dongying6896 2014-04-18 20:00
浏览 45
已采纳

如何正确使用密码_verify与PDO和盐?

I'm using the password_ compatibility for my password_ functions and I'm trying to protect my users with this password protecting system.

Firstly, I use the password_hash() function for storing a hash of the password into the db, and then, I guess I have to use the password_verify() function when a user logs in so I can verify if he (or she) entered the password correctly.
Actually, I'm stuck in that step... I guess I have to use a salt and a hash in order to use password_verify(), but I don't know exactly how to take the salt created with the password_hash(). I've read the official guide but I cannot find any help there...

This is the code I actually use with the register:

$connection = new PDO(/*My DB details...*/);
$sql = 'INSERT into users(username, password, mail ,sex) VALUES (:username, :password, :mail, :sex)';

$statement = $connection->prepare($sql);

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$statement->bindParam(':username', $_POST['username'], PDO::PARAM_STR, 15);
$statement->bindParam(':password', $password, PDO::PARAM_STR, 30);
$statement->bindParam(':mail', $_POST['mail'], PDO::PARAM_STR, 50);
$statement->bindParam(':sex', $_POST['sex'], PDO::PARAM_STR, 10);
$result = $statement->execute();

Now, I don't know exactly what code I can use for the login system... Because I guess I'd have to use the password_verify(), but I don't know exactly where and how to put it. This is actually the code I have for my login system without password encrypting...

$connection = new PDO(/*My connection info...*/);
        $sql = 'SELECT * FROM users WHERE username = :username AND password = :password';

        $statement = $connection->prepare($sql);

        $statement->bindParam(':username', $_POST['username'], PDO::PARAM_STR, 12);
        $statement->bindParam(':password', $_POST['password'], PDO::PARAM_STR, 30);
        $result = $statement->execute();

        if ($result) {
            $result = $statement->fetchAll();
            if (!empty($result)){
                // Other code I have...
            }

So, what do you recommend me to use now? I'm really lost...
Thanks!

PS: Another thing I want to add is that I think I should store every user salt in the db... Am I right? How can I do it?

  • 写回答

1条回答 默认 最新

  • douqiaotong8682 2014-04-18 20:07
    关注

    To verify a password you have to retrieve it. Means you have to select it, not use in a condition. Once selected, it can be easily verified. Sounds logically?

    For the salt you don't need to worry at all - it s already stored.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决
  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化