我无法使用password_verify验证密码。我使用BCRYPT进行密码散列。帮助我在这段代码中找到错误,如何在下面的select语句中绑定变量:
<?php
if (isset($_POST['submit'])) {
// echo "ok";
$con = connect();
$email = $_POST['email_id'];
$pass_word = $_POST['pass_word'];
if ($con) {
$query = mysqli_query($con,"select * from login where email_id='".$email."'");
$rows = mysqli_num_rows($query);
if ($query) {
$row = mysqli_fetch_assoc($query);
if ($row) {
$hash = $row['password'];
if (password_verify($pass_word,$hash) {
echo '<strong>Successful' ;
} else {
echo "Invalid Password";
}
}
}
} else {
die("Connection Error");
}
}
?>
答案 0 :(得分:2)
缺少括号:
在这里改变
if(password_verify($pass_word,$hash)
到
if(password_verify($pass_word,$hash))
按要求扩展:
"select * from login where email_id='".$email."'";
变为
"select * from login where email_id= ?";
传递给$ mysqli :: prepare:
$stmt = $con->prepare("SELECT * FROM login WHERE email_id= ?");
$stmt->bind_param( "s", $email); // "ss' is a format string, each "s" means string
$stmt->execute();
$stmt->bind_result($email);// then fetch and close the statement
答案 1 :(得分:2)
在
中需要一个封闭的括号if(password_verify($pass_word,$hash)
您的查询也会暴露给sql注入尝试准备它并使用
绑定参数$query=$conn->prepare($con,"select * from login where email_id=?");
$query->bind_param('s',$email); //change 's' with 'i' if you are expecting an integer
$query->execute()//to execute the query
答案 2 :(得分:2)
将此用于bind param
$stmt = $con->prepare("select * from login where email_id=?");
$stmt->bind_param("s", $email);
$stmt->execute();