安全注册,使用hash()登录
<?php 
$conn=mysqli_connect("localhost", "root", "","users");

if (!$conn) {
    echo "Bad connection!!!";
}

        $user_name=$_POST['user_name'];
        $user_password=$_POST['user_password'];


$sql_check=mysqli_query($conn, "SELECT user_name, password FROM user_info WHERE user_name='$user_name' AND password='$user_password'") or die("Bad sql query");

if (mysqli_num_rows($sql_check)>0) {
    echo "user exists";
}



else {
    $sql_insert=mysqli_query($conn, "INSERT INTO user_info (id, user_name, password) VALUES (null,'$user_name', '$user_password')");
    echo "New user added!!!";
}
 ?>

 <!DOCTYPE html>
 <html>
 <head>
    <title></title>
 </head>
 <body>



<form method="POST" action="pdo_konekcija.php">
<input type="text" name="user_name">
<input type="password" name="user_name">
<input type="submit" name="btn_submit" value="REGISTER">
</form>


 </body>
 </html>

I have basic form for user registration. I can't figure best way for checking if the user exists or not, so if not I want to register new user as you can see from sql statements. How can I include hash() for password for the user_password field? Both fields must be filled for checking and registering process. Can I use this kind of mysql I procedural way for preventing sql injection or not? I am building register/login from scratch so need help, thank you all.

php
dongyuan1902
dongyuan1902 危险:您很容易受到需要保护自己的SQL注入攻击。
4 年多之前 回复

2个回答



使用PHP的内置函数进行散列和验证密码,但这需要5.5.0及更高版本。
http://php.net/manual/en/function.password-hash.php </ p>

将salt存储在注册时创建的数据库中。
当用户登录时,检查它们是否存在,获取其盐并使用password_verify进行验证。 </ p>

在处理此数据时使用预准备语句来停止SQL注入</ p>

github上有兼容版本( https://github.com/ircmaxell/password_compat )如果你没有5.5.0及以上版本。</ p>
< / DIV>

展开原文

原文

Use PHP's built in functions for hashing and verifying passwords however this requires version 5.5.0 and above. http://php.net/manual/en/function.password-hash.php

Store a salt in the database which is created on registration. When the user logs in, check if they exists, get their salt and verify using password_verify.

Use prepared statements when dealing with this data to stop SQL Injection

There is a compatibility version on github (https://github.com/ircmaxell/password_compat) if you don't have 5.5.0 and above.



要检查用户密码是否匹配,首先检查用户是否存在并检索其密码哈希值,然后通过哈希验证函数运行它 。</ p>

在回答第二个问题时,是的,您当前的系统容易受到SQL注入攻击。</ p>
</ div>

展开原文

原文

For checking if a users password matches, first check the user exists and retrieve their password hash, then run it through your hash verification function afterwards.

In answer to your second question, yes your current system is vulnerable to SQL injection.

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐