Codeigniter中的密码验证

时间:2018-01-08 10:26:56

标签: php codeigniter validation

大家好,我在codeigniter中验证登录时遇到了这个问题,好像它没有在我的数据库中检查所需的密码。我的数据库中所需的密码是哈希使用这个

$password_hash = password_hash($password, PASSWORD_BCRYPT);

我也在使用这个哈希来测试它的能力和安全性。

我的登录视图中的代码是:

<div class="container">
  <div class="card card-login mx-auto mt-5">
    <div class="card-header">Login</div>
    <div class="card-body">
      <form method = "post" action=<?php echo base_url("Ec_controller/login"); ?> >
        <div class="form-group">
          <label for="Username">Username</label>
          <input class="form-control" id="username" name="username" type="text" aria-describedby="emailHelp" placeholder="Enter Username">
        </div>
        <div class="form-group">
          <label for="Password">Password</label>
          <input class="form-control" id="password" name= "password" type="password" placeholder="Enter Password">
        </div>
        <div class="form-group">
          <div class="form-check">
            <label class="form-check-label">
              <!-- <input class="form-check-input" type="checkbox"> Remember Password</label> -->
          </div>
        </div>        
        <input type="submit" name="submit" id="submit" class="btn btn-primary btn-xm" value="Log In" />
      </form>
      <div class="text-center">
        <!-- <a class="d-block small" href="#">Forgot Password?</a> -->
      </div>
    </div>
  </div>
</div>

在我的控制器上:

public function login(){


    $this->load->library('form_validation');

    $this->form_validation->set_rules('username', 'Username', 'required|trim|callback_validate_credentials');
    $this->form_validation->set_rules('password', 'Password', 'required|trim');

    $username = $this->input->post('username');
    $password = $this->input->post('password');
    $user_id ="";

    if($this->form_validation->run()){

            $data = array(
                'log_username' => $username,
                'is_logged_in' =>1

            );
            $this->session->set_userdata($data);
            $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                             ->from("ec_login")
                             ->where("log_username", $username)
                             ->get();



            foreach($sql2->result() as $user_level){

                $user_id = $user_level->log_userlevel;

            }
            if($user_id == 1){

                redirect('Ec_controller/view_admin');

            }elseif ($user_id == 2) {

                redirect('Ec_controller/view_it');
            }else{

                redirect("Ec_controller/index");
            }

    }else{

        redirect('Ec_controller/index');
    }


}

public function validate_credentials(){

    $this->load->model('Ec_model');

    if($this->Ec_model->can_log_in()){
        return true;
    }else{
        $this->form_validation->set_message('validate_credentials', '<font color=red>Incorrect username/password</font>');
        return false;
    }
}

和我的模特:

公共职能can_log_in(){

$this->db->where('log_username', $this->input->post('username'));
$this->db->where('log_password', password_verify($this->input->post('password'), PASSWORD_BCRYPT));       
$query = $this->db->get('ec_login');

  if($query->num_rows() == 1)
   {        
     return true;
   }else{
      return false;
   }
}

当我输入用户名时,它会验证所需的用户名,唯一的问题是密码,无论我对密码进行验证并重定向到特定的页面/视图,这听起来都很疯狂。帮助和一点解释会很有帮助。

3 个答案:

答案 0 :(得分:1)

在您的登录功能中,您不会根据数据库中的值检查密码,因此查询只是匹配用户名并忽略密码。您需要将以下内容添加到db查询中:

$password_hash = password_hash($password, PASSWORD_BCRYPT);
...
->where('log_password', $password_hash)

您还应该将此行:$this->session->set_userdata($data);移到查询下方,并将其放在if语句中:

if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}

所以整个事情看起来像:

$ password_hash = password_hash($ password,PASSWORD_BCRYPT);

$sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                             ->from("ec_login")
                             ->where("log_username", $username)
                             ->where('log_password', $password_hash)
                             ->get();
if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}

答案 1 :(得分:1)

解决了它。

由于没有仔细阅读PHP手册中password_verify()的使用,我非常愚蠢。好吧,我终于明白了。以下是我对“更新后的问题”的回答。

public function login(){


$this->load->library('form_validation');

$this->form_validation->set_rules('username', 'Username', 'required|trim');
$this->form_validation->set_rules('password', 'Password', 'required|trim');

$username = $this->input->post('username');
$password = $this->input->post('password');
$user_id ="";

if($this->form_validation->run()!= true){


        redirect('Ec_controller/index');


}else{



        $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                         ->from("ec_login")
                         ->where("log_username", $username)
                         ->get();



        foreach($sql2->result() as $user_level){

            $user_id = $user_level->log_userlevel;
            $user_password_db = $user_level->log_password;

        }

        $data = array(

            'log_username'  =>$username,
            'log_userlevel' =>$user_id,
            'log_password'  =>$user_password_db,
            'is_logged_in'  =>1

        );
        $this->session->set_userdata($data);


        if(password_verify($password,$user_password_db) && $user_id == 1){

            redirect('Ec_controller/view_admin');


        }elseif (password_verify($password,$user_password_db) && $user_id == 2) {

            redirect('Ec_controller/view_it');
        }else{

            redirect("Ec_controller/index");
        }





}

}

这让我很头疼,但这是值得的,我对结果感到高兴。

答案 2 :(得分:0)

callback in your controller:

public function password_check($str)
{
   if (preg_match('#[0-9]#', $str) && preg_match('#[a-zA-Z]#', $str)) {
     return TRUE;
   }
   return FALSE;
}
Then, update your rule to use it:

$this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]|min_length[8]|alpha_numeric|callback_password_check');