我的网页以许多登录页面开头,如果用户没有帐户,则可以注册。我的注册工作,他们输入的用户密码已成功与password_hash进行哈希并发送到数据库。但是,在尝试登录时,password_verify始终返回false。当我最初制作哈希密码时,我想到了一个愚蠢的错误,我回应了我用作password_verify中第二个参数的变量。但是,它与数据库中的哈希完全匹配。可能是什么问题??下面提供了缩短的代码,用于在注册期间创建密码和在登录时检查密码。
创建匆匆密码
<?php
session_start();
require('db_credentials.php');
$inputUsername = $_POST['createUsername'] ? $_POST['createUsername'] : null;
$inputPassword = $_POST['createPassword'] ? $_POST['createPassword'] : null;
$vPassword = $_POST['verifyPassword'] ? $_POST['verifyPassword'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$vPassword = $mysqli->real_escape_string($vPassword);
//create connection
$mysqli = new mysqli($servername, $username, $password, $dbname);
$protectedPassword = password_hash($inputPassword, PASSWORD_DEFAULT);
//Check if the passwords match
if($inputPassword != $vPassword){
echo '<p style = "text-align: center;">Oops!The passwords you input did not match. Please try again.</p>';
session_write_close();
exit;
}
//Check for duplicate username
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = mysqli_query($mysqli, $query);
if(mysqli_num_rows($result) == 1) {
echo '<p style = "text-align: center;">Oops! That Username is already taken. <br>Please try a different one.</p>';
session_write_close();
exit;
}
//Username is not takin and the passwords match
else {
$sql = "INSERT INTO user_info (username, password) VALUES (' ".$inputUsername." ', ' ".$protectedPassword." ')";
echo '<p style = "text-align: center;">Success! You Have Made an Account!</p>';
if($mysqli->query($sql) === TRUE) {
session_write_close();
exit;
}
else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
?>
登录
<?php
require('db_credentials.php');
$inputUsername = $_POST['username'] ? $_POST['username'] : null;
$inputPassword = $_POST['password'] ? $_POST['password'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$mysqli = new mysqli($servername, $username, $password, $dbname);
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = $mysqli->query($query);
//check if username is in database. If it is, do the passwords match?
if($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
echo $row['password'] . "<br>"; //matches hash in database exactly
echo $inputPassword; //matches the password I type in. Which is same I used to sign up.
if(password_verify($inputPassword, $row['password'])){
header("Location: puzzlerMember.php"); //this never happens
exit;
}
}
echo '<p style = "text-align: center;">Oops! Your Username/Password is incorrect. Sign up if you do not have an account.</p>'; //this always happens
exit;
?>
注意:在数据库中,我将密码列设置为VARCHAR(255)。 我看过很多类似的问题,但他们似乎都错误地将数据库中的密码长度误认为太短了。如果他们没有,我尝试了解决方案的最佳答案。我完全不知道出了什么问题。 如果你能提供帮助,我会提前感谢你。
答案 0 :(得分:2)
您正在转发密码,因此会更改密码。不要依赖逃避作为安全措施(这本身就是一种误解),而是使用准备好的陈述。
根据下面的评论,似乎需要澄清:您正在转义密码然后对其进行散列,因此存储在数据库中的内容不是用户通过的内容,因此它永远不会找到用户传递的内容,因此,总是返回false。
相关: Should I mysql_real_escape_string the password entered in the registration form?
更新#1
正如@mario所发现的那样,当您将值传递给它时,您的查询中似乎有空格,它会在您的表中搜索不正确的值。
阅读材料