我用什么来验证
// username and password sent from form
$myusername= filter_var($_POST['myusername'], FILTER_SANITIZE_STRING);
$mypassword= filter_var($_POST['mypassword'], FILTER_SANITIZE_STRING);
$sql = $dbh->prepare("SELECT * FROM $tblname WHERE UserLogin='$myusername'");
$sql->execute();
$sql = $sql->fetch();
$password_hash = $sql['UserPass'];
/*** close the database connection ***/
$dbh = null;
if(crypt($mypassword, $password_hash) == $password_hash){
我正在使用什么来创建密码
$salt = blowfishSalt();
$mypassword = crypt($mypassword, $salt);
$stmt = $dbh->prepare('INSERT INTO Users(UserLogin, UserPass, UserEmail, admin) VALUES(:UserLogin, :UserPass, :UserEmail, :admin)');
$stmt->execute(array(
':UserLogin' => $myusername,
':UserPass' => $mypassword,
':UserEmail' => $myemail,
':admin' => $admin
));
blowfishSalt()
function blowfishSalt($cost = 13) {
if (!is_numeric($cost) || $cost < 4 || $cost > 31) {
throw new Exception("cost parameter must be between 4 and 31");
}
$rand = array();
for ($i = 0; $i < 8; $i += 1) {
$rand[] = pack('S', mt_rand(0, 0xffff));
}
$rand[] = substr(microtime(), 2, 6);
$rand = sha1(implode('', $rand), true);
$salt = '$2a$' . sprintf('%02d', $cost) . '$';
$salt .= strtr(substr(base64_encode($rand), 0, 22), array('+' => '.'));
return $salt;
}
必须删除函数的{},这样它才能在stackoverflow中正确格式化。我还用char(128)将密码存储在mysql数据库中。
验证码中有这个:
crypt($mypassword, $password_hash)
这是创建代码:
$mypassword = crypt($mypassword, $salt);
当然,它们都应该使用$mypassword和$salt吗?