我正在尝试检查用户对我保存在数据库中的密码进行哈希密码检查。它与this guy几乎是同一个问题,但我正在尝试使用PDO,我不确定如何从数据库中获取哈希密码以进行检查。这是我到目前为止登录页面的代码:
<?php
ini_set('display_errors', 1);
error_reporting(E_ALL); ini_set('display_errors', 1);
require_once "/home/carlton/public_html/PHPproject/includes/PasswordHash.php";
if ($_POST){
$form = $_POST;
$username = $form['username'];
$password = $form['password'];
try{
$db = new PDO('mysql:host=localhost;dbname=phpproject', 'root', 'pdt1848!');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PODException $e){
echo "Can't connect to the database";
}
$sql = "SELECT * FROM users WHERE username=:username";
$query = $db->prepare($sql);
$query->execute(array(':username'=>$username, ':password'=>$stored_hash));
$results = $query->fetchAll(PDO::FETCH_ASSOC);
$check = $hash_obj->CheckPassword($password, $stored_hash);
if($check){
print_r("Registered user");
}
else{
print_r("Not a registered user");
}
//login here
}
else{
?>
<form name="login" action="login.php" method="POST">
<label for "username">Username: </label>
<input type="text" name="username"/><br />
<label for "password">Password: </label>
<input type="password" name="password"/><br />
<button type="submit">Submit</button>
<button type="reset">Reset Form</button>
</form>
<?php
}
?>
答案 0 :(得分:1)
那很简单。
您必须先选择存储的密码然后验证它。
答案 1 :(得分:0)
伪代码:
$q=$db->prepare('SELECT * FROM usertable WHERE username=? AND passwordhash=?');
$thehashvalue=calc_hash_of_password_according_to_your_agorithm($params);
$theusername=the_username_that_was_posted();
$q->execute(array($theusername, $thehashvalue));
$lastlogin=null;
while($r=$q->fetch(PDO::FETCH_ASSOC)) {
# successfully authenticated
$lastlogin=$r['lastlogin']; ## example. assumes a "lastlogin" column on "usertable"
}
if(!empty($lastlogin)) {
# user is logged in
}else{
# login failed
}
哈希计算函数可以像md5($posted_passwd)一样简单,但最好是对哈希进行加密,这样相同的密码就可以为不同的用户和/或不同的系统提供不同的哈希值。只需确保在数据库中存储密码哈希时使用相同的哈希函数。
答案 2 :(得分:0)
你真的只是比较你的数据库中的哈希密码与输入的密码匹配,一旦它也被类似地哈希。
root帐户访问您的数据库SELECT * - 只需选择您实际需要的列。:username)必须等于查询中绑定参数(':username'=>$username)的数量。否则PDO会抛出错误。print_r是回显变量,特别是数组的值。如果您只是回复字符串作为回复,那么只需print或echo即可。答案 3 :(得分:-1)
这是我的登录工作代码,以防其他人看到类似的问题。我正在寻找的信息是在第20行,从$ response开始。这允许我从数据库中获取密码,我将其设置为$ stored_hash。然后我可以使用PHPass的CheckPassword函数对它进行比较。
<?php
session_start();
ini_set('display_errors', 1);
error_reporting(E_ALL); ini_set('display_errors', 1);
require "/home/carlton/public_html/PHPproject/includes/PasswordHash.php";
if ($_POST){
$form = $_POST;
$username = $form['username'];
$password = $form['password'];
$hash_obj = new PasswordHash(8, false);
try{
$db = new PDO('mysql:host=localhost;dbname=phpproject', 'carl', 'pdt1848?');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PODException $e){
echo "Can't connect to the database";
}
$response = $db->query("SELECT password FROM users WHERE username='$username'");
$data=$response->fetch();
$stored_hash = $data['password'];
$check = $hash_obj->CheckPassword($password, $stored_hash);
if($check){
echo "Login successful!";
$_SESSION['logged_in'] = true;
}
else{
echo "Authentication failed. Please try again.";
}
//login here
}
else{
?>
<form name="login" action="login.php" method="POST">
<label for "username">Username: </label>
<input type="text" name="username"/><br />
<label for "password">Password: </label>
<input type="password" name="password"/><br />
<button type="submit">Submit</button>
<button type="reset">Reset Form</button>
</form>
<?php
}
?>