如何在 PHP 中使用 password_verify 函数
How to use password_verify function in PHP
我正在 PHP (login_config.php) 中编写一个基本的网站登录脚本。
我的问题是:关于用户 security/protection,我是否正确实施了 password_verify() 函数?
-注意:Post 数据正在从 login.php
发送
代码(LOGIN_CONFIG.PHP):
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if(!$veri_password === true){$errors[] = '-Account does not exist ';}
编辑:我知道其他缺陷,请注意最初的问题。
您正确使用了明文密码的 password_verify() function as long as $row['password'] is returning the correspondent password hash created by password_hash(),而不是明文密码本身或任何其他值。
Note that no further security concerns are included in this answer.
我正在 PHP (login_config.php) 中编写一个基本的网站登录脚本。
我的问题是:关于用户 security/protection,我是否正确实施了 password_verify() 函数?
-注意:Post 数据正在从 login.php
发送代码(LOGIN_CONFIG.PHP):
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if(!$veri_password === true){$errors[] = '-Account does not exist ';}
编辑:我知道其他缺陷,请注意最初的问题。
您正确使用了明文密码的 password_verify() function as long as $row['password'] is returning the correspondent password hash created by password_hash(),而不是明文密码本身或任何其他值。
Note that no further security concerns are included in this answer.