PHP password_hash(), password_verify()


Problem description

My registration script accepts a user's password and then uses PHP's password_hash function to encrypt the password, then places it in a database. When I go to login using the just created user, I'm getting the error that checks if the passwords are the same or not. In my case, they're not. What am I doing wrong when I make the call to the password_verify function in the login script?

Registration

if($_SERVER["REQUEST_METHOD"] == "POST"){
    function secure($data){
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return($data);
    }

    $p_num = secure($_POST["p_number"]);
    $first_name = secure($_POST["first_name"]);
    $last_name = secure($_POST["last_name"]);
    $email = secure($_POST["email"]);
    // The password goes through secure() too, so the value that gets hashed is the
    // trimmed, slash-stripped, HTML-escaped string, not what the user actually typed.
    $password = secure($_POST["pw"]);
    $verify_password = secure($_POST["pw_verify"]);
    $program = secure($_POST["program"]);
    $role = secure($_POST["role"]);
    $logged_in = 0;
    $registered = 0;
    $image = "../images/profile_placeholder.png";

    if($password != $verify_password){
        echo "Nope.  Passwords";
    }
    else{
        $registered = 1;
        // bcrypt output is 60 characters; the `password` column must be able to hold all of it.
        $password = password_hash($password, PASSWORD_DEFAULT);
        // Values are spliced straight into the SQL string (no prepared statement).
        $insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `image`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$image ."', '" .$email ."', '" .$program ."', '" .$role ."', '" .$logged_in ."', '" .$registered ."')";
        $query = mysqli_query($connect, $insert);
        echo "Success!";
    }
}

Login

if($_SERVER["REQUEST_METHOD"] == "POST"){
    $p_num = $_POST["username"];
    $pwd = $_POST["password"];

    // $p_num is interpolated into the query unescaped (no prepared statement).
    $query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'";
    $result = mysqli_query($connect, $query);
    while($row = mysqli_fetch_assoc($result)){
        $user_id = "{$row['user_id']}";
        $first_name = "{$row['first_name']}";
        $last_name = "{$row['last_name']}";
        $user_name = $first_name ." " .$last_name;
        // $password now holds whatever the database returned for the stored hash.
        $password = "{$row['password']}";
        $image = "{$row['image']}";
        $email = "{$row['email']}";
        $program = "{$row['program']}";
        $role = "{$row['role']}";
        $status = "{$row['logged_in']}";
        $registered = "{$row['registered']}";
        if(($user_id == $p_num) && (password_verify($pwd, $password))){
            $_SESSION["id"] = $user_id;
            $_SESSION["user"] = $user_name;
            $_SESSION["program"] = $program;
            $_SESSION["pass"] = $password;
            $_SESSION["image"] = $image;
            $_SESSION["email"] = $email;
            $_SESSION["role"] = $role;
            $_SESSION["status"] = $status;
            $_SESSION["registered"] = $registered;
            // Built but never executed with mysqli_query().
            $loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'";
        }
        var_dump($pwd);
        var_dump($password);
    }
}

Here is what I get when I do var_dump:

string(1) "1" string(16) "$2y$10$0aysCso3b"

So clearly, the passwords are not being matched together. So, on the registration script, the password is hashed and sent to the database. Then, when the user goes to login, the login script looks at the password the user entered to login, and then checks it against the hashed password in the database using password_verify. Yet, the hashed password isn't accepting the un-hashed password as a match. What I'm not understanding is, why?

Recommended answer

Here is what I use for password_hash and password_verify. Try it out as written, you can then start adding in the rest of your code once successful.

Modify table and column name(s) to suit.

N.B.: This is a basic insertion method. I suggest you use prepared statements instead.

Sidenote: The password column needs to be long enough to accommodate the hash: VARCHAR(255). Consult "Footnotes".

Insert file

<?php
$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';

$conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if ($conn->connect_errno > 0) {
    die('Connection failed [' . $conn->connect_error . ']');
}

$password = "rasmuslerdorf";
$first_name = "john";
$password = password_hash($password, PASSWORD_DEFAULT);

$sql = "INSERT INTO users (`name`, `password`) VALUES ('" . $first_name . "', '" . $password . "')";

$query = mysqli_query($conn, $sql);
if ($query) {
    echo "Success!";
} else {
    // echo "Error";
    die('There was an error running the query [' . $conn->error . ']');
}

Login file

<?php
// session_start();

$DB_HOST = 'xxx';
$DB_USER = 'xxx';
$DB_PASS = 'xxx';
$DB_NAME = 'xxx';

$conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if ($conn->connect_errno > 0) {
    die('Connection failed [' . $conn->connect_error . ']');
}

$pwd = "rasmuslerdorf";
$first_name = "john";

//$sql = "SELECT * FROM users WHERE id = 1";

$sql = "SELECT * FROM users WHERE name='$first_name'";
$result = $conn->query($sql);
if ($result->num_rows === 1) {
    $row = $result->fetch_array(MYSQLI_ASSOC);
    if (password_verify($pwd, $row['password'])) {
        //Password matches, so create the session
        // $_SESSION['user'] = $row['user_id'];
        // header("Location: http://www.example.com/logged_in.php");
        echo "Match";
    } else {
        echo "The username or password do not match";
    }
}

mysqli_close($conn);


Footnotes:

The password column should be long enough to hold the hash. 72 long is what the hash produces in character length, yet the manual suggests 255.

Reference:

"Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)."
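As an added example that is not part of the question or the answer above, the following script implements the workflow the answer describes (password_hash() at registration, password_verify() at login) with the prepared statements it recommends, and reproduces both the failure the question's var_dump shows (a hash cut down to 16 characters by a too-short column) and a second one lurking in the question's secure() helper (escaping the password before hashing it). It assumes PHP 7.4 or later with the pdo_sqlite extension so that it runs without a MySQL server; the users table, its column names, the dummy-hash handling for unknown usernames, and the sample password are assumptions made for the demo.

```php
<?php
// Added example; not code from the question or the answer above.
// Assumes PHP 7.4+ with pdo_sqlite. Table/column names and sample data are invented for the demo.
declare(strict_types=1);

// bcrypt (what PASSWORD_DEFAULT selects at the time of writing) always yields a
// 60-character hash. Anything shorter was truncated when it was stored.
function stored_hash_is_intact(string $hash): bool
{
    return strlen($hash) === 60 && password_get_info($hash)['algoName'] !== 'unknown';
}

function register_user(PDO $db, string $username, string $password): void
{
    // Hash the password exactly as typed. Do not trim/stripslashes/htmlspecialchars it
    // first: login receives the raw value, so any transformation here breaks verification.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login_user(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a throwaway hash so response time does not
    // reveal which usernames exist (an addition beyond what the answer shows).
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row === false ? $dummy : $row['password_hash'];

    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    // Transparently upgrade hashes created with an older cost or algorithm default.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash VARCHAR(255) NOT NULL)');

// Constructed sample password containing characters that htmlspecialchars() rewrites.
$password = "p@ss<word>'1";
register_user($db, 'john', $password);

check(login_user($db, 'john', $password) === true, 'correct password verifies');
check(login_user($db, 'john', 'wrong') === false, 'wrong password is rejected');
check(login_user($db, 'nobody', $password) === false, 'unknown user is rejected');

// The symptom from the question: var_dump showed string(16) "$2y$10$0aysCso3b",
// i.e. a hash reduced to 16 characters by a column that could not hold 60.
$truncated = substr(password_hash('1', PASSWORD_DEFAULT), 0, 16);
check(stored_hash_is_intact($truncated) === false, 'truncated hash is detected');
check(password_verify('1', $truncated) === false, 'truncated hash never verifies');
check(stored_hash_is_intact(password_hash('1', PASSWORD_DEFAULT)), 'full-length hash passes');

// A second way to get the same failure: escaping the password before hashing it.
$escaped_hash = password_hash(htmlspecialchars($password), PASSWORD_DEFAULT);
check(password_verify($password, $escaped_hash) === false, 'escaped-then-hashed password does not verify against the raw one');
```

Run it with `php example.php`; each check() throws if its expectation does not hold. The same prepare()/execute() discipline carries over to mysqli (prepare(), bind_param(), execute()), and stored_hash_is_intact() is the quick test to run against an existing row when password_verify() inexplicably returns false.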

