Question

我正在为iOS应用程序开发登录系统。

这是我用来向应用程序发送JSON响应的PHP脚本的一部分：

if(isset($_POST['correo']) && isset($_POST['pass']) && $_POST['key'] == "123456")
{


    $password = $_POST['pass'];



    $q = mysqli_query($mysqli,"SELECT * FROM users WHERE email = '".$_POST['correo']."' AND 
    encrypted_password = '".$_POST['pass']."'") or die (mysqli_error());

    if(mysqli_num_rows($q) >= 1){
        $r = mysqli_fetch_array($q);

// this is the hash of the password in above example
            $hash = $r['encrypted_password'];

            if (password_verify($password, $hash)) {

                $results = Array("error" => "1","mensaje" => "su ID es ".$r['id'],"nombre" => $r['nombre'],"apellidos" => $r['apellidos'],"email" => $r['email'],
        "imagen" => $r['imagen'],"unidad" => $r['unidad']);

            } else {
                $results = Array("error" => "2","mensaje" => " acceso denegado ");
            }

    }else{
        $results = Array("error" => "3","mensaje" => "no existe");
    }

}

echo json_encode($results);

我的问题是在PHP中使用password_verify。我想知道它是否应该在脚本中工作，然后在应用程序中没有收到JSON响应。

谢谢

Answer 1

您无需在password条件中匹配WHERE，例如：

$q = mysqli_query($mysqli,"SELECT * FROM users WHERE email = '".$_POST['correo']."'") or die (mysqli_error());

        if(mysqli_num_rows($q) >= 1){
                $r = mysqli_fetch_array($q);



                // this is the hash of the password in above example
                $hash = $r['encrypted_password'];

                //you need to match the password from form post against password from DB using password_hash    

                if (password_verify($password, $hash)) {

为了防止SQL注入使用参数化查询ref：How can I prevent SQL injection in PHP?

在PHP中使用password_verify

1 个答案: