我是PHP和MySQL的初学者。我正在尝试验证MySQL 5.7 DB中的用户输入(用户名和密码),但没有机会。让我解释一下我的问题;
我在firstdb创建了一个用户名:firstuser密码:firstpassword,通过phpMyAdmin页面。
CODE(check_user-pass.php)
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="rootpassword"; // Mysql password
$db_name="firstdb"; // Database name
$tbl_name="mysql.user"; // Table name
$conn = new mysqli($host, $username, $password, $db_name);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
// Define $username and $password
$myusername=$_POST['EMail'];
$mypassword=$_POST['Password'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = mysqli_real_escape_string($conn,$_POST['EMail']);
$mypassword = mysqli_real_escape_string($conn,$_POST['Password']);
$sql="SELECT * FROM $tbl_name WHERE user='$myusername' and authentication_string='$mypassword'";
$result = $conn->query($sql);
$count = 0;
// Mysql_num_row is counting table row
if ($result = mysqli_query($conn, $sql)) {
/* determine number of rows result set */
$count = mysqli_num_rows($result);
printf("Result set has %d rows.\n", $count);
/* close result set */
mysqli_free_result($result);
}
// If result matched $username and $password, table row must be 1 row
if ($count==1) {
echo "Success! $count";
} else {
echo "Unsuccessful! $count";
}
ob_end_flush();
?>
代码返回: Connected successfullyResult set has 0 rows. Unsuccessful! 0
如果我删除此行:and authentication_string='$mypassword' 代码返回: Connected successfullyResult set has 1 rows. Success! 1
我成功检索了从index.php到check_user-pass.php的用户输入,但mysql.user表中没有明确的密码列用于数据库中的匹配。
我在网上搜索并找到; password列已在5.x中更改为authentication_string,但此列包含散列内容。所以我无法将此用户密码与此匹配。
问题1
我应该创建一个表并为DB中的每个用户存储用户名和清除密码以进行验证吗?
问题2
如果问题1答案为否,如何实现此验证问题?
答案 0 :(得分:-2)
我为我自己写过一个班级的人做了很多登录,如果你感兴趣的话就在github上 https://github.com/wazimshizm/secure-login
最简单的开箱即用身份验证,使用它来存储&amp;比较密码:
password_hash($passwordVariable, PASSWORD_DEFAULT);
password_verify($inputPassword, $storedPassword);