我正在使用Codeigniter 3.1.8和Bootstrap 4开发一个基本的博客应用程序。该应用程序允许注册和登录。过去使用md5()函数加密的密码:$enc_password = md5($this->input->post('password'));在登录控制器中,我有:public function login() { $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email'); $this->form_validation->set_rules('password', 'Password', 'required|trim'); $this->form_validation->set_error_delimiters('<p class="error-message">', '</p>'); if ($this->form_validation->run()) { $email = $this->input->post('email'); $password = $this->input->post('password'); $this->load->model('Usermodel'); $current_user = $this->Usermodel->user_login($email, $password); // If we find a user if ($current_user) { // If the user found is active if ($current_user->active == 1) { $this->session->set_userdata( array( 'user_id' => $current_user->id, 'user_email' => $current_user->email, 'user_first_name' => $current_user->first_name, 'user_is_admin' => $current_user->is_admin, 'user_active' => $current_user->active, 'is_logged_in' => TRUE ) );并在模型中:public function user_login($email, $password) { $query = $this->db->get_where('authors', ['email' => $email, 'password' => $hashed_password]); return $query->row();}我有安全问题,所以我在Register控制器中替换md5()为:password_hash()$enc_password = password_hash($this->input->post('password'), PASSWORD_DEFAULT);注册工作正常,数据库中的密码字符串比以前更安全。我已将user_loginUser 模型中的更新为:public function user_login($email, $password) { $query = $this->db->get_where('authors', ['email' => $email, 'password' => $hashed_password]); return $query->row(); }其中$hashed_password来自登录控制:$hashed_password = password_hash($password, PASSWORD_DEFAULT);令我惊讶的是,这种密码匹配不起作用。为了使其工作,我必须对我的登录代码进行最少的更改?
2 回答
一只萌萌小番薯
TA贡献1795条经验 获得超7个赞
我已将用户提供的密码与 匹配password_hash(),两个版本的代码之间的差异最小,通过修改user_login()为:
public function user_login($email, $password) {
$pass_hash_query = $this->db
->select('password')
->get_where('authors', ['email' => $email]);
$pass_hash = $pass_hash_query->row()->password;
if (password_verify($password, $pass_hash)) {
$query = $this->db->get_where('authors', ['email' => $email, 'password' => $pass_hash]);
return $query->row();
}
}
在登录控制器中,我有:
public function login() {
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('password', 'Password', 'required|trim');
$this->form_validation->set_error_delimiters('<p class="error-message">', '</p>');
if ($this->form_validation->run()) {
$email = $this->input->post('email');
$password = $this->input->post('password');
$this->load->model('Usermodel');
$current_user = $this->Usermodel->user_login($email, $password);
// If we find a user
if ($current_user) {
// If the user found is active
if ($current_user->active == 1) {
$this->session->set_userdata(
array(
'user_id' => $current_user->id,
'user_email' => $current_user->email,
'user_first_name' => $current_user->first_name,
'user_is_admin' => $current_user->is_admin,
'user_active' => $current_user->active,
'is_logged_in' => TRUE
)
);
// After login, display flash message
$this->session->set_flashdata('user_signin', 'You have signed in');
//and redirect to the posts page
redirect('/');
} else {
// If the user found is NOT active
$this->session->set_flashdata("login_failure_activation", "Your account has not been activated yet.");
redirect('login');
}
} else {
// If we do NOT find a user
$this->session->set_flashdata("login_failure_incorrect", "Incorrect email or password.");
redirect('login');
}
}
else {
$this->index();
}
}
我希望这对除我以外的许多人有用。
PIPIONE
TA贡献1829条经验 获得超9个赞
如果使用,则不能直接检查字符串password_hash。因为它每次都会给出不同的字符串。
为了检查密码的相等性,您需要使用password_verify方法。
您可以在此处获取整个文档。
下方链接:
secure-hash-passwords-with-php
- 2 回答
- 0 关注
- 193 浏览
添加回答
举报
0/150
提交
取消