hello world! implement password_verify

Published 2019-09-29 17:27

Question:

I'm into PHP and making a login script. Everything works, but I hashed the passwords with Bcrypt in signup.php, so I'm having a problem getting the input password to match. I researched password_verify, but how do I implement it in my own script? To clarify: if I just copy the hash from the table as the password it works, but I want it to work with the normal _POST password input. Any input is welcome.

login.php

<?php
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
require 'database.php';

$username = $_POST["username"];
$password = $_POST["password"];

$sql = "SELECT * FROM table2 WHERE username = '".$username."' AND password = '$password'";
$result = $conn->query($sql);
$result->execute();
$count = $result->fetchcolumn();
var_dump($result);///if($result === FALSE) { 
if($count == 1 ){
    echo"login";
    header("location:login4.php");
} else { var_dump($count);
    echo"logout";
}  // die(mysql_error()); // TODO: better error handling
///}

///while($row = mysql_fetch_array($result))
///{
   /// echo $row['username'];
///}
///if(!$row = mysqli_fetch_assoc($result)) {
/// echo "dd";


//else {
//  echo "logged in";



?>

<html>



<form action="login3.php" method="post">

<input type="text" name="username">
<input type="password" name="password">
<button type="submit" name="submit">login</button>

</form>

</html>

Answer 1:

First of all, you only have to use "WHERE username =". You don't have to check the password when you do the request.

Secondly, you have to verify the password.

Finally, you should also use prepared statements; it's more secure.

So, your code should look like this (the code provided may not be usable as is but you can tweak it to get the result that you want and read the doc to understand prepared statements and how password_verify works):

$sql = "SELECT * FROM table2 WHERE username = :username";
$request = $conn->prepare($sql);
$request->execute([":username" => $_POST["username"]]);
// fetch() returns an associative array, or false when the username does not exist,
// so the column is read as $user['password'] rather than $user->password.
$user = $request->fetch(PDO::FETCH_ASSOC);

if($user !== false && password_verify($_POST["password"], $user['password'])){
    //user is logged in
}else{
    //username unknown or password is wrong
}
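The approach from the answer carried through as a complete, runnable script; this is an added example, not the asker's or the answerer's code. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table and column names (table2, username, password) follow the question, and the user "alice" with password "correct horse" is constructed sample data.

```php
<?php
// Added example: username-only lookup with a bound parameter, bcrypt verification
// with password_verify, a constant-cost path for unknown usernames, and rehashing.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE table2 (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// What signup.php is expected to have stored: a bcrypt hash, never the plaintext.
$insert = $conn->prepare('INSERT INTO table2 (username, password) VALUES (:u, :p)');
$insert->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_BCRYPT)]);

// Hash of a throwaway value (assumption: computed once at startup). Verifying against
// it when the username is unknown costs the same time as a wrong password, so response
// timing does not reveal which usernames exist.
$dummyHash = password_hash('dummy', PASSWORD_BCRYPT);

function login(PDO $conn, string $username, string $password, string $dummyHash): bool
{
    // Select by username only; the submitted password never goes into the SQL text.
    $stmt = $conn->prepare('SELECT password FROM table2 WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash); // burn the same bcrypt cost, then fail
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Transparently upgrade hashes created with an older cost or algorithm.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT)) {
        $upd = $conn->prepare('UPDATE table2 SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_BCRYPT), ':u' => $username]);
    }
    return true;
}

// Same outcome words as the asker's script, driven by the verified result.
echo login($conn, 'alice', 'correct horse', $dummyHash) ? "login\n" : "logout\n";
echo login($conn, 'alice', 'wrong', $dummyHash) ? "login\n" : "logout\n";
// A quoted value in the username is bound as data, not spliced into the query.
echo login($conn, "' OR '1'='1", 'correct horse', $dummyHash) ? "login\n" : "logout\n";
```

In a real login.php the `echo` before `header("Location: ...")` should be dropped, since any output sent first prevents the redirect header from being set.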


Tags: php passwords