
I have a couple of questions on this one: 我对此有两个问题:
- Where do I put
password_verifyin my login script?我应该在哪里将password_verify放在我的登录脚本中? - Instead of having to type in multiple
$_SESSION['xxx'] = $row['xxx'];不必键入多个$_SESSION['xxx'] = $row['xxx'];to display the users details on the 'My Account' page, how can I utilise the$results = $stmt->fetch(PDO::FETCH_ASSOC);要在“我的帐户”页面上显示用户详细信息,如何使用$results = $stmt->fetch(PDO::FETCH_ASSOC);method that I have read about?我已经读过的方法?
Many thanks in advance, 提前谢谢了,
CyrilWalrus 西里尔·海象
2 个解决方案
解决方案1
12 已采纳 2015-09-14 00:56:45
Before you read the code, keep in mind that the Fake Registration block would not be in your code, but it is necessary to show you this, end-to-end. 阅读代码之前 ,请记住, Fake Registration块不会出现在您的代码中,但是有必要以端到端的方式向您展示。
<?php
session_start();
// Begin Vault
// credentials from a secure Vault, not hard-coded
$servername="localhost";
$dbname="login_system";
$username="dbUserName";
$password="dbPassword";
// End Vault
// The following two variables would come from your form, naturally
// as $_POST[]
$formEmail="jsmith123@gmail.com";
$ctPassword="¿^?fish╔&®)"; // clear text password
try {
#if(isset($_POST['email'], $_POST['password'])){
#require('../../../private_html/db_connection/connection.php');
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Begin Fake Registration
// fake it that user already had password set (from some registration insert routine)
// the registration routine had SSL/TLS, safely passing bound parameters.
$hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password, using
$conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
$conn->query("insert user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
// we are done assuming we had a registration for somewhere in your system
// End Fake Registration
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
$query->bindParam(':email', $formEmail);
$query->execute();
unset($_SESSION['email']);
unset($_SESSION['first_name']);
if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){
$_SESSION['email'] = $row['email'];
$_SESSION['first_name'] = $row['first_name'];
//header("Location: ../../myaccount/myaccount.php");
echo "hurray, you authenticated.<br/>";
}
else {
//header("Location:../../login/login.php ");
echo "invalid login<br/>";
}
#}
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
exit();
}
?>
Browser Output: 浏览器输出:
hurray, you authenticated.
Note, the password_hash() function utilizes a random salt, as is evident if you run it several times, with the hashed password changing with same clearText input, such as these hashed passwords: 请注意, password_hash()函数利用随机盐,如果您多次运行它,则很明显,哈希密码使用相同的clearText输入更改 ,例如这些哈希密码:
$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q
$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW
both of which are the result of subsequent hashings, as mentioned, of the same clear text password. 两者都是如上所述的相同明文密码的后续哈希的结果。 The salt and hash cost are baked into the hashed password and saved. salt和哈希cost被烘焙到哈希密码中并保存。 These call all be read about in links below. 这些调用都可以在下面的链接中找到。
From the Manual password_hash and password_verify . 从手册password_hash和password_verify中 。
Schema 架构图
create table user_accounts
( id int auto_increment primary key,
first_name varchar(50) not null,
last_name varchar(50) not null,
email varchar(100) not null,
password varchar(255) not null
);
解决方案2
-3 2015-09-13 20:18:35
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=?");
$query->execute([$_POST['email']]);
if($row = $query->fetch() && password_verify($_POST['password'], $row['password'])){
$_SESSION['user'] = $row;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.