Question

我正在为登录页面编写API，其中密码被加密并存储在数据库中：“$ 2y $ 08 $ NwjkR19Vafs28PuSmVrd6OIpL2ix2hUZn4cFwwJqseUQJZqJIXpia”。如何根据使用sql查询输入的密码验证这一点，下面是我的API代码：

if (isset($postdata)) {

    $request = json_decode($postdata);

    $username = $request->username;
    $password = $request->password;

    if( $username === NULL && $password === NULL) {
        $json = array("status" => 0, "message" => "Please enter username and password");
    }
    else {

        $select_sql = "SELECT `id`, `first_name`, `last_name`, `email`, `phone`, `username`, `password`, `created_on`, `active`, `activation_code` FROM `users` WHERE `email` = '".$username."' AND `password` = '".$password."';";
        $select_query = mysqli_query($con,$select_sql);
        $count = mysqli_num_rows($select_query);
        $fetch_obj = mysqli_fetch_array($select_query,MYSQLI_BOTH);
        if($count>0) {

            $userId = $fetch_obj["id"];
            $userEmail = $fetch_obj["email"];
            $userDisplayName = $fetch_obj["first_name"]." ".$fetch_obj["last_name"];
            $userPhone = $fetch_obj["phone"];
            $userName = $fetch_obj["username"];
            $userPass = $fetch_obj["password"];
            $userCreatedOn = $fetch_obj["created_on"];
            $userActive = $fetch_obj["active"];
            $userActivationCode = $fetch_obj["activation_code"];

            $userDetails = array( "UserID" => "$userId", "UserDisplayName" => "$userDisplayName", "UserEmail" => "$userEmail", "UserPhone" => "$userPhone", "UserName" => "$userName", "UserPassword" => "$userPass", "UserCreatedOn" => "$userCreatedOn","UserActive" => "$userActive", "UserActivationCode" => "$userActivationCode");

            $json = array("status" => 1, "message" => "Login success.", "UserDetails" => $userDetails);
        }
        else {
            $json = array("status" => 0, "message" => "Invalid username or password.", "query" => $select_sql );
        }
    }
}
mysqli_close($con);

我尝试使用以下代码，但无论我在此输入什么密码，它都显示为有效密码，

 <?php

  echo $password = "John@798";
  echo $hash =  password_hash($password, PASSWORD_BCRYPT);
  if (password_verify($password, $hash)) {
  echo 'Password is valid!';
  } else {
  echo 'Invalid password.';
  }
  ?>

有什么办法可以检查输入的密码，然后将用户重定向到主页？请帮帮我，过去2天我一直坚持这个。提前致谢

Answer 1

请在下次更好地格式化您的代码。

此功能

<?php
echo $password = "John@798";
echo $hash = password_hash($password, PASSWORD_BCRYPT);
if (password_verify($password, $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

始终显示有效密码，因为您根据密码设置了哈希，并使用结果哈希验证密码。如果您希望它返回无效密码，请将其设置为其他内容，例如

echo $password = "Wrong Password";
echo $hash = password_hash("John@798", PASSWORD_BCRYPT);

对于您的第一个代码块，$ password是您存储在数据库中的哈希值，$ userPass是用户在表单中输入的密码，您需要对其进行验证。以下是检查它是否为有效密码的代码。

if (password_verify($userPass, $password)) {
    echo "Correct Password";
} else {
    echo "Invalid Password";
}

如何验证通过API在Mobile App中输入的密码

1 个答案: