我的登录表单如下:
<form class="form-signin" method="post" id="login-form">
<div id="img_container" class="imgcontainer">
<img src="../images/img_avatar2.png" alt="Avatar" class="avatar">
</div>
<?php
if(isset($msg)){
echo $msg;
}
?>
<div id="container" class="container">
<label><b>Navn</b></label>
<input type="text" placeholder="Enter E-mail" name="email" required>
<label><b>Password</b></label>
<input type="password" placeholder="Enter Password" name="psw" required>
<button type="submit" name="btn-login" id="btn-login">Login!</button>
<input type="checkbox" checked="checked"> Rember me
<span class="psw"><a href="#">Forgot your passowrd?</a></span>
</div>
</form>
我与数据库的连接如下所示:
<?php
session_start();
require_once '../db/dbconnect.php';
if (isset($_POST['btn-login'])) {
$email = strip_tags($_POST['email']);
$password = strip_tags($_POST['psw']);
$email = $DBcon->real_escape_string($email);
$password = $DBcon->real_escape_string($password);
$query = $DBcon->query("SELECT user_id, email, psw FROM Users WHERE email='$email'");
$row=$query->fetch_array();
$count = $query->num_rows; // if email/password are correct returns must be 1 row
if (password_verify($password, $row['psw']) && $count==1) {
$_SESSION['userSession'] = $row['user_id'];
header("Location: student.php");
} else {
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> Invalid E-mail or Password !
</div>";
}
$DBcon->close();
}
?>
我与数据库的连接很好,但错误“无效的电子邮件或密码!”不断出现,但我已经测试了输入是正确的数据。
是因为我在数据库中的密码是否已经哈希?或者我只是犯了一个愚蠢的错误?
编辑1:
这是我在用户创建时散列密码之前所做的事情。 我这样工作正常,我在制作用户时没有任何错误,它在登录时出现错误
$uname = strip_tags($_POST['uname']);
$upass = strip_tags($_POST['psw']);
$phone = strip_tags($_POST['mobil']);
$email = strip_tags($_POST['email']);
$lat = strip_tags($_POST['lat']);
$long = strip_tags($_POST['long']);
$role = strip_tags($_POST['role']);
$uname = $DBcon->real_escape_string($uname);
$upass = $DBcon->real_escape_string($upass);
$phone = $DBcon->real_escape_string($phone);
$email = $DBcon->real_escape_string($email);
$lat = $DBcon->real_escape_string($lat);
$long = $DBcon->real_escape_string($long);
$role = $DBcon->real_escape_string($role);
答案 0 :(得分:1)
来自Proper Password Preparation with PHP
password_hash()函数可以生成一些非常冗长的文本( 当前默认值为60个字符 ),因此现在使字段尽可能大为了所需的长度。其次,PHP团队正在为该方法添加更多算法,这意味着哈希可以并且将会增长。我们也不想限制用户使用他们选择的密码或密码的能力。最好为变化留出空间。
此外:确保您 don't escape passwords 或在散列之前使用其他任何清理机制。这样做更改密码并导致不必要的额外编码。
答案 1 :(得分:0)
请查看以下代码。
session_start();
require_once '../db/dbconnect.php'; //Am assuming u are using PDO
if (isset($_POST['btn-login'])) {
$email = strip_tags($_POST['email']);
$password = $_POST['password'];
$query = "SELECT user_id, email, psw, FROM Users WHERE email = :email";
$queryStat = $DBcon->prepare($query);
$queryStat->execute(['email'=>$email]);
$row = $queryStat->fetch(PDO::FETCH_ASSOC);
$encryptedPassword = $row['psw'];
if (password_verify($password, $encryptedPassword)) { //No need for row count
$_SESSION['userSession'] = $row['user_id'];
header('Location: student.php');
}else{
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> Invalid E-mail or Password !
</div>";
}
}