
Where do I put password_verify in a login script?


Remember, the Fake Registration block would not be in your code, but it was necessary in order to show you things in an end-to-end fashion.

<?php
session_start();
    // Begin Vault
    // credentials from a secure Vault, not hard-coded
    $servername="localhost";
    $dbname="login_system";
    $username="dbUserName";
    $password="dbPassword";
    // End Vault

    // The following two variables would come from your form, naturally
    // as $_POST[]
    $formEmail="jsmith123@gmail.com";
    $ctPassword="¿^?fish╔&®)";  // clear text password

    try {
        #if(isset($_POST['email'], $_POST['password'])){
        #require('../../../private_html/db_connection/connection.php');
        $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // Begin Fake Registration
        //   fake it that user already had password set (from some registration insert routine)
        //   the registration routine had SSL/TLS, safely passing bound parameters.
             $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password; the random salt and the cost are embedded in $hp
             $del = $conn->prepare("DELETE FROM user_accounts WHERE email=:email");
             $del->execute([':email' => $formEmail]);
             $ins = $conn->prepare("INSERT INTO user_accounts(first_name,last_name,email,password) VALUES ('joe','smith',:email,:hp)");
             $ins->execute([':email' => $formEmail, ':hp' => $hp]);
        //   we are done assuming we had a registration from somewhere in your system
        // End Fake Registration

        $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
        $query->bindParam(':email', $formEmail);
        $query->execute();

        unset($_SESSION['email']);
        unset($_SESSION['first_name']);

        // password_verify() goes here: after the row for the submitted email has been
        // fetched, compare the clear text password against the stored hash.
        if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){
            $_SESSION['email'] = $row['email'];
            $_SESSION['first_name'] = $row['first_name'];
            //header("Location: ../../myaccount/myaccount.php");
            echo "hurray, you authenticated.<br/>";
        }
        else {
            //header("Location:../../login/login.php ");
            echo "invalid login<br/>";
        }
        #}
    } catch (PDOException $e) {
        // in production, log this server-side rather than echoing driver messages to the browser
        echo 'Connection Failed: ' . $e->getMessage();
        exit();
    }
?>

Browser output

hurray, you authenticated.

Note that the password_hash() function uses a random salt. This is obvious if you run it several times: the hashed password produced from the same clearText input comes out different each time, for example the following two hashed passwords:

$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q

$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW

Both are the result of successive hashes of the same clear text password shown above. The salt and the hash cost are baked into the hashed password and saved with it. These calls can all be found at the links below.

From the manual: password_hash, password_verify

create table user_accounts
(   id int auto_increment primary key,
    first_name varchar(50) not null,
    last_name varchar(50) not null,
    email varchar(100) not null,
    password varchar(255) not null
);
Other · 2022/1/1 18:13:50 · 680 views
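As an added example (not the answer's code), the verify step pulled out into functions that can be run from the PHP CLI without MySQL. It assumes PHP 7.4 or later. The `$users` array is a constructed stand-in for the `SELECT ... WHERE email=:email` row in the answer; `authenticate()`, `dummyHash()`, `establishSession()` and `BCRYPT_COST` are names introduced here. Beyond what the answer shows, it verifies against a dummy hash when the email is unknown, so "no such user" and "wrong password" take the same time and return the same result, it uses `password_needs_rehash()` to upgrade old hashes when the cost is raised, and it regenerates the session id after a successful login.

```php
<?php
// Added example: where password_verify() sits in a login flow, runnable from
// the CLI. The user "table" is a constructed array, not a database.
declare(strict_types=1);

// The "10" baked into the "$2y$10$..." hashes shown in the answer.
const BCRYPT_COST = 10;

// Constructed stand-in for the user_accounts table, keyed by email.
function seedUsers(): array {
    return [
        'jsmith123@gmail.com' => [
            'first_name' => 'joe',
            'email'      => 'jsmith123@gmail.com',
            // hashed at registration; the random salt and the cost live inside the string
            'password'   => password_hash('¿^?fish╔&®)', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        ],
    ];
}

// Hash of a throwaway string, verified when the email is unknown so that an
// unknown user and a wrong password cost the same amount of time. Computed once.
function dummyHash(): string {
    static $h = null;
    return $h ??= password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns the user row on success, null on failure. The row lookup is passed
// in as a callable so the same logic works against PDO (fetch by bound :email)
// or the in-memory array used here.
function authenticate(string $email, string $clearText, callable $findByEmail): ?array {
    $row = $findByEmail($email);
    $storedHash = $row['password'] ?? dummyHash();

    // password_verify() is always called, even when there is no row.
    $ok = password_verify($clearText, $storedHash);
    if ($row === null || !$ok) {
        return null;            // one outcome for unknown user and bad password
    }
    // Transparent upgrade if BCRYPT_COST has been raised since the user registered.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $row['password'] = password_hash($clearText, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        // persist $row['password'] with UPDATE user_accounts SET password=:hp WHERE id=:id
    }
    return $row;
}

// What the login script does after authenticate() returns a row (needs session_start()).
function establishSession(array $row): void {
    session_regenerate_id(true);   // fresh id, so a session fixed before login is not promoted
    $_SESSION['email'] = $row['email'];
    $_SESSION['first_name'] = $row['first_name'];
}

// --- demonstration ---------------------------------------------------------
$users = seedUsers();
$find  = fn(string $email): ?array => $users[$email] ?? null;

// Two hashes of one password differ because of the random salt, yet both verify.
$h1 = password_hash('¿^?fish╔&®)', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
$h2 = password_hash('¿^?fish╔&®)', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
var_dump($h1 !== $h2);                               // bool(true)
var_dump(password_verify('¿^?fish╔&®)', $h1));       // bool(true)
var_dump(password_verify('¿^?fish╔&®)', $h2));       // bool(true)

var_dump(authenticate('jsmith123@gmail.com', '¿^?fish╔&®)', $find) !== null); // bool(true)
var_dump(authenticate('jsmith123@gmail.com', 'wrong', $find));                  // NULL
var_dump(authenticate('nobody@example.com', '¿^?fish╔&®)', $find));            // NULL
```

In the answer's script the same `authenticate()` call would replace the `if(($row = $query->fetch()) && password_verify(...))` line, with `$findByEmail` wrapping the prepared `SELECT`; the fixed cost and the dummy verify are what keep the failure path from leaking whether the email exists.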
