从 SQL 表中获取散列字符串时出现 PHP PDO 错误
[英]PHP PDO Error when fetching hashed strings from SQL table
问题描述
As I was changing my MySQLi to PDO , I encountered an error when fetching hashed strings from my users table.
当我将MySQLi更改为PDO ,从我的users表中获取散列字符串时遇到错误。
This was the code I used before:这是我之前使用的代码:
CheckPassword VERIFIES VALID USING MYSQLI CheckPassword使用MYSQLI验证有效
$mysqli = new mysqli("localhost","_USER_","_PASS_","_DB_");
$username = '_USERNAME_';
$pass = '_PASSWORD_';
$sql = "SELECT * FROM `users` WHERE username='$username' LIMIT 1";
$result = $mysqli->query($sql);
if($assoc = $result->fetch_assoc()){
$db_pass = $assoc['userpass'];
require 'PasswordHash.php';
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
if($hasher->CheckPassword($pass, $db_pass)) {
echo "valid"; // VERIFIES VALID
} else {
echo "invalid";
}
}
The reason why I switched to PDO was to prevent SQL Injections .我切换到PDO的原因是为了防止SQL 注入。
But now: CheckPassword VERIFIES INVALID USING PDO但现在: CheckPassword VERIFIES INVALID USING PDO
$pdo = new PDO('mysql:dbname=_DB_;host=localhost', '_USER_', '_PASS_',
array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$username = '_USERNAME_';
$pass = '_PASSWORD_';
$stmt = $pdo->prepare('SELECT * FROM `users` WHERE username = :u LIMIT 1');
$stmt->bindParam(':u', $username);
$stmt->execute();
if($fetch = $stmt->fetch(PDO::FETCH_ASSOC)){
$db_pass = $fetch['userpass'];
require 'PasswordHash.php';
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
if($hasher->CheckPassword($pass, $db_pass)) {
echo "valid";
} else {
echo "invalid"; // VERIFIES INVALID
}
}
}
How is it that;怎么会这样; MySQLi fetches the hashed string different compared to PDO ? MySQLi获取与PDO不同的散列字符串? No matter what encryption I use for hashing the passwords, it CANNOT validate them as true when fetching using PDO , BUT only when fetching using MySQLi ?无论何种加密我使用散列密码,使用取当它不能验证他们作为真正的PDO ,但使用只读取时MySQLi ?
1 个解决方案
解决方案1
0 2016-09-14 00:16:36
The reason because when you comparing the password that the user enter and the password that in the database , its different , the pass that the user enter to log in to his account is not hashed while the one in the database is , so we need a way to hash the entered pass and validate it with the already hashed pass in the database .原因是因为当你比较用户输入的密码和数据库中的密码时,不同的是,用户输入的登录他的帐户的密码不是散列的,而数据库中的密码是散列的,所以我们需要一个散列输入的通行证并使用数据库中已散列的通行证对其进行验证的方法。 How to do that ?怎么做 ? here这里
This is an example from a code that i use in my Control panel :这是我在控制面板中使用的代码示例:
<?php
// connect to your database
if(isset($_POST['btn-login']))
{
$User_name = $_POST['userlogin'];
$password_user = $_POST['pass'];
$FetchUserData = $conn->prepare("SELECT * FROM users WHERE userlogin = ?");
$FetchUserData->execute(array($User_name));
$FetchedData = $FetchUserData->fetch(PDO::FETCH_ASSOC);
if ($FetchedData)
{
$password = $FetchedData['userpassword']; // Save the fetched password inside variable
$isPasswordCorrect = password_verify($password_user, $password);
if( $password_user == $isPasswordCorrect )
{
$_SESSION['login_user']=$User_name;
header("location: home.php");
}
else
{
echo "Password is wrong":
}
}
else
{
echo "User is not exist ";
}
}
?>
This Code line is the code used to hash the enterd pass with the exist pass in the database :此代码行是用于将输入的传递与数据库中的存在传递散列的代码:
$isPasswordCorrect = password_verify($password_user, $password);
Small explanation :小解释:
password_verify(parameterA,parameterB)
parameterA : The password that you want it to be validate .
parameterA :您希望对其进行验证的密码。parameterB : the password that you want it to be validated with .( database that is stored in the database )
参数B:您希望使用它进行验证的密码。(存储在数据库中的数据库)
Hope this answer be helpful for you .希望这个回答对你有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.