如何在PHP中使用password_verify函数 [英] How to use password_verify function in PHP
问题描述
我正在用PHP(login_config.php)编写一个基本的网站登录脚本.
I am writing a basic website login script in PHP (login_config.php).
我的问题是:我是否在用户安全/保护方面正确实现了password_verify()函数?
My question is: Am I implementing the password_verify() function properly in regards to user security/protection?
-注意:帖子数据是从login.php发送的
-Note: Post data is being sent from login.php
代码(LOGIN_CONFIG.PHP):
CODE (LOGIN_CONFIG.PHP):
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if(!$veri_password === true){$errors[] = '-Account does not exist ';}
我知道其他缺陷,请注意最初的问题.
I am aware of other flaws, please regard to the initial question.
推荐答案
您正确使用了 $row['password']
返回由
You are correctly using the password_verify() function as long as $row['password']
is returning the correspondent password hash created by password_hash() of the plain password, and not the plain password itself or any other value than that.
请注意,此答案中不包含其他安全问题.
Note that no further security concerns are included in this answer.
这篇关于如何在PHP中使用password_verify函数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!