php如何实现登录验证

PHP 登录验证实现方法

数据库连接与用户表设计

创建一个用户表存储用户名和密码（建议使用哈希加密）

// 数据库连接示例
$host = 'localhost';
$db   = 'database_name';
$user = 'username';
$pass = 'password';
$charset = 'utf8mb4';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
    $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    throw new \PDOException($e->getMessage(), (int)$e->getCode());
}

密码哈希处理

注册时使用password_hash()函数加密密码

$password = $_POST['password'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
// 存储$hashed_password到数据库

登录验证流程

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // 查询数据库获取用户信息
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch();

    if ($user && password_verify($password, $user['password'])) {
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['username'];
        header('Location: dashboard.php');
        exit;
    } else {
        $error = '用户名或密码错误';
    }
}

会话管理与安全防护

每次敏感操作前验证会话

session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

防范SQL注入使用预处理语句 防范XSS攻击对输出进行htmlspecialchars处理

echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

记住登录功能实现

使用安全令牌实现持久登录

if (isset($_POST['remember_me'])) {
    $token = bin2hex(random_bytes(32));
    $expiry = time() + 60 * 60 * 24 * 30; // 30天

    // 存储token到数据库
    $stmt = $pdo->prepare('UPDATE users SET remember_token = ?, token_expiry = ? WHERE id = ?');
    $stmt->execute([$token, date('Y-m-d H:i:s', $expiry), $_SESSION['user_id']]);

    setcookie('remember', $token, $expiry, '/', '', true, true);
}