1

我正在努力将我的登录系统转换为准备好的语句。我已经设法转换了我的整个 Crud 系统,但只是对最后一部分感到困惑。任何帮助将非常感激。

这是没有准备好的语句的原始登录:

if(isset($_POST['submit'])) {
    $user = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);
 
    if($user == "" || $password == "") {
        echo "Either username or password field is empty.";
        echo "<br/>";
        echo "<a href='login.php'>Go back</a>";
    } else {
        $result = mysqli_query($con, "SELECT * FROM login WHERE username='$user' AND password=md5('$password')")
        or die("Could not execute the select query.");
        
        $row = mysqli_fetch_assoc($result);
        
        if(is_array($row) && !empty($row)) {
            $validuser = $row['username'];
            $_SESSION['valid'] = $validuser;
            $_SESSION['name'] = $row['name'];
            $_SESSION['id'] = $row['id'];
        } else {
            echo "Invalid username or password.";
            echo "<br/>";
            echo "<a href='login.php'>Go back</a>";
        }
 
        if(isset($_SESSION['valid'])) {
            header('Location: index.php');            
        }
    }
} else {
?>
    <div class="row">
    <div class="col-md-6 col-md-offset-3">
        <div class="box">
            <h3>Login</h3> 
            <form name="form1" action="" method="POST" enctype="multipart/form-data">
                <input type="text"  name="username" id="username" placeholder="Username" class="form-control"><br>
                <input type="password"  name="password" id="password" placeholder="Password" class="form-control"><br>
                <button type="submit" name="submit" class="btn btn-success button">Login</button>
            </form>
        </div>
    </div>
<?php
}
?>
</body>
</html>

然后是我的 index.php 页面

<?php
    if(isset($_SESSION['valid'])) {            
        include("connect.php");                    
        $result = mysqli_query($con, "SELECT * FROM login");
    ?>                
        Welcome <?php echo $_SESSION['name'] ?> ! <a href='logout.php'>Logout</a><br/>
        <br/>
        <a href='view.php'><?php echo ("<div class='alert alert-success'>Click here to View and Add Products!</div>")?></a>
        <a href='viewuser.php'><?php echo ("<div class='alert alert-success'>Click here to Add Users!</div>")?></a>
        <br/><br/>
    <?php    
    } else {
        echo ("<div class='alert alert-danger'>You must be logged in to access CMS site.</div>"); 
        echo "<a href='login.php' class='btn btn-primary'>Login</a>";
    }
    ?>

这是我到目前为止所做的:

if(isset($_POST['submit'])) {
    $user = $_POST['username'];
    $password = md5(['password']);
 
            $sql = $con->prepare("SELECT * FROM login WHERE username = ? AND password = ?");
            $sql->bind_param("ss", $user, $password);
            $sql->execute();
            $result = $sql->get_result();
            while($row = $result->fetch_assoc()) {
            

        
        $row = mysqli_fetch_assoc($result);  
        
        if(is_array($row) && !empty($row)) {
            $validuser = $row['username'];
            $_SESSION['valid'] = $validuser;
            $_SESSION['name'] = $row['name'];
            $_SESSION['id'] = $row['id'];
        } else {
            echo "Invalid username or password.";
            echo "<br/>";
            echo "<a href='login.php'>Go back</a>";
        }
 
        if(isset($_SESSION['valid'])) {
            header('Location: index.php');            
        }
    }
}
?>
    <div class="row">
    <div class="col-md-6 col-md-offset-3">
        <div class="box">
            <h3>Login</h3> 
            <form name="form1" action="" method="POST" enctype="multipart/form-data">
                <input type="text"  name="username" id="username" placeholder="Username" class="form-control"><br>
                <input type="password"  name="password" id="password" placeholder="Password" class="form-control"><br>
                <button type="submit" name="submit" class="btn btn-success button">Login</button>
            </form>
        </div>
    </div>
</body>
</html>

就这部分而言,我对如何使用 index.php 在准备好的语句中实现它感到非常困惑无论我尝试从互联网上搜索什么,我似乎都无法弄清楚这部分:

$row = mysqli_fetch_assoc($result);
        
        if(is_array($row) && !empty($row)) {
            $validuser = $row['username'];
            $_SESSION['valid'] = $validuser;
            $_SESSION['name'] = $row['name'];
            $_SESSION['id'] = $row['id'];
        } else {
            echo "Invalid username or password.";
            echo "<br/>";
            echo "<a href='login.php'>Go back</a>";
        }
 
        if(isset($_SESSION['valid'])) {
            header('Location: index.php');            
        }
    }
}
4

1 回答 1

0

正如评论已经指出的那样,应该使用像password_hash()这样的适当函数,并将哈希值存储在 type 的字段中varchar(255)

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

在登录表单中,我们无法直接用 SQL 验证密码,也无法搜索,因为存储的哈希是加盐的,计算单个哈希需要大量时间。相反,我们...

  1. 必须从数据库中读取密码哈希,按用户 ID 搜索
  2. 然后可以使用password_verify()函数根据找到的哈希检查登录密码。

您可以在下面找到 mysqli 的代码示例,展示如何使用 mysqli 连接进行密码验证。该代码没有错误检查以使其可读:

/**
 * mysqli example for a login with a stored password-hash
 */
$mysqli = new mysqli($dbHost, $dbUser, $dbPassword, $dbName);
$mysqli->set_charset('utf8');

// Find the stored password hash in the db, searching by username or email
$sql = 'SELECT password FROM users WHERE username = ?';
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $_POST['username']); // it is safe to pass the user input unescaped
$stmt->execute();

// If this user exists, fetch the password-hash and check it
$isPasswordCorrect = false;
$stmt->bind_result($hashFromDb);
if ($stmt->fetch() === true)
{
  // Check whether the entered password matches the stored hash.
  // The salt and the cost factor will be extracted from $hashFromDb.
  $isPasswordCorrect = password_verify($_POST['password'], $hashFromDb);
}
于 2020-06-25T15:50:26.000 回答