我正在为网站创建登录表单。在我尝试将安全性与内置在password_hash()和password_verify()函数中的PHP相结合之前,验证工作正常。我使用bcrypt算法对所述函数进行加密。
问题是,当在登录表单中输入正确的用户名和密码时,password_verify将返回false,因此验证失败,从而阻止登录。我已经做了大量的搜索,但没有找到任何解决方案。以下代码(admin_login.php)管理登录表单并处理登录。
我包含我的代码以及我的MySQL' login'结构的屏幕截图。 phpmyadmin控制面板中的表。
提前致谢。
(新的我不会让代表发布图片所以这里是一个gyazo链接:http://gyazo.com/a423e5ba38fe5200a8198b47a66fe75a)
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_SESSION['id']) && $_SESSION['admin'] == 1) {
$userID = $_SESSION['id'];
$username = $_SESSION['username'];
header('Location:admin_panel.php');
}
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
// VALIDATES LOGIN CREDENTIALS //
/* $verify = password_verify('123', $trimmed);
var_dump($password);
var_dump($dbPassword);
var_dump($verify); */
// checks if user is valid in database and admin
if ($username == $dbUsername AND $verify && $admin = 1) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
?>
<?php
$pageTitle = "Casa Mirador | Admin";
include_once('inc/header.php');
?>
<h2 style="text-align: center;">Admin Login</h2>
<div class="login_section_one">
<div class="wrapper">
<!-------- ADMIN LOGIN FORM ---------->
<form method="POST" action="admin_login.php" id="admin_form">
<table class="form_login">
<tr>
<th>
<label for = "username"> Username </label>
</th>
<td>
<input type="text" name="username" id="username">
</td>
</tr>
<tr>
<th>
<label for = "password"> Password </label>
</th>
<td>
<input type="password" name="password" id="password">
</td>
</tr>
</table>
<input type="submit" id="submit" name="submit" value="Login">
</form>
</div>
<?php
include_once('inc/footer.php');
?>
答案 0 :(得分:1)
这应该有用。
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
$verify = password_verify($_POST['password'], $dbPassword); // This should work
if ( $verify ) { // You don't need to check username and is admin, because this is done in the query to the database.
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
答案 1 :(得分:0)
在这段代码中,snipped没有定义$verify变量,它被注释掉了,所以这个条件语句转到'else'部分。
此外$dbUsername始终等于$username,因为它位于$sql的WHERE子句中 - 因此您无需再次检查。
另一件事:你省略了一个=字符 - 更改
if ($username == $dbUsername AND $verify && $admin = 1) {
到
if ($username == $dbUsername AND $verify && $admin == 1) {
您已将1分配给$admin,而不是检查$ admin == 1