使用password_verify时,任何密码都足够了,为什么?

时间:2015-12-27 21:06:24

标签: php passwords verify

已经阅读了我能找到的与此相关的所有问题,但仍无法找到有用的答案(对我有帮助)。

我的问题是我在使用password_verify时可以使用任何密码登录。

login_process.php 

include_once("db.php"); 

if(!empty($_POST['login'])) { 
        // Escape variables
        $input_username = mysqli_real_escape_string($connectdb, $_POST['username']);
        $input_password = mysqli_real_escape_string($connectdb, $_POST['password']);

//Query to find username
            $query = "SELECT id, username, password, email FROM usersdt091g WHERE username = '$input_username'";
            $query2 = "SELECT password FROM usersdt091g WHERE username = '$input_username'";
            $res = mysqli_query($connectdb, $query2);
            $dbpass = mysqli_fetch_assoc($res);
            $hash = $dbpass[0]['password'];
            $result = mysqli_query($connectdb, $query);
            $row = mysqli_fetch_assoc($result);

        // Login ok = false, then render it true if conditions met
        $login_ok = false; 

        if(password_verify($input_password, $hash)) 
        { 
                // If they do, then we flip this to true 
                $login_ok = true; 
        } 

        // If login ok
        if($login_ok = true) 
        {
            // Session variables
            $_SESSION['user'] = $row;

            // Redirect user to secret page. 
            header('Location: blahalblal'); 
            exit; 
        } else {
            // Tell the user they failed
            $errors[] = "<p>Login Failed MISERABLY!</p>"; 
        }
    }
?>

Image of Database table

我的注册流程如下所示。 signup.php 

<?php 
   include_once("db.php"); 

    if(isset($_POST['signup']))
{
 $username = mysqli_real_escape_string($connectdb, $_POST['username']);
 $email = mysqli_real_escape_string($connectdb, $_POST['email']);
 $password = mysqli_real_escape_string($connectdb, $_POST['password']);
 $hash = password_hash($password, PASSWORD_DEFAULT);

 if(mysqli_query($connectdb, "INSERT INTO usersdt091g (username, email, password) VALUES ('$username','$email','$hash')"))
 { 
     $successs[] = "<p>Great Success, please login!</p>";
 }
}
?>

我可以使用所有和任何帮助,

埃里克

2 个答案:

答案 0 :(得分:0)

这将始终为真:

if($login_ok = true)

因为赋值布尔值的结果是布尔值本身。您可能想要比较值而不是 assign 它:

if($login_ok == true)

答案 1 :(得分:0)

这是我发现的作品,感谢David我将整个比较运算符排除在外。我还删除了不必要的查询。为了从数据库中获取用户名和用户密码以匹配输入,我必须确保它们匹配。有时盯着自己瞎了但是,在$login_ok == true之前匹配用户名和用户密码。 

<?php 
   include_once("db.php"); 

if(!empty($_POST['login'])) { 
        // Escape variables
        $input_username = mysqli_real_escape_string($connectdb, $_POST['username']);
        $input_password = mysqli_real_escape_string($connectdb, $_POST['password']);
        //Query to find username
        $query = "SELECT id, username, password, email FROM users WHERE username = '$input_username'";
        $result = mysqli_query($connectdb, $query);
        $row = mysqli_fetch_assoc($result);
        $userid = $row['username'];
        $hash = $row['password'];
        //var_dump($dbpassword[0]);
        // Login ok = false, then render it true if conditions met
        $login_ok = false; 

        if(password_verify($input_password, $hash) && $userid === $input_username) 
        { 
                // If they do, then we flip this to true 
                $login_ok = true; 
        } 

        // If login ok
        if($login_ok == true) 
        {
            // Session variables
            $_SESSION['user'] = $row;

            // Redirect user to secret page. 
            header('Location: portfolio_admin.php'); 
            exit; 
        } else {
            // Tell the user they failed
            $errors[] = "<p>Login Failed MISERABLY!</p>"; 
        }
    }
?>
相关问题
最新问题