doumei1926
2015-03-13 14:28
浏览 50
已采纳

验证PDO预处理语句中的password_hash()

I'm trying to use the bcrypt algorithm for hashing the passwords but I've ran into a couple of problems. First of all, I can't find the appropriate spot to check whether password_verify() returns true.

$admin = $_POST['admin-user'];
$pass = $_POST['admin-pass'];

$password_hash = password_hash($pass, PASSWORD_BCRYPT);

if (isset($admin)&&isset($pass)&&!empty($admin)&&!empty($pass)) {

$admin_select = $link->prepare("SELECT `id` FROM `admins` WHERE `username` = :admin");

$admin_passwd = $link->prepare("SELECT `password` FROM `admins` WHERE `username` = :admin_pw");
$admin_passwd->execute(array(':admin_pw' => $admin));
$admin_pwd = $admin_passwd->fetch(PDO::FETCH_ASSOC);

    if (password_verify($pass, $admin_pwd)){

            if ($admin_select->execute(array(':admin' => $admin))) {
                $res = $link->query('SELECT COUNT(*) FROM requests');
                $query_num_rowz = $res->fetchColumn();
            if ($query_num_rowz == 0) {
                echo 'No records found';
            } else if ($query_num_rowz > 0) {
                $query = $link->prepare("SELECT id FROM admins WHERE username = :admin");
                 $query->execute(array(':admin' => $admin));
                 $admin_id = $query->fetch(PDO::FETCH_ASSOC);
                $_SESSION['admin_id'] = $admin_id;
                header('Location: index.php');
            }
        }
    }
}

Second of all, I'm not sure this is the right way to select the user's password.

$admin_passwd = $link->prepare("SELECT `password` FROM `admins` WHERE `username` = :admin_pw");
$admin_passwd->execute(array(':admin_pw' => $admin));
$admin_pwd = $admin_passwd->fetch(PDO::FETCH_ASSOC);

1条回答 默认 最新

相关推荐 更多相似问题