将发布的密码与MySQL存储的加密密码进行比较 - Compare posted password to MySQL stored crypted password

Compare posted password to MySQL stored crypted password

本文关键字：密码加密比较存储 MySQL | 更新日期: 2023-09-27

My SQL Table：

|-ID-|-Username-|-EmailAddress-|-ePassword-|-Permissions-|
----------------------------------------------------------
|  1 |    Admin |              |           |             |
|  2 |       Foo|<emailaddress>|<cpassword>|  <default 1>|
|    |          |              |           |             |
|    |          |              |           |             |

下面的代码从表单中获取_POST数据，然后引用数据库以检查用户名是否正确，一旦用户名正确，我希望能够$password与数据库中的ePassword进行比较，

ePassword是使用加密进行加密的。php.net 中关于crypt的一个例子说我必须这样做：

if (hash_equals($hashed_password, crypt($user_input, $hashed_password)) {
    echo "Password verified!";
}

比较密码，所以我的将是：

if (hash_equals($hashed_password, crypt($password, $hashed_password)) { //changed $user_input to password
    echo "Password verified!";
}

但是，我将如何从数据库中获取ePassword并进行比较呢？

//User data
$username = strtolower($_POST['username']);
$password = $_POST['password'];
//login check
if($_SESSION['loggedIn'] != "") {
    echo 'You already are using an Account!';
} else if($_SESSION['loggedIn'] == "") {
    //connect to database
    $con =  mysqli_connect($db_host, $db_user, $db_pass, $db_name);
    //check for connection errors
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    };
    //checks for username
    $stmt = $con->prepare("SELECT * FROM Users WHERE Username=?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();
    $userCheck = $stmt->num_rows;
    if($userCheck > 0) {
                                //Password check goes here
    } else {
    };
    $con->close();
};

TL;DR：我想将$password与我的数据库中的ePassword与crypt进行比较，我该怎么做？

    // username and password sent from Form
    $username=$_POST['username'];
    $password=$_POST['password'];
    $password=crypt($password,saltUsedWhileRegisteringUser); // Encrypted Password
    //Assuming ePassword is the crypted password inserted into DB while User Registeration
    $sql="SELECT id FROM admin WHERE username='$username' and ePassword ='$password'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);//If count > 1 then valid user else not a valid one.

if($userCheck > 0) {
    //Password check goes here
    $stmt->bind_result($id, $username,$emailAddress,$ePassword,$permissions);
    $password = crypt($password,'the same salt used to create ePassword. without it the string will be always random'); 
    if (hash_equals($password,$ePassword) {
        echo 'user logged in';
    else
        echo 'invalid password';
    }
}