, remembering that the Fake Registration block would not be in your code, but it is necessary in order to show it to you end-to-end.
<?php
session_start();
// Begin Vault
// credentials from a secure Vault, not hard-coded
$servername = "localhost";
$dbname     = "login_system";
$username   = "dbUserName";
$password   = "dbPassword";
// End Vault
// The following two variables would come from your form, naturally
// as $_POST[]
$formEmail  = "jsmith123@gmail.com";
$ctPassword = "¿^?fish╔&®)"; // clear text password
try {
    #if(isset($_POST['email'], $_POST['password'])){
    #require('../../../private_html/db_connection/connection.php');
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Begin Fake Registration
    // fake it that user already had password set (from some registration insert routine)
    // the registration routine had SSL/TLS, safely passing bound parameters.
    $hp = password_hash($ctPassword, PASSWORD_DEFAULT); // hashed password, using PASSWORD_DEFAULT (bcrypt; salt and cost are embedded in the result)
    $conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
    // bcrypt output only contains [./A-Za-z0-9$], so interpolating $hp here is safe; real code would bind it
    $conn->query("insert into user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
    // we are done; assume a registration happened somewhere in your system
    // End Fake Registration
    $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
    $query->bindParam(':email', $formEmail);
    $query->execute();
    unset($_SESSION['email']);
    unset($_SESSION['first_name']);
    if (($row = $query->fetch()) && password_verify($ctPassword, $row['password'])) {
        $_SESSION['email'] = $row['email'];
        $_SESSION['first_name'] = $row['first_name'];
        //header("Location: ../../myaccount/myaccount.php");
        echo "hurray, you authenticated.<br/>";
    } else {
        //header("Location:../../login/login.php ");
        echo "invalid login<br/>";
    }
    #}
} catch (PDOException $e) {
    echo 'Connection Failed: ' . $e->getMessage();
    exit();
}
?>
Browser output:
hurray, you authenticated.
Note that the password_hash() function makes use of a random salt. This is obvious if you run it several times: the hashed password produced from the same clear text input differs each time, for example these two hashed passwords:
$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q
$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW
Both are the result of successive hashes of the same clear text password described above. The salt and the hash cost are baked into the hashed password and saved with it. All of these calls can be found in the links below,
from the manual: password_hash and password_verify.
create table user_accounts
( id int auto_increment primary key,
first_name varchar(50) not null,
last_name varchar(50) not null,
email varchar(100) not null,
password varchar(255) not null
);
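As an added example (not code from the original answer), the same login flow written as two functions over the answer's user_accounts table, using the fact that salt and cost are baked into each stored hash: password_needs_rehash() detects an old cost and upgrades the row on the next successful login, and a dummy verification keeps the failure path's timing the same whether or not the e-mail exists. The cost value 12, the dummy password and the helper names are assumptions; $pdo is assumed to be a connection built like $conn in the answer.

```php
<?php
// Added example, not from the original answer. Assumes the user_accounts table above.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12]; // assumed policy; the answer's hashes were produced at cost 10

function registerUser(PDO $pdo, string $first, string $last, string $email, string $clearText): void {
    $stmt = $pdo->prepare(
        "INSERT INTO user_accounts (first_name, last_name, email, password) VALUES (:f, :l, :e, :p)"
    );
    $stmt->execute([
        ':f' => $first, ':l' => $last, ':e' => $email,
        ':p' => password_hash($clearText, HASH_ALGO, HASH_OPTIONS), // salt + cost embedded in the string
    ]);
}

// Returns the user row on success, null on failure.
function authenticate(PDO $pdo, string $email, string $clearText): ?array {
    $stmt = $pdo->prepare("SELECT * FROM user_accounts WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null; // fetch() returns false when no row matches

    // Verify against a dummy hash when the account does not exist, so the response
    // time does not reveal which e-mail addresses are registered.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password-for-timing', HASH_ALGO, HASH_OPTIONS); // assumed value
    $stored = $row['password'] ?? $dummy;

    if (!password_verify($clearText, $stored) || $row === null) {
        return null;
    }
    // The cost lives inside the stored hash, so a hash made at a lower cost (e.g. the
    // answer's $2y$10$...) is recognised here and replaced while the clear text is known.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $upd = $pdo->prepare("UPDATE user_accounts SET password = :p WHERE id = :id");
        $upd->execute([':p' => password_hash($clearText, HASH_ALGO, HASH_OPTIONS), ':id' => $row['id']]);
    }
    return $row;
}

// Usage, with $pdo, $formEmail and $ctPassword as in the answer:
// registerUser($pdo, 'joe', 'smith', 'jsmith123@gmail.com', $ctPassword);
// if (($user = authenticate($pdo, $formEmail, $ctPassword)) !== null) {
//     session_regenerate_id(true);            // new session id after login
//     $_SESSION['email'] = $user['email'];
// }
```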