Hashing and password_verify

2020-05-06 13:53发布

站内问答 / PHP
1805 2 5

I'm working with my little PHP project and I'm trying to implement hashing on registration and I need to verify my hashed password when user want to log in. I tried a lot but I don't really get how I could use password_verify function in my code.

In my registration.php I have a code:

$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$email = $_POST['email'];

My login.php file looks like this:

$username = $_POST['username'];
        $password = $_POST['password'];

        $username = htmlentities($username, ENT_QUOTES, "utf-8");
        $password = htmlentities($password, ENT_QUOTES, "utf-8");

            if ($result = @$connect_db->query(sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'",
                mysqli_real_escape_string($connect_db, $username),
                mysqli_real_escape_string($connect_db, $password)))
            ) {
                $amount = $result->num_rows;
                if ($amount > 0) {
                    $_SESSION['logged_in'] = true;

                    $row = $result->fetch_assoc();
                    $_SESSION['user_id'] = $row['user_id'];
                    $_SESSION['username'] = $row['username'];
                    $_SESSION['enter code hereemail'] = $row['email'];
                    $_SESSION['admin'] = $row['admin'];

                    unset($_SESSION['error']);
                    $result->free_result();
                    header('Location: dictionary.php');
                } else {
                    $_SESSION['error'] = '<p class="error_m">Invalid username or password!</p>';
                    header('Location: index.php');
                }
            }

My question is about how to use password_verify function in my login.php file?

2条回答
Anthone
2楼-- · 2020-05-06 14:22

When you store the result of password_hash() in the database, you are storing the hashed password. To check if the inputted password is correct to log in a user, you can do something like this (pseudocode):

$result = $db->getAssoc("SELECT password FROM users WHERE username='".$username."'");
if ($result) { 
   if(password_verify($password, $result['password']){
        //log the user in
    }
}

http://php.net/manual/en/function.password-verify.php

查看更多
0人赞 添加讨论(0) 举报
forever°为你锁心
3楼-- · 2020-05-06 14:26

you do not hash the password the user types into the form rather you hash the password when the user is actually registering into your site 

$password = filter_var($_POST['aPass'] , FILTER_SANITIZE_STRING) ;
$newPassword = password_hash($password , PASSWORD_DEFAULT);
// input $newPassword into the database.

For the login process and how to use the password_verify function

$username = filter_var($_POST['username'] , FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['password'],FILTER_SANITIZE_STRING);
// i assume the connection to the database has been established already
$check =  mysqli_query($con , "SELECT passwordtable FROM tablename WHERE usertable=$username") ;
if(mysqli_num_rows($check) === 1){
//fetch the assoc data,would skip that
//since the data has been fetched,we can now use the password_verify function,assuming you saved the fetched data in a variable called $dbPass

if(password_verify($password , $dbPass)){
 //the function takes in two parameters, the first being the inputted pass from your form and the second the hashed password from the database
  header('Location: dictionary.php');
  exit();
} else {
 echo 'Invalid password' ;
}

}

You should also look at mysqli prepared statements

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)