PASSWORD_VERIFY使用正确的密码返回FALSE
所以我尝试从MySQL DB验证用户的散列密码,但password_verify
似乎不起作用。我觉得可能是我做错了什么。
散列并存储密码:
// Set POST variables
$firstname = mysqli_real_escape_string($conn, $_POST['firstname']);
$lastname = mysqli_real_escape_string($conn, $_POST['lastname']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$hashedpwd = password_hash($password, PASSWORD_DEFAULT);
// SQL query & Error Handlers
$sql = "INSERT INTO `users_admin` (Firstname, Lastname, Email, Password) VALUES ('$firstname', '$lastname', '$email', '$hashedpwd')";
检索哈希密码:
if ($row = mysqli_fetch_assoc($result)) {
$user_pass = $row['Password'];
$passwordCheck = password_verify($password, $user_pass);
if (!$passwordCheck) {
header("Location: ../login.php?wrong-password");
exit();
} elseif ($passwordCheck) {
// log in the user
$_SESSION['logged_in'] = true;
$_SESSION['id'] = $row['ID'];
$_SESSION['firstname'] = $row['Firstname'];
$_SESSION['lastname'] = $row['Lastname'];
$_SESSION['email'] = $row['Email'];
header("Location: ../dashboard");
exit();
}
}
password_verify = bool(true)
编辑:
if (isset($_POST['submit'])) {
include('DB_Connect.php');
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
// error handlers
$sql = "SELECT * FROM users_admin WHERE Email = '$email'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../login.php?input:invalid");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)) {
$user_pass = $row['Password'];
$passwordCheck = password_verify($password, $user_pass);
if (!$passwordCheck) {
header("Location: ../login.php?wrong-password");
exit();
} elseif ($passwordCheck) {
// log in the user
$_SESSION['logged_in'] = true;
$_SESSION['id'] = $row['ID'];
$_SESSION['firstname'] = $row['Firstname'];
$_SESSION['lastname'] = $row['Lastname'];
$_SESSION['email'] = $row['Email'];
header("Location: ../dashboard");
exit();
}
}
}
}else{
header("Location: ../login.php?login=error");
exit();
}
解决方案
您发布的代码中没有任何内容会导致描述的问题。
以下是一些提示和改进:
%1。
您正在对密码进行转义/清理,然后再对其进行哈希处理。
这样您就更改了存储的密码
让
$password = $_POST['password'];
创建帐户时和登录时检查密码是否匹配。
2.
确保数据库中的Password
字段(存储哈希密码)最多可以存储255个字符。
来自documentation
建议将结果存储在可以超过60个字符的数据库列中(255个字符将是不错的选择)。
如果字段较窄,则哈希将被截断,您将永远不会有匹配项。
3.
在登录时通过电子邮件获取用户时,请确保Email
在数据库级别(在表定义中)是唯一的(只要您的主键ID
)。
在用户注册和登录(php级别)时也检查这一点是个好主意。
4.
mysqli_fetch_assoc
返回的键值对中的键区分大小写。确保使用与数据库中的字段命名完全相同的键访问这些值。
前在您的代码中,我读到了$row['Email']
。表中的字段名称实际上是Email
还是可能是email
(小写)?
5.
调试代码!
使用调试器或简单地放置断点,如
var_export( $the_variable );
exit();
输入代码的关键点(&Q;)。
6.
使用prepared statements,而不是转义输入并将其直接注入到SQL字符串中。
散列并存储密码:
// Set POST variables
$firstname = mysqli_real_escape_string($conn, $_POST['firstname']);
$lastname = mysqli_real_escape_string($conn, $_POST['lastname']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = $_POST['password'];
$hashedpwd = password_hash($password, PASSWORD_DEFAULT);
// SQL query & Error Handlers
$sql = "INSERT INTO `users_admin` (Firstname, Lastname, Email, Password) VALUES ('$firstname', '$lastname', '$email', '$hashedpwd')";
检索哈希密码:
include('DB_Connect.php');
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = $_POST['password'];
$sql = "SELECT * FROM users_admin WHERE Email = '$email'";
$result = mysqli_query($conn, $sql);
if( $result === false )
{
header("Location: ../login.php?login=error");
exit();
}
$count = mysqli_num_rows($result);
if( $count === 0 )
{
header("Location: ../login.php?input:invalid");
exit();
}
$row = mysqli_fetch_assoc( $result );
$passwordHash = $row['Password'];
$passwordCheck = password_verify( $password, $passwordHash );
if( ! $passwordCheck )
{
header("Location: ../login.php?wrong-password");
exit();
}
// log in the user
$_SESSION['logged_in'] = true;
$_SESSION['id'] = $row['ID'];
$_SESSION['firstname'] = $row['Firstname'];
$_SESSION['lastname'] = $row['Lastname'];
$_SESSION['email'] = $row['Email'];
header("Location: ../dashboard");
exit();
相关文章