Can't get PHP password_verify() to work

Time: 2016-04-06 13:17:19

Tags: php postgresql login-script password-hash

I'm using PHP 7 and Postgres, and I can't get this password hashing thing to work.

This is my user registration. It outputs a password like "$2y$10$1GWNRZokmwGR1/dxnMRiOuw4/dNh2IzH9O2QvIu5wjlLAX2OZRW5G", which seems to work:

<?php
include 'core/init.php';

if (empty($_POST) === false) {
    $required_fields = array('username', 'password', 'confirm_password', 'first_name', 'last_name', 'email_address', 'phone',
        'department', 'group_role');
    foreach ($_POST as $key => $value) {
        if (empty($value) && in_array($key, $required_fields) === true) {
            $errors[] = 'Fields marked with asterisk are required';
            break 1;
        }
    }
}

if (empty($errors) === true) {
    if (user_exists($_POST['username']) === true) {
        $errors[] = 'Sorry, the username \'' . $_POST['username'] . '\' is already taken';
    }
    if (preg_match("/\\s/", $_POST['username']) == true) {
        $errors[] = 'Your username must not contain any spaces';
    }
    if (strlen($_POST['password']) < 14) {
        $errors[] = 'Your password must be at least 14 characters';
    }
    if ($_POST['password'] !== $_POST['confirm_password']) {
        $errors[] = 'Your passwords do not match';
    }
    if (filter_var($_POST['email_address'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required';
    }
    if (email_exists($_POST['email_address']) === true) {
        $errors[] = 'Sorry, this email \'' . $_POST['email_address'] . '\' is already registered';
    }
}

if (isset($_GET['success']) && empty($_GET['success'])) {
    include 'include/iHead.php';
    include 'include/widgets/login.php';
    include 'include/widgets/login_report.php';
    if (empty($errors) === false) {
        ?>
        <h3>Registration Successful! You will receive an email once your registration is approved. </h3>
        <?php
        include 'include/widgets/login_rpt.php';
    }
} else {
    if (empty($_POST) === false && empty($errors) === true) {
        $user_req = $_POST['username'];
        $password = $_POST['password'];
        $hashedPassword = password_hash($password, PASSWORD_DEFAULT)."\n";
        $register_data = array(
            'username' => $_POST['username'],
            'password' => $hashedPassword,
            'first_name' => $_POST['first_name'],
            'last_name' => $_POST['last_name'],
            'email_address' => $_POST['email_address'],
            'phone' => $_POST['phone'],
            'department' => $_POST['department'],
            'region' => $_POST['region'],
            'group_role' => $_POST['group_role'],
            'active' => 0
        );
        register_user($register_data);
        header('Location: register.php?success');
        exit();
    } else if (empty($errors) === false) {
        include 'include/iHead.php';
        include 'include/widgets/login.php';
        include 'include/widgets/login_report.php';
        if (empty($errors) === false) {
            ?>
            <h3>Registration unsuccessful: </h3>
            <?php
            echo output_errors($errors);
            include 'include/widgets/login_rpt.php';
        }
    }
}
function email_exists($email) {
    $email = sanitize($email);
//    echo "SELECT COUNT (userid) FROM user_profiles WHERE email_address = '$email'";
    return (pg_fetch_result(pg_query("SELECT COUNT (userid) FROM user_profiles WHERE email_address = '$email'"), 0) == 1) ? true : false;
}
?>

This is my login script:

<?php
include 'core/init.php';

if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'Please enter a username and password';
    } else if (user_exists($username) === false) {
        $errors[] = 'Username not found.  Please register.';
    } else if (user_active($username) === false) {
        $errors[] = 'Account not active';
    } else {

        if (strlen($password) > 32) {
            $errors[] = 'Password too long';
        }

        $hash = login($username, $password);
        if (password_verify($password, "$hash")) {
            $_SESSION['userid'] = $login;
            header('Location: main.php');
            exit;
        } else {
            $errors[] = " Username & Password are incorrect";
        }
    }
} else {
    header('Location: index.php');
}
include 'include/iHead.php';
include 'include/widgets/login.php';
include 'include/widgets/login_report.php';
if (empty($errors) === false) {
    ?>
    <h3>login unsuccessful: </h3>
    <?php
    echo output_errors($errors);
    include 'include/widgets/login_rpt.php';
    include 'include/eFoot.php';
}
function login($username, $password) {
    $user_id = get_id($username);
    $username = sanitize($username);
//    $hash = password_hash($password, PASSWORD_DEFAULT);
    $row = pg_fetch_assoc(pg_query("SELECT password FROM user_profiles WHERE username = '$username'"));
    $hash = $row['password'];
    return $hash;
}
?>

I'm new to PHP, so any help would be great!
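The following is an added example, not the asker's code. It isolates the defect that is visible in the registration script above (`password_hash(...)."\n"` stores a 61-byte string instead of the 60-character bcrypt hash, so `password_verify()` can never match it) and shows the same register/login flow written with `pg_query_params()`, which sends the username and hash as separate parameters so nothing needs manual escaping. The `user_profiles(username, password)` columns are taken from the question; the connection handle `$conn` and the demo password are assumptions.

```php
<?php
// Added example (not from the question). Assumes a pgsql connection $conn and the
// user_profiles(username, password) columns used in the asker's scripts.
declare(strict_types=1);

// 1. What the question's register.php does: password_hash() . "\n".
//    The newline becomes part of the stored value, so the string handed to
//    password_verify() is not a valid 60-character bcrypt hash any more.
function demo_trailing_newline(string $plaintext): array
{
    $clean       = password_hash($plaintext, PASSWORD_DEFAULT);
    $withNewline = $clean . "\n";   // exactly what the posted registration code stores

    return [
        'clean_len'      => strlen($clean),                                   // 60
        'stored_len'     => strlen($withNewline),                             // 61
        'verify_clean'   => password_verify($plaintext, $clean),              // true
        'verify_newline' => password_verify($plaintext, $withNewline),        // false
        'verify_trimmed' => password_verify($plaintext, rtrim($withNewline)), // true
    ];
}

// 2. Store the hash with a parameterised query. The values travel separately
//    from the SQL text, so user input cannot change the statement and the hash
//    is stored byte-for-byte as password_hash() produced it.
function register_user_hash($conn, string $username, string $plaintext): bool
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);   // no "\n" appended
    $result = pg_query_params(
        $conn,
        'INSERT INTO user_profiles (username, password) VALUES ($1, $2)',
        [$username, $hash]
    );
    return $result !== false;
}

// 3. Fetch the stored hash the same way and let password_verify() compare.
//    rtrim() tolerates rows already written with the trailing newline; bcrypt
//    hashes contain no whitespace, so trimming cannot damage a correct one.
function verify_login($conn, string $username, string $plaintext): bool
{
    $result = pg_query_params(
        $conn,
        'SELECT password FROM user_profiles WHERE username = $1',
        [$username]
    );
    if ($result === false) {
        return false;
    }
    $row = pg_fetch_assoc($result);
    if ($row === false) {
        return false;                       // unknown user
    }
    $hash = rtrim($row['password']);
    if (!password_verify($plaintext, $hash)) {
        return false;
    }
    // Re-hash transparently if PASSWORD_DEFAULT or its cost changes later.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        pg_query_params(
            $conn,
            'UPDATE user_profiles SET password = $1 WHERE username = $2',
            [password_hash($plaintext, PASSWORD_DEFAULT), $username]
        );
    }
    return true;
}

// The demo below needs no database (constructed sample password).
$r = demo_trailing_newline('correct horse battery staple');
printf("clean hash: %d bytes, as stored by register.php: %d bytes\n",
    $r['clean_len'], $r['stored_len']);
var_dump($r['verify_clean'], $r['verify_newline'], $r['verify_trimmed']);
```

Two things to check on a database that the posted script has already written to: `length(password)` in `user_profiles` should be 60 for every row, and any row that comes back as 61 was written with the newline. Separately, bcrypt only uses the first 72 bytes of the password; the login script rejects anything over 32 characters while registration sets no upper bound, so the two scripts should agree on one limit or the mismatch will lock out users whose registration succeeded.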

1 answer:

Answer 0: (score: 0)

OK, thanks for the answers, but none of them was right. I had to use pg_escape_string before the hash and verify functions. Simple, simple, simple....