在登录脚本中将 password_verify 放在哪里? [英] Where to put password_verify in login script?

问题描述

又一个晚上，另一个问题！

我创建了一个登录页面，如果密码是纯文本，它就可以正常工作.

我遇到的问题是我的注册表单使用 password_hash 将加密的密码输入到表中.

我当前的脚本如下.

<块引用>

注册脚本

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

<块引用>

登录脚本

setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email AND password=:password");$query->bindParam(':email', $_POST['email']);$query->bindParam(':password', $_POST['password']);$query->execute();if($row = $query->fetch()){$_SESSION['email'] = $row['email'];$_SESSION['first_name'] = $row['first_name'];header("位置:../../myaccount/myaccount.php");}else {header("位置:../../login/login.php");}}?>

关于这个我有几个问题:

1. 我应该将 password_verify 放在登录脚本的什么位置?
2. 不必在我的帐户"页面上输入多个 $_SESSION['xxx'] = $row['xxx']; 来显示用户详细信息，我该如何利用我读过的 $results = $stmt->fetch(PDO::FETCH_ASSOC); 方法?

非常感谢，

西里尔华勒斯

解决方案

在阅读代码之前，请记住 Fake Registration 块不会 在您的代码中，但有必要向您展示这一点，端到端.

setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);//开始假注册//假装用户已经设置了密码(来自某些注册插入程序)//注册例程有 SSL/TLS，安全地传递绑定参数.$hp=password_hash($ctPassword,PASSWORD_DEFAULT);//散列密码，使用$conn->query("delete from user_accounts where email='jsmith123@gmail.com'");$conn->query("insert user_accounts(first_name,last_name,email,password) 值 ('joe','smith','jsmith123@gmail.com','$hp')");//我们已经完成假设我们在您的系统中的某个地方进行了注册//结束假注册$query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");$query->bindParam(':email', $formEmail);$query->execute();未设置($_SESSION['email'])；未设置($_SESSION['first_name'])；if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){$_SESSION['email'] = $row['email'];$_SESSION['first_name'] = $row['first_name'];//header("位置:../../myaccount/myaccount.php");echo "万岁，你通过了身份验证.<br/>";}别的 {//header("位置:../../login/login.php");echo "无效登录
";}#}} catch (PDOException $e) {echo '连接失败:'.$e->getMessage();出口();}?>

浏览器输出:

<块引用>

万岁，你通过了身份验证.

注意，password_hash() 函数使用随机盐，这很明显如果您多次运行它，使用相同的明文输入更改的散列密码，例如这些散列密码:

$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW

如上所述，两者都是相同明文密码的后续散列的结果.salt 和散列 cost 被烘焙到散列密码中并保存.这些电话都可以在下面的链接中阅读.

来自手册 password_hash 和 password_verify.

架构

创建表 user_accounts( id int auto_increment 主键，first_name varchar(50) 不为空，last_name varchar(50) 不为空，电子邮件 varchar(100) 不为空，密码 varchar(255) 不为空);

Another night, another question!

I have created a log in page which works fine if the passwords are in plain text.

The issue I have is that my sign up form uses password_hash to enter an encrypted password to the table.

My current scripts are below.

Sign Up Script

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

Log In Script

<?php
session_start();
    if(isset($_POST['email'], $_POST['password'])){
        require('../../../private_html/db_connection/connection.php');
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email AND password=:password");
        $query->bindParam(':email', $_POST['email']);
        $query->bindParam(':password', $_POST['password']);
        $query->execute();

        if($row = $query->fetch()){
            $_SESSION['email'] = $row['email'];
            $_SESSION['first_name'] = $row['first_name'];
            header("Location: ../../myaccount/myaccount.php");
        }
        else {header("Location:../../login/login.php ");}
    }

?>

I have a couple of questions on this one:

1. Where do I put password_verify in my login script?
2. Instead of having to type in multiple $_SESSION['xxx'] = $row['xxx']; to display the users details on the 'My Account' page, how can I utilise the $results = $stmt->fetch(PDO::FETCH_ASSOC); method that I have read about?

Many thanks in advance,

CyrilWalrus

解决方案

Before you read the code, keep in mind that the Fake Registration block would not be in your code, but it is necessary to show you this, end-to-end.

<?php
session_start();
    // Begin Vault
    // credentials from a secure Vault, not hard-coded
    $servername="localhost";
    $dbname="login_system";
    $username="dbUserName";
    $password="dbPassword";
    // End Vault

    // The following two variables would come from your form, naturally
    // as $_POST[]
    $formEmail="jsmith123@gmail.com";
    $ctPassword="¿^?fish╔&®)";  // clear text password

    try {
        #if(isset($_POST['email'], $_POST['password'])){
        #require('../../../private_html/db_connection/connection.php');
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        // Begin Fake Registration
        //   fake it that user already had password set (from some registration insert routine)
        //   the registration routine had SSL/TLS, safely passing bound parameters.
             $hp=password_hash($ctPassword,PASSWORD_DEFAULT); // hashed password, using 
             $conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
             $conn->query("insert user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
        //   we are done assuming we had a registration for somewhere in your system
        // End Fake Registration

        $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
        $query->bindParam(':email', $formEmail);
        $query->execute();

        unset($_SESSION['email']);
        unset($_SESSION['first_name']);

        if(($row = $query->fetch()) && (password_verify($ctPassword,$row['password']))){
            $_SESSION['email'] = $row['email'];
            $_SESSION['first_name'] = $row['first_name'];
            //header("Location: ../../myaccount/myaccount.php");
            echo "hurray, you authenticated.<br/>";
        }
        else {
            //header("Location:../../login/login.php ");
            echo "invalid login<br/>";
        }
        #}
    } catch (PDOException $e) {
        echo 'Connection failed: ' . $e->getMessage();
        exit();
    }
?>

Browser Output:

hurray, you authenticated.

Note, the password_hash() function utilizes a random salt, as is evident if you run it several times, with the hashed password changing with same clearText input, such as these hashed passwords:

$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q

$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW

both of which are the result of subsequent hashings, as mentioned, of the same clear text password. The salt and hash cost are baked into the hashed password and saved. These call all be read about in links below.

From the Manual password_hash and password_verify.

Schema

create table user_accounts
(   id int auto_increment primary key,
    first_name varchar(50) not null,
    last_name varchar(50) not null,
    email varchar(100) not null,
    password varchar(255) not null
);

这篇关于在登录脚本中将 password_verify 放在哪里?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！