I am trying to store the password as md5 in the database, this is the relevant code:
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
$pass = $_POST['pass'];
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass);
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
$select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
$select->setFetchMode();
$select->execute();
$data=$select->fetch();
if($data['email']!=$email and $data['pass']!=$pass) {
echo "invalid email or pass";
}
elseif($data['email']==$email and $data['pass']==$pass) {
$_SESSION['email']=$data['email'];
$_SESSION['name']=$data['name'];
header("location:profile.php");
}
}
What column length in the database is suitable for storing this hashed password?
How do I use this:
$hashed_password = password_hash($pass, PASSWORD_DEFAULT);
var_dump($hashed_password);
And the if statement, to check if the password is correct?
Answer 0: (score: 2)
It is pretty simple once you read the manual or look at an example in a tutorial. See the comments in the code for details.
<?php
include_once("config.php");
session_start();
if(isset($_POST['signup'])){
$name = $_POST['name'];
$email = $_POST['email'];
// at signup you hash the user provided password
$pass = password_hash($_POST['pass'], PASSWORD_DEFAULT);
$insert = $pdo->prepare("INSERT INTO users (name,email,pass)
values(:name,:email,:pass) ");
$insert->bindParam(':name',$name);
$insert->bindParam(':email',$email);
$insert->bindParam(':pass',$pass); // this stores the hashed password
$insert->execute();
}elseif(isset($_POST['signin'])){
$email = $_POST['email'];
$pass = $_POST['pass'];
// as the password on the DB is hashed you cannot use the
// plain text password in the SELECT here as it wont match
$select = $pdo->prepare("SELECT * FROM users WHERE email=:email");
// no idea what this was doing
//$select->setFetchMode();
$select->bindParam(':email',$email);
$select->execute();
$row = $select->fetch(PDO::FETCH_ASSOC);
// fetch() returns false when no row matched the email, so check that
// before reading $row['pass']; then verify the plain text password
// against the hashed value from DB in $row['pass']
if( $row && password_verify($pass, $row['pass']) ){
$_SESSION['email'] = $row['email'];
$_SESSION['name'] = $row['name'];
header("location:profile.php");
exit;
} else {
echo "invalid email or pass";
}
}
As for the length of the database column that needs to hold this hash, it is documented in the manual
The following algorithms are currently supported:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
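The signup/signin flow from the answer, as an added self-contained example (not the asker's or the answerer's code): it uses an in-memory SQLite database through PDO instead of config.php, stores the hash in a 255-character column as the manual recommends, handles the no-such-user case, and upgrades the stored hash with password_needs_rehash() when PASSWORD_DEFAULT changes. The table layout, column width and function names are assumptions for the example.

```php
<?php
// Added example: in-memory SQLite via PDO so it runs without config.php.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for the hash to grow when PASSWORD_DEFAULT changes.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE, pass VARCHAR(255))");

function signup(PDO $pdo, string $name, string $email, string $plain): void {
    // Hash once at signup; the plain text password is never stored.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT INTO users (name, email, pass) VALUES (:name, :email, :pass)");
    $stmt->execute([':name' => $name, ':email' => $email, ':pass' => $hash]);
}

function signin(PDO $pdo, string $email, string $plain): ?array {
    // Look the user up by email only; a salted hash cannot be matched in SQL.
    $stmt = $pdo->prepare("SELECT id, name, email, pass FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matched; check before reading $row['pass'].
    if ($row === false || !password_verify($plain, $row['pass'])) {
        return null;
    }
    // If the default algorithm or cost changed since signup, re-hash while the
    // plain text password is available and store the upgraded hash.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare("UPDATE users SET pass = :pass WHERE id = :id");
        $upd->execute([':pass' => password_hash($plain, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    unset($row['pass']); // do not hand the hash to the session or templates
    return $row;
}

// Constructed sample data for the demonstration.
signup($pdo, 'Alice', 'alice@example.com', 'correct horse battery staple');
$cases = [
    ['alice@example.com', 'correct horse battery staple'],
    ['alice@example.com', 'wrong password'],
    ['nobody@example.com', 'anything'],
];
foreach ($cases as [$email, $plain]) {
    $user = signin($pdo, $email, $plain);
    echo $email, ': ', ($user === null ? 'invalid email or pass' : 'welcome ' . $user['name']), PHP_EOL;
}
```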