在login脚本中把password_verify放在哪里?
又一个晚上,另一个问题!
我创build了一个login页面,如果密码是纯文本,那么这个页面就可以正常工作。
我的问题是,我的registry单使用password_hashinput一个encryption的密码到表中。
我目前的脚本如下。
注册脚本
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); login脚本
<?php session_start(); if(isset($_POST['email'], $_POST['password'])){ require('../../../private_html/db_connection/connection.php'); $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password); $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email AND password=:password"); $query->bindParam(':email', $_POST['email']); $query->bindParam(':password', $_POST['password']); $query->execute(); if($row = $query->fetch()){ $_SESSION['email'] = $row['email']; $_SESSION['first_name'] = $row['first_name']; header("Location: ../../myaccount/myaccount.php"); } else {header("Location:../../login/login.php ");} } ?>
我对这个问题有几个问题:
- 我在哪里将
password_verify放在我的login脚本中? - 而不必input多个
$_SESSION['xxx'] = $row['xxx'];要在“我的账户”页面上显示用户详细信息,我该如何利用$results = $stmt->fetch(PDO::FETCH_ASSOC);我读过的方法?
提前谢谢了,
CyrilWalrus
在阅读代码之前 ,请记住Fake Registration块不在您的代码中,但有必要向您展示这一点,端到端。
<?php session_start(); // Begin Vault // credentials from a secure Vault, not hard-coded $servername="localhost"; $dbname="login_system"; $username="dbUserName"; $password="dbPassword"; // End Vault // The following two variables would come from your form, naturally // as $_POST[] $formEmail="jsmith123@gmail.com"; $ctPassword="¿^?fish╔&®)"; // clear text password try { #if(isset($_POST['email'], $_POST['password'])){ #require('../../../private_html/db_connection/connection.php'); $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password); $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // Begin Fake Registration // fake it that user already had password set (from some registration insert routine) // the registration routine had SSL/TLS, safely passing bound parameters. $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password, using $conn->query("delete from user_accounts where email='jsmith123@gmail.com'"); $conn->query("insert user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')"); // we are done assuming we had a registration for somewhere in your system // End Fake Registration $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email"); $query->bindParam(':email', $formEmail); $query->execute(); unset($_SESSION['email']); unset($_SESSION['first_name']); if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){ $_SESSION['email'] = $row['email']; $_SESSION['first_name'] = $row['first_name']; //header("Location: ../../myaccount/myaccount.php"); echo "hurray, you authenticated.<br/>"; } else { //header("Location:../../login/login.php "); echo "invalid login<br/>"; } #} } catch (PDOException $e) { echo 'Connection failed: ' . $e->getMessage(); exit(); } ?>
浏览器输出:
欢呼,你authentication。
请注意, password_hash()函数使用随机salt,如果多次运行,密码更改为clearTextinput,例如散列密码:
$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q $2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW
这两者都是后面的散列的结果,如上所述,具有相同的明文密码。 salt和散列cost被烧入散列密码并保存。 这些电话都在下面的链接中阅读。
从手动password_hash和password_verify 。
架构
create table user_accounts ( id int auto_increment primary key, first_name varchar(50) not null, last_name varchar(50) not null, email varchar(100) not null, password varchar(255) not null );
$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=?"); $query->execute([$_POST['email']]); if($row = $query->fetch() && password_verify($_POST['password'], $row['password'])){ $_SESSION['user'] = $row;
