dragon87836215 2016-02-01 20:28
浏览 16

关于login.php中的while循环

I have a question, after using this stack post to solve a password_verify issue: How to use password_verify function in PHP

Say I have this login form:

<?php
    session_start();
    if ($_SERVER['REQUEST_METHOD'] == 'GET') { ?>
        <form id="signin_frm" name="signinFrm" action="<?php echo htmlentities($_SERVER['SCRIPT_NAME']) ?>" method="post">
            <label class="label-first" for="email">Email</label>
            <input id="email" type="email" name="login_email" placeholder="Someone@example.com" required>
            <label for="pswd">Password</label>
            <input id="pswd" type="password" name="login_password" placeholder="Password" required>
            <fieldset>
                <input class="btn" type="submit" value="Sign-Up">
            </fieldset>
        </form>
<?php } else {
    $email = $_POST['login_email'];
    $password = $_POST['login_password'];
    $find_pswd = "SELECT password FROM UserLogin WHERE email = '$email';";
    $query = mysqli_query($link, $find_pswd);

    while ($row = mysqli_fetch_array($query)) {
        $user_pass = $row['password'];
        $verify_pass = password_verify($password, $user_pass);
    }

    if ($verify_pass === false) {
        echo "Invalid Password";
    }

    mysqli_free_result($query);
}
?>

If, through the mysql query, I am already retrieving a singular value from the table, why is it necessary to use the While Loop in order for password verification to work (verify_password() returning true)? Is there not a simpler way of doing this?

Prior to implementing the while loop, I had this:

<?php } else {
        $email = $_POST['login_email'];
        $password = $_POST['login_password'];
        $find_pswd = "SELECT password FROM UserLogin WHERE email = '$email';";
        $query = mysqli_query($link, $find_pswd);
        $pswd_fetch = mysqli_fetch_array($query);
        if (password_verify($password, $pswd_fetch) === false) {
            echo "Invalid Password";
        }

        mysqli_free_result($query);
    }
?>

Thank you! Aside from this question, feel free to provide any other suggestions in improving this code. I am looking to keep the login fairly simple, as I am only providing the user means to editing information that is not highly sensitive.

NOTE: The password in the database is hashed (BCrypt). Thanks to those who mentioned hashing!

  • 写回答

3条回答 默认 最新

  • dongtui6347 2016-02-01 20:42
    关注

    Like Marc B said, you don't need to have a While loop.

    It's also a good idea to escape user entered data before querying the DB just to avoid injection, if someone wishes to do hard to your website/database.

     $email = mysqli_real_escape_string($_POST['login_email']);

    You could also instead of doing this:

    if ($_SERVER['REQUEST_METHOD'] == 'GET')

    You could have:

    if(!isset($_POST)){ 
     //Show form 
 } 
  else { 
     //Query DB With POST details
  }
    评论

报告相同问题?

悬赏问题

  • ¥20 测距传感器数据手册i2c
  • ¥15 RPA正常跑,cmd输入cookies跑不出来
  • ¥15 求帮我调试一下freefem代码
  • ¥15 matlab代码解决,怎么运行
  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法