验证并创建哈希密码错误,我可以使用哈希密码创建一个帐户,但是,我无法验证它?

时间:2016-12-20 18:24:17

标签: php 

<?php
require "Common.php";
$player_username = $_POST ["usernamePost"];
$player_password = $_POST ["passwordPost"];
$hashed_password = password_hash($player_password, PASSWORD_DEFAULT);

$conn = new mysqli ($server_host, $server_username, $server_password, $server_dbName);
    $queryCode = "SELECT * FROM users WHERE Username = '$player_username'";
    $query = mysqli_query ($conn, $queryCode);
    if (mysqli_num_rows($query) > 0) {
        echo "Username already exists.";
    } else {
        $sql = "INSERT INTO users (Username, Password)
        VALUES ('".$player_username."','".$hashed_password."')";
        $result = mysqli_query ($conn,$sql);
        echo "User created.";
    }
?>

第二段代码:

[
    {
        path: 'search', component: SearchComponent, children:
        [
            {
                path: 'view/:id', component: ViewSearchComponent, children:
                [
                    { path: 'person/:id', component: PersonComponent }
                ]
            },
        ]
    }
]

我可以使用哈希密码创建一个帐户,但是,我无法使用它进行登录。我在本网站上查看了有关我的问题的每个帖子。不管是我在看错了帖子还是我根本不明白他们在做什么。

1 个答案:

答案 0 :(得分:4)

您无法验证散列密码,因为您选择的密码为空密码的用户:

$result = mysqli_query ($conn, "SELECT * FROM users WHERE Username ='$player_username' and Password = ''");

从查询中删除密码测试:

<?php
require "Common.php";
$player_username = $_POST ["usernamePost"];
$player_password = $_POST ["passwordPost"];
$hashed_password = password_hash($player_password, PASSWORD_DEFAULT);

$conn = new mysqli ($server_host, $server_username, $server_password, $server_dbName);

$result = mysqli_query ($conn, "SELECT * FROM users WHERE Username ='$player_username'");
$count = mysqli_num_rows($result);

if ($count == 1) {
    $row = mysqli_fetch_assoc ($result);
    if (password_verify($player_password, $row['hashed_password'])) {
        echo "Signing in...<br>";
        echo "ID:".$row ['ID'] . "|Username:".$row ['Username'] . "|Score:".$row ['Score'] . "|Status:".$row ['Status'];
    }
}  else {
    echo "Incorrect username or password.";
}

由于您只返回一行,因此代码太多。不需要while循环,您必须测试存储在数据库$row['hashed_password']中的密码。

另外:

Little Bobby your script is at risk for SQL Injection Attacks. 了解preparedMySQLi语句。即使escaping the string也不安全! Don't believe it?

编辑:以下是使用预准备语句和正确错误检查的示例:

require "Common.php";
$player_username = $_POST ["usernamePost"];
$player_password = $_POST ["passwordPost"];

$conn = new mysqli($server_host, $server_username, $server_password, $server_dbName);

/* check connection */
if (mysqli_connect_errno()) {
    echo "Connect failed: ", mysqli_connect_error());
    exit();
}

 $stmt = $conn->prepare("SELECT * FROM users WHERE Username =?"); // prepare with a placeholder for the variable
 $stmt->bind_param('s', $player_username); // bind the variable
 $stmt->execute(); // execute the query
 $row = $stmt->fetch_assoc(); // get the associative array
 if (password_verify($player_password, $row['hashed_password'])) {
     echo "Signing in...<br>";
     echo "ID:".$row ['ID'] . "|Username:".$row ['Username'] . "|Score:".$row ['Score'] . "|Status:".$row ['Status'];
 } else {
    echo "Incorrect username or password.";
}

请记住,有两种方法可用于编写和执行预准备语句。使用您最熟悉的方法。

来自Proper Password Preparation with PHP

  

password_hash()可以生成一些非常冗长的文本(当前默认值为60个字符),因此现在增大字段将允许所需的长度。其次,PHP团队正在为该方法添加更多算法,这意味着哈希可以并且将会增长。我们也不想限制用户使用他们选择的密码或密码的能力。最好为变化留出空间。

将数据库中的密码字段设置为较大,例如

`password` text DEFAULT NULL
相关问题
最新问题