password_hash,password_verify,MySQL的误解? [英] password_hash, password_verify, MySQL misunderstanding?
问题描述
我已经更新了代码,脚本仍然返回失败".信息.我一定想念一些东西,我听了每个人的建议.那或者我只是愚蠢的哈哈!这是更新的代码:
I've updated the code and the script is still returning the "Fail." message. I must be missing something, I've taken everyone's advice. That or I'm just plain stupid LOL! Here's the updated code:
require('../connect.php');
$username = $_POST['username-sign-in'];
$password = $_POST['password-sign-in'];
if true then exit() for {
empty($username);
empty($password);
}
if (isset($username, $password)) {
$getuser = $connection->prepare('SELECT `username`, `password`
FROM `users` WHERE `username` = ?');
$getuser->bind_param('s', $username);
$getuser->execute();
$userdata = $getuser->get_result();
$row = $userdata->fetch_array(MYSQLI_ASSOC);
echo 'Password from form: ' . $password . '<br />';
echo 'Password from DB: ' . $row['password'] . '<br />';
if (password_verify($password, $row['password'])) {
echo 'Success.';
exit();
}
else {
echo 'Fail.';
exit();
}
}
else {
echo 'Please enter your username and password.';
$connection->close();
exit();
}
signup.php
signup.php
require('../connect.php');
$ip = $_SERVER['REMOTE_ADDR'];
$username = $_POST['username-sign-up'];
$password = $_POST['password-sign-up'];
$hashedpassword = password_hash($_POST['password-sign-up'],
PASSWORD_BCRYPT, ['cost' => 12]);
$email = strtolower($_POST['email-sign-up']);
if true then exit() for {
empty($username)
empty($password)
empty($email)
!filter_var($email, FILTER_VALIDATE_EMAIL)
strlen($username) < 2 || strlen($username) > 32
strlen($password) < 6 || strlen($password) > 32
}
$usernameandemailcheck = $connection->prepare('SELECT `username`, `email`
FROM `users` WHERE `username` = ? AND `email` = ?');
$usernameandemailcheck->bind_param('ss', $username, $email);
$usernameandemailcheck->execute();
$result = $usernameandemailcheck->get_result();
$row = $result->fetch_array(MYSQLI_ASSOC);
// .. Username and email validation
if (isset($username, $hashedpassword, $email)) {
// Create and send mail
$query = $connection->prepare('INSERT INTO users (`ip`, `username`,
`password`, `email`) VALUES (?, ?, ?, ?)');
$query->bind_param('ssss', $ip, $username, $hashedpassword, $email);
$query->execute();
// SUCCESS
}
else {
// FAILURE
}
推荐答案
您不能对输入进行哈希处理,然后在数据库中对其进行查询,因为哈希每次都会使用不同的随机盐.因此,您可以将同一密码哈希一千次,并获得1000个不同的结果.
You can't hash the input and then query against that in the database, as the hash will use a different random salt each time. So you could hash the same password a thousand times and get 1000 different results.
您只需在数据库中查询与用户名相关的记录,然后使用password_verify()
将数据库返回的密码哈希与输入密码进行比较.
You need to simply just query the DB for the record related to the username, then compare the password hash returned from the DB with the input password using password_verify()
.
此外,当最初在创建密码(使用password_hash()
)时将哈希写入数据库时,无需转义哈希.密码验证过程中根本不使用password_hash()
.
Also, when initially writing the hash to the DB on password creation (using password_hash()
) there is no need to escape the hash. password_hash()
is not used at all in the password verification process.
这篇关于password_hash,password_verify,MySQL的误解?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!