我正在尝试使用password_hash()和password_verify()函数从我的MySQL数据库验证用户的哈希密码。我正在尝试使用准备好的PHP语句来实现此目的,以提高安全性,但是没有运气。有人知道为什么吗?
这里是代码:
//check if password is linked to username
$checkpass = $conn->prepare("SELECT user_password FROM user_details WHERE user_password=?");
$checkpass->bind_param("s", $preppass);
$preppass = $password;
$getpass = $checkpass->execute();
//get and check result
$checkpass->bind_result($getpass);
$checkpass->fetch();
if (!password_verify($password, $getpass)) {
echo "<script>console.log('Incorrect username or password!')</script>";
return false;
exit;
}
echo "S<script>console.log('Successfully logged in!')</script>";
$conn->close();
这里是数据库:
我尝试过的:
Unable to extract password hash from database with prepared statements
Verify hashed password from database
我真的很感谢您的帮助。
非常感谢!
您必须使用用户名而不是密码来查找哈希密码,因为您不知道哈希密码是什么。然后使用password_verify()检查输入的密码是否与哈希密码匹配。
$checkpass = $conn->prepare("SELECT user_password FROM user_details WHERE username=?");
$checkpass->bind_param("s", $username);
$checkpass->execute();
//get and check result
$checkpass->bind_result($getpass);
$checkpass->fetch();
if (!password_verify($password, $getpass)) {
echo "<script>console.log('Incorrect username or password!')</script>";
return false;
exit;
}
echo "S<script>console.log('Successfully logged in!')</script>";
$conn->close();
因为您准备的SQL语句正在使用?(WHERE user_password=?"),所以$checkpass->bind_param("s", $preppass);似乎试图将$prepass绑定到不存在的参数:s。
要么使用WHERE user_password=:s"(声明命名的语句参数),要么使用$checkpass->bind_param(1, $preppass);(将普通密码绑定到该语句的第一个?)。