
Where should password_verify go in a login script?

Before reading the code, keep in mind that the Fake Registration block will not be in your code, but it is necessary in order to show you the flow end to end.

```php
<?php
session_start();

// Begin Vault
// credentials from a secure Vault, not hard-coded
$servername = "localhost";
$dbname     = "login_system";
$username   = "dbUserName";
$password   = "dbPassword";
// End Vault

// The following two variables would come from your form, naturally
// as $_POST[]
$formEmail  = "jsmith123@gmail.com";
$ctPassword = "¿^?fish╔&®)";  // clear text password

try {
    #if(isset($_POST['email'], $_POST['password'])){
    #require('../../../private_html/db_connection/connection.php');
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Begin Fake Registration
    //   fake it that user already had password set (from some registration insert routine)
    //   the registration routine had SSL/TLS, safely passing bound parameters.
    $hp = password_hash($ctPassword, PASSWORD_DEFAULT); // hashed password, using PASSWORD_DEFAULT (bcrypt)
    $conn->query("delete from user_accounts where email='jsmith123@gmail.com'");
    $conn->query("insert into user_accounts(first_name,last_name,email,password) values ('joe','smith','jsmith123@gmail.com','$hp')");
    //   we are done assuming we had a registration from somewhere in your system
    // End Fake Registration

    // Look the account up by e-mail only; the password is never part of the query
    $query = $conn->prepare("SELECT * FROM user_accounts WHERE email=:email");
    $query->bindParam(':email', $formEmail);
    $query->execute();

    unset($_SESSION['email']);
    unset($_SESSION['first_name']);

    // password_verify() compares the clear text against the stored hash (salt and cost are inside the hash)
    if (($row = $query->fetch()) && password_verify($ctPassword, $row['password'])) {
        $_SESSION['email']      = $row['email'];
        $_SESSION['first_name'] = $row['first_name'];
        //header("Location: ../../myaccount/myaccount.php");
        echo "hurray, you authenticated.<br/>";
    } else {
        //header("Location:../../login/login.php ");
        echo "invalid login<br/>";
    }
    #}
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
    exit();
}
?>
```

Browser output:

hurray, you authenticated.

Note that the password_hash() function makes use of a random salt. This becomes obvious if you run it several times: the hashed password changes even though the clearText input stays the same, for example the following two hashed passwords:

$2y$10$KywNHrGiPaK9JaWvOrc8UORdT8UXe60I2Yvj86NGzdUH1uLITJv/q
$2y$10$vgJnAluvhfdwerIX3pAJ0u2UKi3J.pfvd0vIqAwL0Pjr/A0AVwatW

Both are the results of successive hashes of the same clear-text password described above. The salt and the hashing cost are baked into the hashed password and saved along with it. All of these calls can be found in the links below.

From the manual: password_hash and password_verify.

Schema

```sql
create table user_accounts(
    id int auto_increment primary key,
    first_name varchar(50) not null,
    last_name varchar(50) not null,
    email varchar(100) not null,
    password varchar(255) not null
);
```
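As an added example (not code from the original answer), here is the same lookup-then-verify pattern split into a registration function and a login function, with the fake registration replaced by a real prepared insert. It assumes the user_accounts schema above and runs against an in-memory SQLite table so no MySQL server is needed; the function names registerUser and authenticate are mine, and the dummy verify for unknown e-mails and the password_needs_rehash() step go beyond what the original answer shows.

```php
<?php
// Added example, not from the original answer. Assumes the user_accounts schema
// above; registerUser/authenticate are hypothetical names chosen here.

// Registration: hash once; the random salt and the cost are stored inside the hash.
function registerUser(PDO $conn, string $first, string $last, string $email, string $clearText): void
{
    $hash = password_hash($clearText, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO user_accounts (first_name, last_name, email, password)
                            VALUES (:f, :l, :e, :p)');
    $stmt->execute([':f' => $first, ':l' => $last, ':e' => $email, ':p' => $hash]);
}

// Login: fetch the row by e-mail only, then let password_verify() compare the clear
// text against the stored hash. Returns the row on success, null otherwise.
function authenticate(PDO $conn, string $email, string $clearText): ?array
{
    $stmt = $conn->prepare('SELECT * FROM user_accounts WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown e-mail: verify against a throwaway hash so the response time
        // does not reveal whether the account exists (not in the original answer).
        password_verify($clearText, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($clearText, $row['password'])) {
        return null;
    }
    // Optional hardening beyond the original answer: if PASSWORD_DEFAULT or its cost
    // has changed since registration, re-hash while the clear text is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE user_accounts SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($clearText, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return $row;
}

// Stand-alone run against an in-memory SQLite table (constructed data, no MySQL needed).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE user_accounts (id INTEGER PRIMARY KEY AUTOINCREMENT,
             first_name TEXT, last_name TEXT, email TEXT, password TEXT)');
registerUser($conn, 'joe', 'smith', 'jsmith123@gmail.com', '¿^?fish╔&®)');
$ok = authenticate($conn, 'jsmith123@gmail.com', '¿^?fish╔&®)');
echo ($ok !== null ? 'hurray, ' . $ok['first_name'] . ' authenticated' : 'invalid login'), PHP_EOL;
$bad = authenticate($conn, 'jsmith123@gmail.com', 'not-the-password');
echo ($bad !== null ? 'hurray, authenticated' : 'invalid login'), PHP_EOL;
```

Run it with `php login_example.php` (any file name); the first login should succeed and the second fail, and a subsequent run of registerUser produces a different hash for the same password, which authenticate still accepts.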


Original URL: https://www.mshxw.com/it/594707.html

Copyright (c) 2021-2022 MSHXW.COM
