如何在PHP中使用password_verify函数 [英] How to use password_verify function in PHP

问题描述

我正在用PHP(login_config.php)编写一个基本的网站登录脚本.

I am writing a basic website login script in PHP (login_config.php).

我的问题是:我是否在用户安全/保护方面正确实现了password_verify()函数?

My question is: Am I implementing the password_verify() function properly in regards to user security/protection?

-注意:帖子数据是从login.php发送的

-Note: Post data is being sent from login.php

代码(LOGIN_CONFIG.PHP):

CODE (LOGIN_CONFIG.PHP):

        <?php                       //POST VARIABLES
    $submit = $_POST['login_submit'];
    $username = $_POST['login_username'];
    $password = $_POST['login_password'];
    $email = $_POST['login_email'];

    require 'password_config.php';
    if(isset($submit)){
    require 'db/connect.php';
    //PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
    $user_pass = $row['password'];
    $veri_password = password_verify($password, $user_pass);
    }
    if(!$veri_password === true){$errors[] = '-Account does not exist ';}

我知道其他缺陷，请注意最初的问题.

I am aware of other flaws, please regard to the initial question.

推荐答案

您正确使用了 $row['password']返回由对应的密码哈希 ，就可以. nofollow> password_verify()函数. net/manual/en/function.password-hash.php"rel =" nofollow> password_hash()，而不是普通密码本身或其他任何值.

You are correctly using the password_verify() function as long as $row['password'] is returning the correspondent password hash created by password_hash() of the plain password, and not the plain password itself or any other value than that.

请注意，此答案中不包含其他安全问题.

Note that no further security concerns are included in this answer.

这篇关于如何在PHP中使用password_verify函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！