PASSWORD_VERIFY使用正确的密码返回FALSE

2022-06-26 00:00:00 passwords php verify

所以我尝试从MySQL DB验证用户的散列密码,但password_verify似乎不起作用。我觉得可能是我做错了什么。

散列并存储密码:

// Set POST variables
$firstname = mysqli_real_escape_string($conn, $_POST['firstname']);
$lastname = mysqli_real_escape_string($conn, $_POST['lastname']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$hashedpwd = password_hash($password, PASSWORD_DEFAULT);

// SQL query & Error Handlers
$sql = "INSERT INTO `users_admin` (Firstname, Lastname, Email, Password) VALUES ('$firstname', '$lastname', '$email', '$hashedpwd')";

检索哈希密码:

 if ($row = mysqli_fetch_assoc($result)) {
        $user_pass = $row['Password'];
        $passwordCheck = password_verify($password, $user_pass);
        if (!$passwordCheck) {
            header("Location: ../login.php?wrong-password");
            exit();
        } elseif ($passwordCheck) {
            // log in the user
            $_SESSION['logged_in'] = true;
            $_SESSION['id'] = $row['ID'];
            $_SESSION['firstname'] = $row['Firstname'];
            $_SESSION['lastname'] = $row['Lastname'];
            $_SESSION['email'] = $row['Email'];
            header("Location: ../dashboard");
            exit();

        }
    }

password_verify = bool(true)

编辑:

if (isset($_POST['submit'])) {

include('DB_Connect.php');

$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);

// error handlers
$sql = "SELECT * FROM users_admin WHERE Email = '$email'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
    header("Location: ../login.php?input:invalid");
    exit();
} else {
    if ($row = mysqli_fetch_assoc($result)) {
        $user_pass = $row['Password'];
        $passwordCheck = password_verify($password, $user_pass);
        if (!$passwordCheck) {
            header("Location: ../login.php?wrong-password");
            exit();
        } elseif ($passwordCheck) {
            // log in the user
            $_SESSION['logged_in'] = true;
            $_SESSION['id'] = $row['ID'];
            $_SESSION['firstname'] = $row['Firstname'];
            $_SESSION['lastname'] = $row['Lastname'];
            $_SESSION['email'] = $row['Email'];
            header("Location: ../dashboard");
            exit();

         }
     }
  }
}else{
    header("Location: ../login.php?login=error");
    exit();
}

解决方案

您发布的代码中没有任何内容会导致描述的问题。

以下是一些提示和改进:

%1。

您正在对密码进行转义/清理,然后再对其进行哈希处理。

这样您就更改了存储的密码

$password = $_POST['password'];

创建帐户时和登录时检查密码是否匹配。

2.

确保数据库中的Password字段(存储哈希密码)最多可以存储255个字符。

来自documentation

建议将结果存储在可以超过60个字符的数据库列中(255个字符将是不错的选择)。

如果字段较窄,则哈希将被截断,您将永远不会有匹配项。

3.

在登录时通过电子邮件获取用户时,请确保Email在数据库级别(在表定义中)是唯一的(只要您的主键ID)。

在用户注册和登录(php级别)时也检查这一点是个好主意。

4.

mysqli_fetch_assoc返回的键值对中的键区分大小写。确保使用与数据库中的字段命名完全相同的键访问这些值。

前在您的代码中,我读到了$row['Email']。表中的字段名称实际上是Email还是可能是email(小写)?

5.

调试代码!

使用调试器或简单地放置断点,如

var_export( $the_variable );
exit();

输入代码的关键点(&Q;)。

6.

使用prepared statements,而不是转义输入并将其直接注入到SQL字符串中。


散列并存储密码:

// Set POST variables
$firstname = mysqli_real_escape_string($conn, $_POST['firstname']);
$lastname = mysqli_real_escape_string($conn, $_POST['lastname']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = $_POST['password'];
$hashedpwd = password_hash($password, PASSWORD_DEFAULT);

// SQL query & Error Handlers
$sql = "INSERT INTO `users_admin` (Firstname, Lastname, Email, Password) VALUES ('$firstname', '$lastname', '$email', '$hashedpwd')";

检索哈希密码:

include('DB_Connect.php');

$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = $_POST['password'];

$sql = "SELECT * FROM users_admin WHERE Email = '$email'";
$result = mysqli_query($conn, $sql);

if( $result === false )
{
    header("Location: ../login.php?login=error");
    exit();
}

$count = mysqli_num_rows($result);
if( $count === 0 )
{
    header("Location: ../login.php?input:invalid");
    exit();
}

$row = mysqli_fetch_assoc( $result );

$passwordHash = $row['Password'];
$passwordCheck = password_verify( $password, $passwordHash );
if( ! $passwordCheck )
{
    header("Location: ../login.php?wrong-password");
    exit();
}

// log in the user
$_SESSION['logged_in'] = true;
$_SESSION['id'] = $row['ID'];
$_SESSION['firstname'] = $row['Firstname'];
$_SESSION['lastname'] = $row['Lastname'];
$_SESSION['email'] = $row['Email'];
header("Location: ../dashboard");
exit();

相关文章