dsfw2154 2014-11-28 22:03
浏览 47
已采纳

PHP 5.5 Password Hashing API比较2个password_hash()变量的正确方法

I am setting up a registration form and am using the password hashing api, which from what i have read is currently the best way to protect passwords.

my form is

    <form action="register.php" method="post">
        <div class="fluid reg_firstname">
            <label for="first-name">First Name</label>
            <input name="first-name" type="text" style="width:90%;">
        </div>

        <div class="fluid reg_lastname">
            <label for="last-name">Last Name</label>
            <input name="last-name" type="text" style="width:90%;">
        </div>

        <div class="fluid reg_email">
            <label for="email">Email</label>
            <input name="email" type="text" style="width:50%;">
        </div>

        <div class="fluid reg_password">
            <label for="create-password">Create Password</label>
            <input name="create-password" type="password" style="width:70%;">
        </div>
        <div class="fluid reg_password">
            <label for="confirm-password">Confirm Password</label>
            <input name="confirm-password" type="password" style="width:70%;">
        </div>

        <div class="fluid reg_agreement">
        <p>
        By clicking 'Submit' I agree that:
        </p>
        <ul>
            <li>I accept the User Agreement- opens in a new window or tab.</li>
            <li>I give consent to the processing of my data- opens in a new window or tab.</li>
            <li>I may receive communications from SLF and I understand that I can change my notification preferences at any time in My Account.</li>
            <li>I am at least 18 years old.</li>
        </ul>
        </div>

        <div class="fluid reg_submit">
            <input name="step1" type="submit" value="Submit">
        </div>
    </form>

So i am adding some validtion to my form once the submit button is pressed which looks like this

<?php if(isset($_POST['step1']))
{
    #RETRIEVE VARIBLES
    $first = mysqli_real_escape_string($db,$_POST['first-name']);
    $last = mysqli_real_escape_string($db,$_POST['last-name']);
    $email = mysqli_real_escape_string($db,$_POST['email']);
    $password1 = password_hash($_POST['create-password'], PASSWORD_DEFAULT);
    $password2 = password_hash($_POST['confirm-password'], PASSWORD_DEFAULT);


    #VALIDATION CHECKS

    if($first == "")
    {
        $error[] = "Please Enter First Name";
    }
    if(strlen($first) < 2 OR strlen($first) > 16)
    {
        $error[] = "Name between 2 and 16 chars long";
    }
    if(!ctype_alnum ( $first ))
    {
        $error[] = "Letters Only Please";   
    }       

    if($last == "")
    {
        $error[] = "Please Enter Last Name";
    }
    if(strlen($last) < 2 OR strlen($last) > 16)
    {
        $error[] = "Surname between 2 and 16 chars long";
    }
    if(!ctype_alnum ( $last ))
    {
        $error[] = "Letters Only Please";   
    }

    if($email == "")
    {
        $error[] = "Please Enter Vaild Email";
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) 
    {
        $error[] = "Invalid email format";
    }

    if($password1 == "")
    {
        $error[] = "Please enter a valid password";
    }   

    if($password1 <> $password2)
    {
        $error[] = "Passwords Dont Match";
    }


    if(isset($error) && (count($error) >0))
    {
        echo "<pre>";
        print_r($error);
        echo "</pre>";
    }

    echo "step one complete<br />";
    echo $password1."<br />".$password2;
}?>

the trouble im having is with my password check

if($password1 <> $password2)
{
    $error[] = "Passwords Dont Match";
}

im checking if the two varibles match but im guessing because i have added the password_hash to them it is checking the hash value and not the actual value entered by the user? how would i correct this so it checks the actual data and not the hash value (which will never match)?

appreciate any help!

Cheers

  • 写回答

1条回答 默认 最新

  • dongwuge6201 2014-11-28 22:12
    关注

    If you want to test the original data, then why not just actually test the original data?

    if($_POST['create-password'] <> $_POST['confirm-password'])
{
    $error[] = "Passwords Dont Match";
}

    Am I missing something?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog