How to verify_password from a database


Problem description

I'm storing a password in a database, like so:

public function add_user($username, $password){

    $password = password_hash($password, PASSWORD_DEFAULT); //here

    $this->query = $this->conn->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $this->query->bindParam(':username', $username);
    $this->query->bindParam(':password', $password);
    $this->query->execute();
}

However, I am not sure how to retrieve it. I know of the function

password_verify($password, $hash)

But I am not sure how to use it. How do I use it to get a user from a database?

What's the best way for me to verify a password with the following code:

public function get_user($username, $password){

    $this->query = $this->conn->prepare('SELECT * from users WHERE username=:username AND password=:password');
    $this->query->bindParam(':username', $username);
    $this->query->bindParam(':password', $password);
    $this->query->execute();
    $this->retrieve = $this->query->fetchAll(PDO::FETCH_ASSOC);
}

Any help or guidance would be great. The logic of this has confused me greatly.

Recommended answer

First of all, +1 for using PHP's password functions for password hashing!

Contrary to normal hashing functions (such as md5(), sha1(), etc. - which should not be used for password hashing), password_hash() will produce a different hash from the same password every time, because it automatically generates a random salt for every hash. This is a great feature that makes your password hashes a lot safer, but it means that you cannot use password_hash() to hash the entered password and use that hashed password in your SQL query (combined with the username) to retrieve the user.

Instead, just retrieve the user based on its username - and then compare the retrieved password hash with the entered password using password_verify(). This function is able to compare the entered password with the stored hash, even if the cost or algorithm has changed.

Example (using your code):

public function get_user($username, $password)
{
    $this->query = $this->conn->prepare('SELECT * from users WHERE username=:username LIMIT 1');
    $this->query->bindParam(':username', $username);
    $this->query->execute();
    $user = $this->query->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched; treat an unknown user
    // the same as a wrong password instead of indexing into false
    if ($user !== false && password_verify($password, $user['password'])) {
        // password is correct, return the user
        return $user;
    } else {
        // incorrect password (or unknown user)
        return false;
    }
}

Increasing the strength of passwords in the future

As I said before, the new password API allows you to upgrade the strength of newly generated password hashes without breaking older ones. This is because the cost and the algorithm (as well as the salt, by the way) are stored within the hash.

It is advisable to increase the cost over time, as available hardware becomes stronger (decreasing the time it would take for an attacker to brute-force a password).

If you decide to do so, or if you decide to use another hashing algorithm, don't forget to add a check using password_needs_rehash() in your login procedure. This way existing passwords will be re-hashed as well.

If the function (called with the hash from the database as a parameter) returns true, simply run password_hash() again and overwrite the old hash in the database with the new hash. This can obviously only be done when users log in, because that is the only time you should have access to the plain-text passwords.
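Putting the two halves of the answer together (look the user up by username only, check the password with password_verify(), then upgrade a stale hash with password_needs_rehash() while the plain-text password is still in hand), here is an added stand-alone example. It is not code from the original question or answer. It assumes PHP 7.4 or newer with the pdo_sqlite extension, uses an in-memory SQLite database in place of the asker's real one, and the class name UserStore, the cost values and the sample credentials are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a login routine that
// (1) selects the user by username only, (2) verifies the submitted
// password with password_verify(), and (3) transparently re-hashes the
// stored value with password_needs_rehash() when the cost or algorithm
// policy has changed. The users(username, password) table follows the
// question; the SQLite backend is only there so the script runs stand-alone.

class UserStore
{
    private PDO $conn;
    private array $hashOptions;

    public function __construct(PDO $conn, array $hashOptions = ['cost' => 12])
    {
        $this->conn = $conn;
        $this->hashOptions = $hashOptions;
    }

    public function add_user(string $username, string $password): void
    {
        // Store only the salted hash, never the plain-text password.
        $hash = password_hash($password, PASSWORD_DEFAULT, $this->hashOptions);
        $stmt = $this->conn->prepare(
            'INSERT INTO users (username, password) VALUES (:username, :password)'
        );
        $stmt->execute([':username' => $username, ':password' => $hash]);
    }

    // Returns the user row on success, false for an unknown user or a wrong password.
    public function get_user(string $username, string $password)
    {
        $stmt = $this->conn->prepare(
            'SELECT * FROM users WHERE username = :username LIMIT 1'
        );
        $stmt->execute([':username' => $username]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);

        // fetch() returns false when no row matched; collapse both failure
        // modes into one result so the caller cannot tell them apart.
        if ($user === false || !password_verify($password, $user['password'])) {
            return false;
        }

        // The hash verified. If it was produced under an older cost/algorithm
        // than the current policy, re-hash now: login is the only moment the
        // plain-text password is available.
        if (password_needs_rehash($user['password'], PASSWORD_DEFAULT, $this->hashOptions)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT, $this->hashOptions);
            $upd = $this->conn->prepare(
                'UPDATE users SET password = :password WHERE username = :username'
            );
            $upd->execute([':password' => $newHash, ':username' => $username]);
            $user['password'] = $newHash;
        }

        return $user;
    }
}

// Demonstration against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// A legacy account hashed at cost 10, created before the policy moved to cost 12.
$legacy = new UserStore($pdo, ['cost' => 10]);
$legacy->add_user('alice', 'correct horse battery staple'); // constructed sample credentials

$store = new UserStore($pdo, ['cost' => 12]);

echo "wrong password rejected: ", var_export($store->get_user('alice', 'not it') === false, true), "\n";
echo "unknown user rejected:   ", var_export($store->get_user('nobody', 'anything') === false, true), "\n";

$user = $store->get_user('alice', 'correct horse battery staple');
echo "correct login accepted:  ", var_export($user !== false, true), "\n";

// After the successful login the stored hash carries the current cost.
$info = password_get_info($user['password']);
echo "stored hash cost is now: ", $info['options']['cost'], "\n";
```

The same password_verify() call is used on every login, so the upgrade path costs nothing extra for accounts whose hash already matches the current policy; only a hash created under an older cost (or, if PASSWORD_DEFAULT ever changes, an older algorithm) triggers the one extra password_hash() and UPDATE.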
