继承我的代码: - registered.php - 此文件将新用户的用户名和密码发送到数据库
<?php include "config.php"; ?>
<?php
$username = $_POST['username'];
$email = $_POST['email'];
$mypassword = $_POST['password'];
$defaultrank = "user";
$password=password_hash($mypassword, PASSWORD_BCRYPT);
?>
<?php if(isset($_REQUEST['submit'])) { ?>
<?php
$sql = "INSERT INTO usr (username, password, email, rank)
VALUES ('$username', '$password', '$email', '$defaultrank')";
if ($conn->query($sql) === TRUE) { ?>
<meta http-equiv="refresh" content="0; url=register.php#registrationsuccess" />
<?php }
else{ ?>
<meta http-equiv="refresh" content="0; url=register.php#registrationfailed" />
<?php } ?>
<?php $conn->close(); ?>
<?php } ?>
- redir.php - 这会将登录信息发送到要验证的数据库
<link rel="stylesheet" href="css/font-awesome.min.css">
<?php
session_start();
ob_start();
$host="localhost";
$user="root";
$pass="root";
$db="usr";
$tbl="usr";
mysql_connect("$host", "$user", "$pass")or die("cannot connect");
mysql_select_db("$db")or die("cannot select DB");
include 'registered.php';
$myusername=$_POST['myusername'];
$user = $myusername;
$mypassword=$_POST['mypassword'];
$pass = $mypassword;
// $password=md5($mypassword);
$hashAndSalt = password_hash($password, PASSWORD_BCRYPT);
$savemyusername = $myusername;
$savemypassword = $mypassword;
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl WHERE username='$myusername' and password='password_verify($password, $hashAndSalt)'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
// Sessions //
$_SESSION["pass"] = $pass;
$_SESSION["user"] = $user;
// END //
echo <<<EOF
<meta http-equiv="refresh" content="0; url=membersarea.php" />
EOF;
}
else { ?>
<meta http-equiv="refresh" content="0; url=login.php#loginfailed" />
<?php
}
ob_end_flush();
?>
登录系统可以正常使用md5 来自registered.php的数据也被发送到数据库,它只是验证数据是什么问题
答案 0 :(得分:1)
$sql="SELECT [..snip..] and password='password_verify($password, $hashAndSalt)'";
^^^^^^^^^^^^^^^
你不能在一个字符串中嵌入PHP代码并期望PHP执行它,MySQl也不会为你执行PHP代码,因为MySQL完全不知道PHP是什么。
即使那个php函数调用神奇地以某种方式执行,它也只能返回一个布尔值,因此你的代码(在魔法王国中)可归结为两种可能性:
... password = false
... password = true