dongshi4078 2014-03-20 22:21
浏览 40
已采纳

用PHP比较MySql密码()

I have found this post helpful MySQL password() function to PHP but I am having trouble applying the solution offered there to my problem.

A password was stored in a Mysql using Password(). I want to adapt this script to compare the entered password with the one stored in the database, rather than use the 'crypt()' function. 

    public function authenticate($user,$pass) {
        $mysqli = new mysqli(DBHOST,DBUSER,DBPASS,DB);
        if ($mysqli->connect_errno) {
        error_log("Cannot connect to MySQL: " . $mysqli->connect_error);
        return false;
        }
        $safeUser = $mysqli->real_escape_string($user);
        $incomingPassword = $mysqli->real_escape_string($pass);
        $query = "SELECT * from users WHERE username ='{$safeUser}'";
        if (!$result = $mysqli->query($query)) {
            error_log("Cannot retrieve account for {$user}");
            return false;
        }

        // Will be only one row, so no while() loop needed
        $row = $result->fetch_assoc();
        $dbPassword = $row['password'];
        if (crypt($incomingPassword,$dbPassword) != $dbPassword) {
        error_log("Passwords for {$user} don't match");
        return false;
        }
        $this->id = $row['id'];
        $this->firstName = $row['first_name'];
        $this->lastName = $row['last_name'];            
        $this->username = $row['username'];
        $this->email = $row['email'];
        $this->dateJoin = $row['dateJoin'];
        $this->school = $row['school'];
        $this->level = $row['level'];
        $this->isLoggedIn = true;
        $this->_setSession();
        return true;
    } //end function authenticate

Is there an easy way to adapt this script? Do I just add 

AND `password` = PASSWORD('{$incomingPassword}')

to my query? This seems a little clumsy.

  • 写回答

1条回答 默认 最新

  • douyan6742 2014-03-21 09:19
    关注

    Are you really sure the passwords where hashed with the MySql Password() function, because this function is not meant to be used in applications? It is not possible to store passwords safely and verify passwords in an SQL-query directly.

    You really should use a slow hashing function like BCrypt, and salting is mandatory. That means, that you need a two step process, first get the stored password hash by username with an SQL-query, then extract the salt from the hash and do the verification.

    The recommended way to hash passwords with PHP is the new function password_hash():

    // Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

    If you are interested in more in-depth information about this topic, you can have a look at my tutorial about safely storing passwords.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 C++ yoloV5改写遇到的问题
  • ¥20 win11修改中文用户名路径
  • ¥15 win2012磁盘空间不足,c盘正常,d盘无法写入
  • ¥15 用土力学知识进行土坡稳定性分析与挡土墙设计
  • ¥70 PlayWright在Java上连接CDP关联本地Chrome启动失败,貌似是Windows端口转发问题
  • ¥15 帮我写一个c++工程
  • ¥30 Eclipse官网打不开,官网首页进不去,显示无法访问此页面,求解决方法
  • ¥15 关于smbclient 库的使用
  • ¥15 微信小程序协议怎么写
  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?