PHP password_verify()不使用数据库

时间:2015-02-25 21:15:59

标签: php mysql database hash

我正在制作登录和注册系统。系统工作正常,我现在必须为数据库存储的哈希密码添加安全性。但是,当我从数据库中检索散列密码并将其与用户输入的密码输入进行比较时,它无法正常工作。

    <?php
session_start(); //start the session for user profile page

define('DB_HOST','localhost'); 
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password

$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 

/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
    $user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
    $pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
    //$user = $_POST['user'];
    //$pass = $_POST['pass'];
    if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
        $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
        $row = mysqli_fetch_array($query); //or die(mysqli_error($con));
        $username = $row['userName'];
        $pw = $row['pass'];//hashed password in database
        //check username and password hash
        echo $pw; //THIS PRINTS OUT NOTHING!!!
        if($user==$username && password_verify($pass, $pw)) {
            // $user and $pass are from POST
            // $username and $pw are from the rows

            //$_SESSION['userName'] = $row['pass'];
            echo "Successfully logged in.";
        }

        else { 
            echo "Invalid."; 
        }
    }
    else{
        echo "INVALID LOGIN";
    }
}

if(isset($_POST['submit'])){
    SignIn($con);
}
?>

所以上面的代码将回显&#34;无效&#34;当我尝试比较输入的文本密码和数据库中的哈希值。 echo $ pw因某种未知原因打印出来。

这是注册php脚本:

<?php
        //Connection Config
        define('DB_HOST','localhost'); 
        define('DB_NAME','test'); //name of database
        define('DB_USER','root'); //mysql user
        define('DB_PASSWORD',''); //mysql password
        $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
        $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 
        //Registration
        function Register($con){
            if(isset($_POST['user']) && isset($_POST['pass'])){
                $username = $_POST['user'];
                $email = $_POST['email'];
                $password = $_POST['pass'];

                //Hashing of password
                $hpassword = password_hash($password, PASSWORD_DEFAULT);
                $query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

                if($query){
                    //Query successful
                    echo "User has been created successfully";
                }else{
                    echo "Error1";
                }
            }else{
                echo "Error2";
            }
        }

        if(isset($_POST['submit'])){
            Register($con);
        }
    ?>

我确保该列是varchar(255)并且足够长。 有谁知道验证失败的原因?谢谢!

注意:密码哈希后,我计划添加SQL注入防御。

1 个答案:

答案 0 :(得分:1)

您正在插入哈希密码,这很好。 但是在登录时,您将POST字符串上的字符串与数据库中的散列版本进行比较。从逻辑上讲,它们将不一样。 你应该改变:

SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'"


SELECT * FROM UserName where userName = '$_POST[user]'

确实你应该在任何地方添加针对SQL注入的保护。最好在每次选择,插入,更新,删除等使用准备好的语句,以及在这些语句中使用的每一个值。

相关问题
最新问题