在现有密码上使用password_verify

时间:2014-12-15 03:12:33

标签: php database hash mysqli

我正在尝试检查某人的密码和用户名,然后才能登录我的网站。密码都存储在password_hash($password1, PASSWORD_BCRYPT);我不确定我做错了什么。目前,无论我输入什么,它总是说不正确。

<?php
require 'privstuff/dbinfo.php';

$username = $_POST["username"];
$password1 = $_POST["password1"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);

if(mysqli_connect_errno()) {
    echo "Connection Failed. Please send an email to owner@othertxt.com regarding this problem.";
    exit();
}

if ($stmt = $mysqli->prepare("SELECT `username`, `password` FROM `accounts` WHERE username = ? AND password = ?")) {


    $result = mysqli_query($mysqli,"SELECT `password` FROM `accounts` WHERE username = $username");

    $stmt->bind_param("ss", $username, password_verify($password1, $result);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows) {
        echo("Success");
    }
    else {
        echo("Incorrect");
    }

}
$mysqli->close(); 

?>

这是register.php 

<?php
require 'privstuff/dbinfo.php';

$firstname = $_POST["firstname"];
$password1 = $_POST["password1"];
$email = $_POST["email"];
$ip = $_SERVER['REMOTE_ADDR'];
$username = $_POST["username"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);


if(mysqli_connect_errno()) {
    echo "Connection Failed. Please send an email to owner@othertxt.com regarding this problem.";
    exit();
}

        if ($stmt = $mysqli->prepare("INSERT INTO `accounts`(`firstname`, `username`, `password`, `email`, `ip`) VALUES (?,?,?,?,?)")) {

            $db_pw = password_hash($password1, PASSWORD_BCRYPT);

            $stmt->bind_param("sssss", $firstname, $username, $db_pw, $email, $ip);
            $stmt->execute();
            if ($stmt->affected_rows > 0) {

                echo "Account successfuly created";
            }
            $stmt->close();
    }
    $stmt->close();

$mysqli->close(); 

?>

2 个答案:

答案 0 :(得分:2)

我解决了这个问题。我错误地使用了password_verify

<?php
require 'privstuff/dbinfo.php';


$username = $_POST["username"];
$password1 = $_POST["password1"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);

// Check connection
if(mysqli_connect_errno()) {
    echo "Connection Failed: " . mysqli_connect_errno();
    exit();
}

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT `password` FROM `accounts` WHERE username = ?")) {

    /* Bind parameters: s - string, b - blob, i - int, etc */
    $stmt -> bind_param("s", $username);

    /* Execute it */
    $stmt -> execute();

    /* Bind results */
    $stmt -> bind_result($result);

    /* Fetch the value */
    $stmt -> fetch();

    /* Close statement */
    $stmt -> close();
}


if(password_verify($password1, $result))
{
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;

   echo '<script type="text/javascript"> window.open("textbomber.php","_self");</script>';
}else{
    echo '<script type="text/javascript"> alert("Incorrect Username/Password"); window.open("login.html","_self");</script>'; 
}

$mysqli->close(); 
?>

答案 1 :(得分:0)

这个问题应该以不同的方式解决。只进行一次查询并通过给定的用户名获取密码哈希值。然后检查应该在您的代码中完成,而不是在第二个查询中:

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

此函数将返回true或false,具体取决于密码是否与存储的密码哈希匹配。您无法直接在SQL查询中比较密码哈希值,因为每个密码都添加了随机盐。

相关问题
最新问题