基本上我遇到了哈希问题并且验证了密码,我希望有人可以通过证明阅读一些代码来帮助我。
以下是注册(php代码):
include '../includes/connection.php';
$userID = $_POST['userID'];
$userName = $_POST['userName'];
$Pass = $_POST['password'];
$encrypted_password = password_hash($Pass, PASSWORD_DEFAULT);
if(!empty($userName) && !empty($Pass) && !empty($userID)){
$records = "SELECT * FROM Admins WHERE ID='$userID' OR Username='$userName' OR Password='$encrypted_password'";
$results = mysqli_query($connect,$records);
if ($results->num_rows == 1){
$message = "You have already requested an account.";
echo "<script type='text/javascript'>alert('$message');</script>";
}else{
$query = "INSERT INTO Admins (`ID`,`Username`,`Password`,`AdminLevel`) VALUES ('$userID','$userName','$encrypted_password','0')";
$run = mysqli_query($connect,$query);
$message = "Your request has been submitted.";
echo "<script type='text/javascript'>alert('$message');</script>";
}
}
以下是登录(php代码)
if(!empty($userName) && !empty($Pass)){
$sql = "SELECT * FROM Admins WHERE Username='$userName'";
$sqlr = mysqli_query($connect,$sql);
$sqlrow = $sqlr->fetch_assoc();
$dbPass = $sqlrow['Password'];
$hash = password_verify($Pass, $dbPass);
if ($hash == 0){
die("There was no password found matching what you have entered.");
}else{
$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";
$results = mysqli_query($connect,$records);
if ($results->num_rows == 1){
$row = $results->fetch_assoc();
$_SESSION['user_id'] = $row['ID'];
$_SESSION['admin_level'] = $row['AdminLevel'];
$_SESSION['user_name'] = $row['Username'];
$easyName = $_SESSION['user_name'];
$recordsS = "UPDATE `Admins` SET Status='1' WHERE Username='$userName'";
$resultsS = mysqli_query($connect,$recordsS);
header("Location: index.php");
}else{
die("Sorry... you have entered incorrect login information.");
}
}
}
这是数据库标题:https://gyazo.com/69380c5cd0df0259d31799b71f33ce47
当我在网站上测试这个并且我使用正确的信息登录时,&#34;抱歉...您输入了错误的登录信息。&#34;是的回应。
如果我使用虚假信息登录,&#34;找不到与您输入的内容相匹配的密码。&#34;是的回应。
为什么它可以检测到密码,但没有正确执行登录部分中的else语句?
答案 0 :(得分:5)
您的$records查询失败,因为您选择Password='$hash'"其中$hash为true或false。查询应具有以下条件:Password='$dbPass'"
正如肠道检查:重要的是要注意的是数据库中的密码字段应该是巨大的。 password_hash()可以生成一些非常冗长的文本( 当前默认值为60个字符 ),因此将字段设置得更大将允许所需的长度。其次,PHP团队正在为该方法添加更多算法,这意味着哈希可以并且将会增长。我们也不想限制用户使用他们选择的密码或密码的能力。最好为变化留出空间。
还有一件事:Little Bobby说 your script is at risk for SQL Injection Attacks. 了解prepared的MySQLi语句。即使escaping the string也不安全! Don't believe it?
答案 1 :(得分:0)
您在查询中遇到一个小错误:
$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";
您错误地将密码与布尔值匹配。它应该是:
$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$dbPass'";
您需要为此匹配哈希$ Pass变量。函数password_verify在进行匹配后返回一个布尔值,但实际的哈希是在方法内部完成的。