使用密码哈希注册/登录然后密码验证

时间:2018-05-03 01:40:28

标签: php mysql login phpmyadmin password-hash

我正在为我正在创建的页面创建一个PHP函数,我在其中注册用户并在名为users的MYSql数据库中散列其密码。注册部分工作正常,我看到正在创建用户和他们的密码被哈希,但当我尝试使用Login.php并使用我保存的相同密码时,它不起作用。这是我在我的function.php中输入的代码:

// REGISTER USER
if (isset($_POST['reg_user'])) {
    // receive all input values from the form
    $username = esc($_POST['username']);
    $password_1 = esc($_POST['password_1']);
    $password_2 = esc($_POST['password_2']);

    // form validation: ensure that the form is correctly filled
    if (empty($username)) {  array_push($errors, "Uhmm...We gonna need your username"); }

    if (empty($password_1)) { array_push($errors, "uh-oh you forgot the password"); }
    if ($password_1 != $password_2) { array_push($errors, "The two passwords do not match");}

    // Ensure that no user is registered twice.
    // the email and usernames should be unique
    $user_check_query = "SELECT * FROM users WHERE username='$username' LIMIT 1";

    $result = mysqli_query($conn, $user_check_query);
    $user = mysqli_fetch_assoc($result);

    if ($user) { // if user exists
        if ($user['username'] === $username) {
            array_push($errors, "Username already exists");
        }
    }

    // register user if there are no errors in the form
    if (count($errors) == 0) {
        $password =  password_hash($password_1, PASSWORD_DEFAULT);//encrypt the password before saving in the database
        $user_dir = $_POST['username'];
        $query = "INSERT INTO users (username, password, user_dir, status, admin)
                      VALUES('$username', '$password', '$user_dir', 'OPEN', 'N')";
        mysqli_query($conn, $query);

        // get id of created user
        $reg_user_id = mysqli_insert_id($conn);

        // put logged in user into session array
        $_SESSION['user'] = getUserById($reg_user_id);

        // if user is admin, redirect to admin area
        if ( in_array($_SESSION['user']['admin'], ["Y", "N"])) {
            $_SESSION['message'] = "You are now logged in";
            // redirect to admin area
            header('location: ' . BASE_URL . 'admin/dashboard.php');
           // exit(0);
        } else {
            $_SESSION['message'] = "You are now logged in";
            // redirect to public area
          //  header('location: index.php');
            exit(0);
        }
    }
}

这很好用,不起作用的部分是我的login.php的登录功能:

// LOG USER IN
if (isset($_POST['login_btn'])) {
    $username = esc($_POST['username']);
    $password = esc($_POST['password']);

    if (empty($username)) { array_push($errors, "Username required"); }
    if (empty($password)) { array_push($errors, "Password required"); }
    if (empty($errors)) {


 Here is the problem--> $password =  password_hash($password, PASSWORD_DEFAULT); // encrypt password

        $sql = "SELECT * FROM users WHERE username='$username' and password='$password' LIMIT 1";

        $result = mysqli_query($conn, $sql);
        if (mysqli_num_rows($result) > 0) {
            // get id of created user
            $reg_user_id = mysqli_fetch_assoc($result)['id'];

            // put logged in user into session array
            $_SESSION['user'] = getUserById($reg_user_id);

            // if user is admin, redirect to admin area
            if ( in_array($_SESSION['user']['admin'], ["Y", "N"])) {
                $_SESSION['message'] = "You are now logged in";
                // redirect to admin area
              //  header('location: ' . BASE_URL . '/admin/dashboard.php');
                exit(0);
            } else {
                $_SESSION['message'] = "You are now logged in";
                // redirect to public area
              //  header('location: index.php');
                exit(0);
            }
        } else {
            array_push($errors, 'Wrong credentials');
        }
    }
}

我认为我的问题绝对是这样的:

 $password =  password_hash($password, PASSWORD_DEFAULT); // encrypt password

我尝试用它取代的是

$password = password_verify($password, mysqli_num_rows($result);

没有任何反应但是我知道password_verify函数的2部分与$ password匹配,它在表中我假设是行(因此尝试使用num_rows)。

非常感谢任何帮助。

2 个答案:

答案 0 :(得分:1)

添加了password_verify()来验证登录,而不仅仅是sql

更新代码:

<?php

if (isset($_POST['login_btn'])) {
    $username = esc($_POST['username']);
    $password = esc($_POST['password']);

    if (empty($username)) { array_push($errors, "Username required"); }
    if (empty($password)) { array_push($errors, "Password required"); }
    if (empty($errors)) {


        $sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";

        $result = mysqli_query($conn, $sql);
        $row = mysqli_fetch_assoc($result);

        if (password_verify($password, $row['password'])) {
            // get id of created user
            $reg_user_id = $row['id'];

            // put logged in user into session array
            $_SESSION['user'] = getUserById($reg_user_id);

            // if user is admin, redirect to admin area
            if ( in_array($_SESSION['user']['admin'], ["Y", "N"])) {
                $_SESSION['message'] = "You are now logged in";
                // redirect to admin area
              //  header('location: ' . BASE_URL . '/admin/dashboard.php');
                exit(0);
            } else {
                $_SESSION['message'] = "You are now logged in";
                // redirect to public area
              //  header('location: index.php');
                exit(0);
            }
        } else {
            array_push($errors, 'Wrong credentials');
        }
    }
}

?>

答案 1 :(得分:0)

首先,我检查整个哈希是否正确存储在MySQL中。关于password_hash()的官方文档建议varchar(255)。在大多数情况下,如果您尝试INSERT大于列大小的哈希字符串,MySQL不会抱怨。它只会执行静默截断并继续INSERT

如果正确插入了密码哈希,则原始代码包含SQL查询:

SELECT * FROM users WHERE username='$username' and password='$password' LIMIT 1

应该有用。