Stack Overflow。
我正在尝试为我的网站创建一个登录系统,使用PHP的password_*函数进行密码哈希/验证,但即使输入正确的密码,password_verify()也会返回false。
基本流程是: - 在signup.php中使用哈希密码(使用预设盐进行测试)
我知道这是非常不安全的(一旦它起作用我会收紧它),但这是我的测试代码。
哈希:( signup.php)
<?php
// include my custom MySQL function (it definitely works fine)
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL(); // custom function, returns mysqli object for my DB
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("UPDATE `users` SET `password` = ? WHERE `username` = ?");
$hashed = password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"));
echo "<pre>".$password." Hashed: <pre>".$hashed."</pre><br><br>";
$sql->bind_param('ss', $hashed, $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
} else {
echo "Successfully executed SQL";
}
else: ?>
<form method="GET" action="signup.php"><!--HORRENDOUSLY INSECURE-->
Username: <input type="text" name="username"><br>
New Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
验证:(login.php)
<?php
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL();
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("SELECT * FROM `users` WHERE `username` = ?");
$sql->bind_param('s', $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
}
$result = $sql->get_result();
$udata = array();
while ($data = $result->fetch_assoc()) {
var_dump($data);echo "<br><br>";
$udata[] = $data;
}
echo "<pre>";
var_dump($udata);
echo "</pre>";
echo "Password verify says <pre>";var_dump(password_verify($password, $udata['password']));
echo "</pre><br>PW: <pre>".$password."</pre> / Hash: <pre>".$udata[0]['password']."</pre><br>";
echo "Entered password:";var_dump($password);echo "<br>";
echo "Hash SHOULD be:";var_dump(password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"))); echo "<br>";
if(password_verify($password, $udata[0]['password'])):
echo "you are who you say you are";
else:
echo "wrong password, <a href='?'>try again</a>";
echo "Password algo info:";var_dump(password_get_info($udata[0]['password']));echo "<br>";
endif;
else: ?>
<form method="GET" action="login.php"><!--INSECURE, USE POST AFTER TESTING-->
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
哈希肯定存储在数据库中,并且肯定被检索得很好,只是password_verify()没有任何一个。
我真的很感激这里的一些帮助。 :)
感谢。
答案 0 :(得分:1)
代码中的几个发现问题的列表:
使用$_REQUEST_['password']代替$_REQUEST['password']。
使用$udata['password']代替$udata[0]['password'](仅与调试相关)。
根据评论,主要问题是(我认为)生成哈希的第一项。