我做了一个简单的登录系统。每当使用 password_hash()算法对用户登录密码进行哈希处理并将其发送到数据库时。但是登录页面通过散列处理将输入密码与数据库哈希密码不匹配。
例如:
用户名= john&密码= doe
在上面的示例中,“ doe”被散列并发送到数据库和登录页面 不使用密码“ doe”登录用户,用户可以直接使用哈希密码登录。
我的代码如下所示:
signup.php
<?php
date_default_timezone_set('Asia/Kathmandu');
$time = date("h:i:s");
$date = date("Y-d-m");
$con = mysqli_connect("localhost", "root", "", "classic") or DIE("Error!");
if(isset($_POST['submit'])){
$fname=mysqli_real_escape_string($con, $_POST['fname']);
$lname=mysqli_real_escape_string($con,$_POST['lname']);
$uname=mysqli_real_escape_string($con,$_POST['uname']);
$psw=mysqli_real_escape_string($con,$_POST['psw']);
$email=mysqli_real_escape_string($con,$_POST['email']);
$dob=mysqli_real_escape_string($con,$_POST['dob']);
$pswhash = password_hash("$psw", PASSWORD_DEFAULT);
$unique_email = "SELECT * FROM `users` where email='$email'";
$unique_emailresult = mysqli_query($con, $unique_email);
if(mysqli_num_rows($unique_emailresult)>0)
{
echo "Email already exist, try different Email.";
header("refresh:2; url=http:../signup");
}
else{
$unique_user = "SELECT * FROM `users` where username='$uname'";
$unique_userresult = mysqli_query($con, $unique_user);
if(mysqli_num_rows($unique_userresult)>0)
{
echo "Username already exist, try different username.";
header("refresh:2; url=http:../signup");
}
else{
$sql= "INSERT INTO users (firstname, lastname, username, password, email, dob, joindate, jointime) VALUES ('$fname','$lname','$uname','$pswhash','$email', '$dob', '$date', '$time')";
$result=mysqli_query($con, $sql);
if(!$result)
{
die("Error:");
}
echo"New account created successfully, Please Login.";
header("refresh:2; url=http:../login.php");
}
}
}
else{
header("refresh:0; url=http:../login.php");
}
?>
login.php
<?php
session_start();
if(isset($_SESSION['user'])){
header("location:index.php");
}
include_once('Db/dbconnect.php');
#user verification starts
if(isset($_POST['login'])){
$uname = mysqli_real_escape_string($con, $_POST['uname']);
$email = mysqli_real_escape_string($con, $_POST['uname']);
$psw = mysqli_real_escape_string($con, $_POST['psw']);
$sql="SELECT * FROM users WHERE (username='$uname' OR email='$uname') AND password='$psw'";
$result= mysqli_query($con,$sql) or die(mysqli_errno());
$trws= mysqli_num_rows($result);
if($trws==1){
$rws= mysqli_fetch_array($result);
$_SESSION['user']=1;
$_SESSION['username']=$rws['username'];
$_SESSION['password']=$rws['password'];
header("location:index.php?username=$uname&request=login&status=success");
}
else{
echo"Username and password does not matched";
}
}
?>
答案 0 :(得分:4)
当您第一次对密码进行哈希处理(用户注册时)时,会将结果哈希存储在数据库中。
$hash_pass = password_hash($_POST['password'], PASSWORD_DEFAULT);
$sql = "INSERT INTO users (id, full_name, email, password, username, sign_up_date, activated) VALUES ('', '$full_name', '$email', '$hash_pass', '$username', '$date', '1')";
第二次(当他们再次尝试登录时),您尝试登录,只需从数据库WHERE email ='{$ _POST ['email']}获取哈希值,然后使用password_verify函数:
if (!password_verify($_POST['login_password'], $hash_from_database)) { exit; }
答案 1 :(得分:3)
下面是password_verify()函数,这是您要找到的功能,只需传递第一个变量(该变量是用户输入的登录名),第二个变量是您在注册时存储的哈希密码,此函数将为您提供{{ 1}}响应。
bool您可以从下面的链接查看此功能的更多详细信息。 http://php.net/manual/en/function.password-verify.php
答案 2 :(得分:2)
要获取并匹配保存的哈希密码和用户登录密码:
在登录文件中替换该部分:
$sql="SELECT * FROM users WHERE (username='$uname' OR email='$uname') AND password='$psw'";
$result= mysqli_query($con,$sql) or die(mysqli_errno());
$trws= mysqli_num_rows($result);
if($trws==1){
$rws= mysqli_fetch_array($result);
$_SESSION['user']=1;
$_SESSION['username']=$rws['username'];
$_SESSION['password']=$rws['password'];
header("location:index.php?username=$uname&request=login&status=success");
}
else{
echo"Username and password does not matched";
}
使用:
//Select user data based on email/username.
$sql="SELECT * FROM users WHERE (username='$uname' OR email='$uname')";
$result= mysqli_query($con,$sql) or die(mysqli_errno());
$trws= mysqli_num_rows($result);
if($trws==1){
$rws= mysqli_fetch_array($result);
//Verify the hashed password and the username login password.
if( password_verify($psw, $rws['password']) ){
$_SESSION['user']=1;
$_SESSION['username']=$rws['username'];
$_SESSION['password']=$rws['password'];
header("location:index.php?username=$uname&request=login&status=success");
}
}
else{
echo"Username and password does not matched";
}