我无法使用password_verify验证密码。我使用BCRYPT进行密码散列。帮助我找到这段代码中的错误,以及如何在下面的select语句中绑定变量:
<?php
if (isset($_POST['submit'])) {
// echo "ok";
$con = connect();
$email = $_POST['email_id'];
$pass_word = $_POST['pass_word'];
if ($con) {
$query = mysqli_query($con,"select * from login where email_id='".$email."'");
$rows = mysqli_num_rows($query);
if ($query) {
$row = mysqli_fetch_assoc($query);
if ($row) {
$hash = $row['password'];
if (password_verify($pass_word,$hash) {
echo '<strong>Successful' ;
} else {
echo "Invalid Password";
}
}
}
} else {
die("Connection Error");
}
}
?>
缺少括号:
改变这里
if(password_verify($pass_word,$hash)
if(password_verify($pass_word,$hash))
扩展为请求:
"select * from login where email_id='".$email."'";
是
"select * from login where email_id= ?";
传递给$mysqli::prepare:
$stmt = $con->prepare("SELECT * FROM login WHERE email_id= ?");
$stmt->bind_param( "s", $email); // "ss' is a format string, each "s" means string
$stmt->execute();
$stmt->bind_result($email);// then fetch and close the statement
需要一个右括号吗?
if(password_verify($pass_word,$hash)
也是你的查询暴露于SQL注入尝试准备它并绑定参数与
$query=$conn->prepare($con,"select * from login where email_id=?");
$query->bind_param('s',$email); //change 's' with 'i' if you are expecting an integer
$query->execute()//to execute the query
bind param
$stmt = $con->prepare("select * from login where email_id=?");
$stmt->bind_param("s", $email);
$stmt->execute();