否则条件不做任何事情

时间:2019-03-19 13:14:27

标签: php mysql mysqli

尝试验证哈希密码,如果输入的密码为true,但不是,则什么也不会发生。
这意味着在'else'之后写的任何内容都不起作用。
代码是这样的:

if (password_verify($password, $hash)) {
        while ($row = $x->fetch_assoc()) {
            $_SESSION['logged_in'] = true;
            $_SESSION['username'] = $username;
            ?>
            <div class="right">You are logged in!</div>
            <script>
                setTimeout(function () {
                    window.location.href = "admin/adminpanel.php";
                }, 2000);
            </script>
            <?php
        }
    } else {
        echo "Wrong"; //Here I tried both echoing something or using html but none of them worked
        ?>
        <div class="wrong">Username or password is invalid</div>
        <?php
    }

更新

这是完整的代码,如果需要的话:
PHP:

 if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);
    $q = "SELECT * FROM users WHERE username='$username'";
    $x = $conn->query($q);
    $hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
    if (password_verify($password, $hash)) {
        while ($row = $x->fetch_assoc()) {
            $_SESSION['logged_in'] = true;
            $_SESSION['username'] = $username;
            ?>
            <div class="right">You are logged in!</div>
            <script>
                setTimeout(function () {
                    window.location.href = "admin/adminpanel.php";
                }, 2000);
            </script>
            <?php
        }
    }  {
        ?>
        <div class="wrong">Username or Password is invalid</div>
        <?php
    }

}

HTML:

<form method="post" autocomplete="off">
            <input name="username" id="username" placeholder="Username" maxlength="20">
            <input name="password" id="password" type="password" placeholder="Password" maxlength="20">
            <input class="loginbutton" type="submit" value="Login">
        </form>

2 个答案:

答案 0 :(得分:0)

现在,您的代码可以成功跟踪。这意味着您一次拥有password_verify($password, $hash) === truewhile ($row = $x->fetch_assoc()) {等于true。

但是对于第二个条件失败$x->fetch_assoc() === false的情况,您什么也不做。然后php会跟随您的if ... else ...语句。

为避免这种情况,我建议删除您的else行。当if { ... }从未发生时,这会将代码流更改为在while之后执行。

}
// else {
    echo "Wrong"; //Here I tried both echoing something or using html but none of them worked
    ?>
    <div class="wrong">Username or password is invalid</div>
    <?php
//}

或者您可以删除while循环。我看不到您在任何地方使用$row

 //while ($row = $x->fetch_assoc()) {
        $_SESSION['logged_in'] = true;
        $_SESSION['username'] = $username;
        ?>
        <div class="right">You are logged in!</div>
        <script>
            setTimeout(function () {
                window.location.href = "admin/adminpanel.php";
            }, 2000);
        </script>
        <?php
    //}

更新,您的代码应更像    (我认为:       -您正在使用mysqli       -用户名在该表中是唯一的       -第password列存储用户密码的哈希    )

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $stmt = $conn->prepare("SELECT `username`, `password` FROM users WHERE username= ?";
    $stmt->bind_param('s', $username);
    $stmt->bind_result($name, $hash);
    if ($stmt->fetch()) {
       if (password_verify($password, $hash)) {
            $_SESSION['logged_in'] = true;
            $_SESSION['username'] = $username;
            ?>
            <div class="right">You are logged in!</div>
            <script>
                setTimeout(function () {
                    window.location.href = "admin/adminpanel.php";
                }, 2000);
            </script>
            <?php
        }
    }  

    ?>
    <div class="wrong">Username or Password is invalid</div>
    <?php    
}

答案 1 :(得分:0)

如果我简化了您所拥有的,并删除了mysqli_escape调用-本质上就是您所剩下的:

<?php
if (
    password_verify(
        $_POST['password'],
        password_hash($_POST['password'], PASSWORD_BCRYPT)
    )
) {
    echo 'Verified';
} else {
    echo 'Not verified.';
}

现在应该始终满足上述条件(仔细观察),并显示“已验证”。

上面的代码中的逻辑有缺陷。

要解决:您要从数据库中检索以前保存的密码的哈希值,然后进行验证(而不是刚刚提交/发布的密码的哈希值)。

上面在逻辑上有缺陷的方法的演示: https://3v4l.org/C88H2