douwenan9849 2014-05-28 11:43
浏览 49
已采纳

如何从数据库中验证_password

I'm storing a password in a database, like so:

public function add_user($username, $password){

    $password = password_hash($password, PASSWORD_DEFAULT); //here

    $this->query = $this->conn->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $this->query->bindParam(':username', $username);
    $this->query->bindParam(':password', $password);
    $this->query->execute();
}

However, I am not sure how to retrieve it. I know of the function

password_verify($password, $hash)

But I am not sure how to use it. How do I use it to get a user from a database?

What's the best way for me to verify a password with the following code:

public function get_user($username, $password){

    $this->query = $this->conn->prepare('SELECT * from users WHERE username=:username AND password=:password');
    $this->query->bindParam(':username', $username);
    $this->query->bindParam(':password', $password);
    $this->query->execute();
    $this->retrieve = $this->query->fetchAll(PDO::FETCH_ASSOC);
}

Any help or guidance would be great. The logic of this has confused me greatly.

  • 写回答

2条回答 默认 最新

  • dousha1831 2014-05-28 12:14
    关注

    First of all, +1 for using PHP's password functions for password hashing!

    In contrary to normal hashing functions (such as md5(), sha1(), etc. - which should not be used for password hashing), password_hash() will produce a different hash from the same password every time, because it automatically generates a random salt for every hash. This is a great feature that makes your password hashes a lot safer, but it means that you cannot use password_hash() to hash the entered password, and use that hashed password in your SQL query (combined with the username) to retrieve the user.

    Instead, just retrieve the user based on it's username - and then compare the retrieved password hash with the entered password using password_verify(). This function is able to compare the entered password with the stored hash, even if the cost or algorithm have changed.

    Example (using your code):

    public function get_user($username, $password)
{
    $this->query = $this->conn->prepare('SELECT * from users WHERE username=:username LIMIT 1');
    $this->query->bindParam(':username', $username);
    $this->query->execute();
    $user = $this->query->fetch(PDO::FETCH_ASSOC);

    if (password_verify($password, $user['password']) {
        // password is correct, return the user
        return $user;
    } else {
        // incorrect password
        return false;
    }
}

    Increasing the strength of passwords in the future

    As I said before, the new password API allows to upgrade the strength of newly generated password hashes without breaking older ones. This is because the cost and the algorithm (as well as the salt, by the way) are stored within the hash.

    It is advisable to increase the cost over time, as available hardware becomes stronger (decreasing the time it would take for an attacker to brute-force a password).

    If you decide to do so, or if you decide to use another hashing algorithm, don't forget to add a check using password_needs_rehash() in your login procedure. This way existing passwords will be re-hashed as well.

    If the function (called with the hash from the database as a parameter) returns true, simply run password_hash() again and overwrite the old hash in the database with the new hash. This can obviously only be done when users log in, because that is the only time you should have access to the plain-text passwords.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决
  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化