PHP密码验证

时间:2016-06-29 04:49:51

标签: php hash passwords

我无法使用password_verify验证密码。我使用BCRYPT进行密码散列。帮助我在这段代码中找到错误,如何在下面的select语句中绑定变量:

<?php
    if (isset($_POST['submit'])) {
        // echo "ok";
        $con = connect();
        $email = $_POST['email_id'];
        $pass_word = $_POST['pass_word'];
        if ($con) {
            $query = mysqli_query($con,"select * from login where email_id='".$email."'");
            $rows = mysqli_num_rows($query);
            if ($query) {
                $row = mysqli_fetch_assoc($query);
                if ($row) {
                    $hash = $row['password'];
                    if (password_verify($pass_word,$hash) {
                        echo '<strong>Successful' ;
                    } else {
                        echo "Invalid Password";
                    }
                }
            }
        } else {
            die("Connection Error");
        }
    }
?>

3 个答案:

答案 0 :(得分:2)

缺少括号:

在这里改变

if(password_verify($pass_word,$hash)

if(password_verify($pass_word,$hash))

按要求扩展:

"select * from login where email_id='".$email."'";

变为

"select * from login where email_id= ?";

传递给$ mysqli :: prepare:

$stmt = $con->prepare("SELECT * FROM login WHERE email_id= ?");
$stmt->bind_param( "s", $email); // "ss' is a format string, each "s" means string
$stmt->execute();
$stmt->bind_result($email);// then fetch and close the statement

答案 1 :(得分:2)

中需要一个封闭的括号
if(password_verify($pass_word,$hash)

您的查询也会暴露给sql注入尝试准备它并使用

绑定参数
$query=$conn->prepare($con,"select * from login where email_id=?");
$query->bind_param('s',$email); //change 's' with 'i' if you are expecting an integer 
$query->execute()//to execute the query

答案 2 :(得分:2)

将此用于bind param

$stmt = $con->prepare("select * from login where email_id=?");
$stmt->bind_param("s", $email);
$stmt->execute();