1. 首頁
  2. 問答
  3. 傳中password_hash場PDO

傳中password_hash場PDO

2017-04-18 101 views
-4

我試圖處理密碼的MD5到數據庫中,這是有關代碼:傳中password_hash場PDO

include_once("config.php"); 
session_start(); 

if(isset($_POST['signup'])){ 
    $name = $_POST['name']; 
    $email = $_POST['email']; 
    $pass = $_POST['pass']; 

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass) 
           values(:name,:email,:pass) "); 
    $insert->bindParam(':name',$name); 
    $insert->bindParam(':email',$email); 
    $insert->bindParam(':pass',$pass); 
    $insert->execute(); 
}elseif(isset($_POST['signin'])){ 
    $email = $_POST['email']; 
    $pass = $_POST['pass']; 

    $select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'"); 
    $select->setFetchMode(); 
    $select->execute(); 
    $data=$select->fetch(); 
    if($data['email']!=$email and $data['pass']!=$pass) { 
     echo "invalid email or pass"; 
    } 
    elseif($data['email']==$email and $data['pass']==$pass) { 
     $_SESSION['email']=$data['email']; 
     $_SESSION['name']=$data['name']; 
     header("location:profile.php"); 
    } 
}

在db什麼長度是合適的存儲這個散列密碼?

我如何使用:

$hashed_password = password_hash($pass, PASSWORD_DEFAULT); 
    var_dump($hashed_password);

和if語句,如果密碼是確定的?

來源

2017-04-18 user2371684

+3

你爲什麼不嘗試看到?它看起來是正確的,除了'md5()'是舊的和破碎的事實。你應該考慮使用'password_hash()'代替 – Qirel

+3

而不是使用'md5',使用'password_ *'api來代替http://stackoverflow.com/questions/30279321/how-to-use-password-hash – Ghost

+0

我改變了我的代碼使用password_hash,但我不知道如何將if語句包裹在我的insert – user2371684

回答

2

一旦您閱讀手冊或在教程中看到示例,它確實非常簡單。看評論在細節

<?php 
include_once("config.php"); 
session_start(); 

if(isset($_POST['signup'])){ 
    $name = $_POST['name']; 
    $email = $_POST['email']; 

    // at signup you hash the user provided password 
    $pass = password_hash($_POST['pass'], PASSWORD_DEFAULT); 

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass) 
           values(:name,:email,:pass) "); 
    $insert->bindParam(':name',$name); 
    $insert->bindParam(':email',$email); 
    $insert->bindParam(':pass',$pass); // this stores the hashed password 
    $insert->execute(); 
}elseif(isset($_POST['signin'])){ 
    $email = $_POST['email']; 
    $pass = $_POST['pass']; 

    // as the password on the DB is hashed you cannot use the 
    // plain text password in the SELECT here as it wont match 
    $select = $pdo->prepare("SELECT * FROM users WHERE email=:email"); 

    // no idea what this was doing 
    //$select->setFetchMode(); 
    $select->bindParam(':email',$email); 
    $select->execute(); 

    $row = $select->fetch(PDO::FETCH_ASSOC); 

    // verify the plain text password against the 
    // hashed value from DB in $row['pass'] 
    if(password_verify($pass, $row['pass'])){ 
     $_SESSION['email'] = $data['email']; 
     $_SESSION['name'] = $data['name']; 
     header("location:profile.php"); 
     exit; 
    } else { 
     echo "invalid email or pass"; 
    } 
}

並作爲在數據庫中,你需要保持這個散列值的列的長度的代碼,它是documented in the manual

The following algorithms are currently supported:

  • PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

  • PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

來源

2017-04-18 23:39:55 RiggsFolly

+0

謝謝:)有一件事我想知道,交給這個哈希密碼,我應該在數據庫中使用什麼樣的varchar長度? – user2371684

+0

查看附加信息在答案 – RiggsFolly

+0

非常感謝:) – user2371684

相關問題

 相關問題