Pio*_*lpa 1 passwords codeigniter verify
我的 Codeigniter(3.0 版)登录模块中有这个方法。它工作正常,但这安全吗?是否有更好的解决方案来使用 PHP password_verify 检查登录名和密码?(PHP 5.6,MySQL 5.0)。
$user = $this->input->post('username');
$password = $this->input->post('password');
$myquery = $this->db->query("SELECT * FROM users WHERE user = '$user'");
$row = $myquery->row();
if (isset($row))
{
//Using hashed password - PASSWORD_BCRYPT method - from database
$hash = $row->password;
if (password_verify($password, $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
} else{
echo 'Wrong user!';
}
你的代码看起来不错,但你可以用 CI 方式多做一点,更干净一点,在这种情况下,你受到 sql 注入的保护,你有更多的封装
尝试这样的事情:
public function checkLogin()
{
$this->load->library("form_validation");
$arrLoginRules = array
(
array(
"field" => "username",
"label" => "Benutzername",
"rules" => "trim|required"
),
array(
"field" => "password",
"label" => "Passwort",
"rules" => "trim|required"
)
);
$this->form_validation->set_rules($arrLoginRules);
try
{
if (!$this->form_validation->run()) throw new UnexpectedValueException(validation_errors());
$user = $this->input->post('username');
$password = $this->input->post('password');
$query = $this->db
->select("*")
->from("users")
->where("user", $user)
->get();
if ($query->num_rows() != 1) throw new UnexpectedValueException("Wrong user!");
$row = $query->row();
if (!password_verify($password, $row->hash)) throw new UnexpectedValueException("Invalid password!");
echo "valid user";
}
catch(Excecption $e)
{
echo $e->getMessage();
}
}
| 归档时间: |
|
| 查看次数: |
15346 次 |
| 最近记录: |