我搜索了大约1个小时,以使这个小代码段正常工作,但是我没有找到错误,该方法总是给我一个错误。我尝试将数据库中的哈希与“哈希”一起使用,但它也无法正常工作。
注册:
$username = mysqli_real_escape_string($cxn, strip_tags(trim($_POST['txtUsername'])));
$password_1 = mysqli_real_escape_string($cxn, strip_tags($_POST['pwd1']));
$password_2 = mysqli_real_escape_string($cxn, strip_tags($_POST['pwd2']));
if(empty($password_1)) {
array_push($errors, "Password is required");
} else if(strlen($password_1) < 8) {
array_push($errors, "Password must be at least 8 characters long");
}
if($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
if(count($errors) == 0) {
$hash = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO user (Username,Passwort)
VALUES ('$username','$hash')";
mysqli_query($cxn, $query) or die("Order failed(register)." . mysqli_error($cxn));
在datebase中,密码为:varchar(255)。
登录:
$username = mysqli_real_escape_string($cxn, trim($_POST['txtUsername']));
$password = mysqli_real_escape_string($cxn, $_POST['pwd1']);
if(empty($username)) {
array_push($errors, "Username is required");
}
if(empty($password)) {
array_push($errors, "Password is required");
}
if((count($errors) == 0)) {
$sql = "SELECT Username FROM user WHERE Username='$username'";
$result = mysqli_query($cxn, $sql) or die("Could not execute query(Username)!");
$num = mysqli_num_rows($result);
if($num > 0) { //Login-Name wurde gefunden
$sql = "SELECT Passwort FROM user WHERE Username='$username' LIMIT 1";
$result = mysqli_query($cxn, $sql) or die("Could not execute query(Password)!");
$dsatz = mysqli_fetch_assoc($result);
$hash = $dsatz['Passwort'];
if(password_verify($password, $hash)) {
echo "success"
} else {
array_push($errors, "False or password");
}
答案 0 :(得分:-1)
在您的注册代码中,password_hash的密码未定义$ password,只需将$ password更改为对密码进行哈希处理的$ password_1
$username = mysqli_real_escape_string($cxn, strip_tags(trim($_POST['txtUsername'])));
$password_1 = $_POST['pwd1'];
$password_2 = $_POST['pwd2'];
if (empty($password_1)) {array_push($errors,"Password is required");}
else if(strlen($password_1) <8 ){array_push($errors,"Password must be at least 8 characters long");}
if ($password_1 != $password_2) {array_push($errors, "The two passwords do not match");}
if(count($errors) == 0){
$hash = password_hash($password_1, PASSWORD_DEFAULT);
$query = "INSERT INTO user (Username,Passwort)
VALUES ('$username','$hash')";
mysqli_query($cxn,$query)or die ("Order failed(register).".mysqli_error($cxn));
如果您的用户在密码中使用了“ <”,它也会被strip_tags函数分隔。 Use html Purifier
正如Jay所说,您不应在密码上使用mysqli_real_escape_string,因为它会转义分隔符,而应仅对用户提供的内容进行哈希处理并将其存储在数据库中。用户将记住他作为密码写的内容,而不是您清理过的密码
而且您的第二个文件包含一些错误,无需为“密码”运行相同的查询
$username = mysqli_real_escape_string($cxn, trim($_POST['txtUsername']));
$password = $_POST['pwd1']; // don't escape passwords
if(empty($username)) {
array_push($errors, "Username is required");
}
if(empty($password)) {
array_push($errors, "Password is required");
}
if((count($errors) == 0)) {
$sql = "SELECT Passwort,Username FROM user WHERE Username='$username'";//fetch username and password once
$result = mysqli_query($cxn, $sql) or die("Could not execute query(Username)!");
$num = mysqli_num_rows($result);
if($num > 0) { //Login-Name wurde gefunden
$dsatz = mysqli_fetch_assoc($result);
$hash = $dsatz['Passwort'];
if(password_verify($password, $hash)) {
echo "success";
} else {
array_push($errors, "False or password");
}
}