Trouble in verifying hash password with the password user entered

Time: 2017-08-05 12:28:10

Tags: php

I am trying to verify the hashed password stored in the database against the password the user enters to log in, but I am unsuccessful with it. I am using password_verify to compare the passwords, but it is not returning true even when I enter the correct password. Please help me!!

    <?php
    include('connect.php');
    var_dump($_POST);      // debugging output of the submitted form
    $tbl_name = 'userC';

    $re  = 0;   // set to 1 when a row for the submitted username exists
    $re1 = 0;   // set to 1 when the entered password matches the stored hash

    if (isset($_POST["USERNAME"]) && isset($_POST["USER_PASSWORD"])) {
        $username1 = $_POST["USERNAME"];
        $password1 = $_POST["USER_PASSWORD"];
    }

    // To protect MySQL injection
    $username1 = stripslashes($username1);
    $password1 = stripslashes($password1);

    $stid = oci_parse($conn, "SELECT * FROM $tbl_name where user_name='$username1'");
    $result = oci_execute($stid);
    //$re = oci_fetch_all($stid,$abc);

    while (($row = oci_fetch_array($stid, OCI_BOTH)) != false) {
        $password = $row[6];   // column holding the stored password hash
        $username = $row[2];   // column holding the user name
        $re = 1;
    }

    if (isset($password)) {
        if (password_verify($password1, $password)) {
            $re1 = 1;
        } else {
            $re1 = 0;
        }
    } else {
        $re1 = 0;
    }

    // If result matched $username and $password, table row must be 1 row
    if ($re >= 1 && $re1 >= 1) {
        // Register $username, $password and redirect to file "login_success.php"
        session_start();
        $_SESSION["username"] = $username;
        header("location:form.php");
    }
    if ($re < 1) {
        $failed = 1;
        header("location:login.php?msg=failed");
    }
    if ($re1 < 1) {
        $failed = 1;
        header("location:verify.php?msg1=failed");
    }
    ?>

1 answer:

Answer 0 (score: 1)

Remove $password1 = stripslashes($password1); from the code. You should not modify the entered password in any way before passing it to password_verify (or, for that matter, password_hash).

By the way, stripslashes does not protect you from SQL injection. Use prepared statements and oci_bind_by_name instead:

    $stid = oci_parse($conn, "SELECT * FROM $tbl_name where user_name=:uname");
    oci_bind_by_name($stid, ":uname", $username1);
    $result = oci_execute($stid);
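As an added example (not code from the question or the answer), this shows why the answer's first point matters: a password containing a backslash verifies when passed through unchanged, but fails once stripslashes has altered it. The checkLogin function and the sample password are constructed for this illustration.

```php
<?php
// Added example, not part of the question or the answer above.
// Shows that the entered password must reach password_verify() unmodified.

// Verify a login attempt against a stored hash without touching the input.
function checkLogin(string $entered, string $storedHash): bool
{
    // A value that password_hash() did not produce (for example a hash
    // truncated by a too-short VARCHAR column) can never verify, so report
    // it explicitly instead of failing silently.
    if (empty(password_get_info($storedHash)['algo'])) {
        throw new RuntimeException('stored value is not a password_hash() hash');
    }
    return password_verify($entered, $storedHash);
}

// Constructed sample password that happens to contain backslashes.
$password = 'pa\ss\w0rd';

// What registration would store in the user table.
$hash = password_hash($password, PASSWORD_DEFAULT);

// The unmodified input verifies.
var_dump(checkLogin($password, $hash));

// stripslashes() turns 'pa\ss\w0rd' into 'passw0rd', so the same hash no
// longer matches; this is the failure the question describes.
var_dump(checkLogin(stripslashes($password), $hash));
```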