好的,所以我的代码有些棘手,我正在使用password_hash,并且在Register.php页面上可以正常工作,但是当我尝试将其实现为我的代码时,它无法正常工作,因此如果有人将代码重新添加到这里,可以尝试或指导我正确的方向,我应该在编码时做到这一点,但我从来没有。下面的代码
我想实现password_hash和password_verify
if (!($user -> LoggedIn()))
{
if (isset($_POST['logINBoss']))
{
$username = htmlspecialchars($_POST['username']);
$password = htmlspecialchars($_POST['password']);
$errors = array();
if (!ctype_alnum($username) || strlen($username) < 3 || strlen($username) > 15)
{
//$errors[] = 'Username Must Be Alphanumberic And 4-15 characters in length';
}
if (empty($username) || empty($password))
{
$errors[] = '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button><i class="mdi mdi-check-all"></i>Fill in all fields.</div></center>">';
}
$SQL = $odb->prepare("SELECT `status` FROM `users` WHERE `username` = :username");
$SQL->execute(array(':username' => $username));
$status = $SQL->fetchColumn(0);
if($status == 1)
{
$SQL = $odb->prepare("SELECT `reason` FROM `bans` WHERE `username` = :username");
$SQL->execute(array(':username' => $username));
$ban = $SQL->fetchColumn(0);
header('location: banned.php');
}
if (empty($errors))
{
$SQLCheckLogin = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `username` = :username AND `password` = :password");
$SQLCheckLogin -> execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
$countLogin = $SQLCheckLogin -> fetchColumn(0);
if ($countLogin == 1)
{
$SQLGetInfo = $odb -> prepare("SELECT `username`, `ID`, `status` FROM `users` WHERE `username` = :username AND `password` = :password");
$SQLGetInfo -> execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
$userInfo = $SQLGetInfo -> fetch(PDO::FETCH_ASSOC);
if ($countLogin == 1)
{
$logAddr = $odb->prepare("INSERT INTO `login_history` (`username`,`ip`,`date`,`http_agent`) VALUES (:user, :ip, UNIX_TIMESTAMP(NOW()), :agent);");
$logAddr->execute(array( ":user" => $username, ":ip" => $_SERVER['REMOTE_ADDR'], ":agent" => $_SERVER['HTTP_USER_AGENT']));
htmlspecialchars($_SESSION['username'] = $userInfo['username']);
htmlspecialchars($_SESSION['ID'] = $userInfo['ID']);
echo '<center><div class="sufee-alert alert with-close alert-success alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button><i class="mdi mdi-check-all"></i>Login Successful!</div></center><meta http-equiv="refresh" content="1;url=index.php">';
}
else
{
echo '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button><i class="mdi mdi-check-all"></i>You are Banned!</div></center>';
}
}
else
{
echo '<center><div class="sufee-alert alert with-close alert-warning alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button><i class="mdi mdi-check-all"></i>Login Failed!</div></center>';
}
}
else
{
echo '<div class="alert alert-danger"><p><strong>ERROR:</strong><br />';
foreach($errors as $error)
{
echo '-'.htmlspecialchars_decode($error).'<br />';
}
echo '</div>';
}
}
}
答案 0 :(得分:1)
从数据库中获取用户时,请按用户名(不按用户名和密码)进行搜索。
从数据库中检索到哈希之后,请勿使用password_hash,因为它将为您提供不同的哈希!最好使用password_verify:http://php.net/manual/en/function.password-verify.php
通过这种方式可以验证密码,这就是password_verify存在的原因,因为password_hash会加盐以更好地保护密码,并且即使使用相同的纯文本也可以提供不同的哈希值。