Question

在注册过程中，用户的密码将作为加密的BCRYPT密码保存在数据库中。

我的问题是：为什么我无法使用输入的密码验证加密的数据库密码？

CODE：

<?php                       //POST VARIABLES
                    $submit = $_POST['login_submit'];
                    $username = $_POST['login_username'];
                    $password = $_POST['login_password'];
                    $email = $_POST['login_email'];

require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}

//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);


//ERRS ARRAY DECLARED
$errors = array();

//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}   
?>

我收到错误消息“帐户不存在”＆＃39;即使我输入有效信息。

谢谢， -Eugene

编辑改为：

        <?php                       //POST VARIABLES
                            $submit = $_POST['login_submit'];
                            $username = $_POST['login_username'];
                            $password = $_POST['login_password'];
                            $email = $_POST['login_email'];

    require 'password_config.php';
    if(isset($submit)){
    require 'db/connect.php';
    //PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
    $user_pass = $row['password'];
    $veri_password = password_verify($password, $user_pass);
    }
    if($veri_password === true){
    //CHECKING NUM ROWS
       $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
       $entered_user = mysql_query($sql);
       $num_rows = mysql_num_rows($entered_user);


    //ERRS ARRAY ESTABLISHED
       $errors = array();

    //FURTHER VERIFYING
       if( $num_rows != 1 )
       {
       $errors[] = '-Account does not exist ';
       }
       elseif( $num_rows == 1 )
       {
       session_start();
       while($row = mysql_fetch_array($entered_user)){
       $_SESSION['key'] === true;
       $_SESSION['id'] = $row['id'];
       $_SESSION['email'] = $email;
       $_SESSION['user'] = $row['username'];
       $_SESSION['pass'] = $password;
       header('Location: profile.php');
       exit();
       }
       }
       }
    }   
    ?>

Answer 1

更改为：

$sql = "SELECT id, username FROM users WHERE email='$email'";

同样改变：

$veri_password = password_verify($password, $user_pass);

到

if(!password_verify($password, $user_pass)){
   echo 'invalid password';
   exit;
}

无论如何，你的代码很容易被sql注入。请考虑在查询中使用预准备语句或使用mysql_real_escape_string转义输入字符串。。此外，建议使用mysqli或pdo代替程序方法

MySql Password_verify（）无效？

1 个答案: