password_verify不断返回false

时间:2017-12-08 15:46:19

标签: php mysql

好的,所以我已经在我的一个页面上运行了password_hash。

我想知道如何将password_verify应用于以下代码:

function selectUser($ conn,$ username,$ password) {

$query = "SELECT username, password FROM login WHERE password = :password AND username = :username";

$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
$stmt->bindValue(':password', $password);
$stmt->execute();


if ($row = $stmt->fetch()) {
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    echo "Welcome, you are now logged in as " . $username;
    return true;
}

else {
    //echo "Your details were not found";
    return false;
}

我自己试了一下,这对我来说很困惑。

谢谢

也得到了这个:

if(!isset($_POST["Login"]))
{
    header("Location:new-user.php");
}


$username=trim($_POST['username']);
$password=$_POST['password'];

$username= htmlspecialchars($username);
$validForm = true;

if (empty($_POST["username"]))
            {
            $validForm=false;
            }
if (empty($_POST["password"]))  
            {
            $validForm=false;
            }
if (!$validForm) {

$error = "please ensure all fields are filled in";
include("add.php");
return false;

}           


$conn=getConn();
$successLogin=selectUser($conn,$username,$password);
if($successLogin)
{
       header( "Location: search.php" );
}else{
       $error = "The details you have entered are incorrect";
      include("add.php"); 
}

$conn=NULL; //close the connection

更新

也试过这个:知道这不起作用,用echo语句测试但仍然没有运气

function hash_input() {

$password = "sfafgsd";

return $password = password_hash($_POST['password'], PASSWORD_BCRYPT);
}



function selectUser($conn, $username, $password)
{
    $query = "SELECT password FROM login WHERE username = :username"; 
    $stmt = $conn->prepare($query);
    $stmt->bindValue(':username', $username);
    $stmt->execute();
echo $username . " " . $password;
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
    {
        echo "WE MADE IT"; 
        if(password_verify(hash_input($password), $row['password'])){  
            $_SESSION['username'] = $username;
            echo "Welcome, you are now logged in as " . $username; 
            return true;
        }

        //echo "Your details were not found";
        sleep(1); 
        return false; 
    }
    else
    {
        //echo "Your details were not found";
        return false;
    }
}

1 个答案:

答案 0 :(得分:2)

Mark给出的评论完全涵盖以下内容。

活动顺序:

  • 将用户名发送到数据库并从找到的行中收集哈希密码。
  • 运行通过password_verify给出的密码字符串,以与散列值进行比较
  • 返回此结果(true / false)。
  • 庆祝。喝咖啡或茶。

不需要$_SESSION密码数据,这是一个坏主意。密码数据(散列或纯文本)不应保留在此函数调用之外。如果由于某种原因需要使用与此帐户/成员资格/登录相关联的随机数值,则应使用数据库中自己的列中的随机字符串进行设置。

改进的功能代码 

function selectUser($conn, $username, $password)
{
    $query = "SELECT password FROM login WHERE username = :username LIMIT 1"; 
    $stmt = $conn->prepare($query);
    $stmt->bindValue(':username', $username);
 // $stmt->bindValue(':password', $password); NO Don't do this.
    $stmt->execute();

    if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
    {
        if(password_verify($password,$row['password'])){
            $_SESSION['username'] = $username;
   //       $_SESSION['password'] = $password; DO NOT DO THIS
            echo "Welcome, you are now logged in as " . $username; 
            return true;
        }
        //bad password
        //echo "Your details were not found";
        sleep(1); // it can be a good idea to add a forced pause on
                  // password fail to discourage brute force cracking. 
        return false; 
    }
    //echo "Your details were not found";
    return false;
}
相关问题
最新问题