尝试验证哈希密码,如果输入的密码为true,但不是,则什么也不会发生。
这意味着在'else'之后写的任何内容都不起作用。
代码是这样的:
if (password_verify($password, $hash)) {
while ($row = $x->fetch_assoc()) {
$_SESSION['logged_in'] = true;
$_SESSION['username'] = $username;
?>
<div class="right">You are logged in!</div>
<script>
setTimeout(function () {
window.location.href = "admin/adminpanel.php";
}, 2000);
</script>
<?php
}
} else {
echo "Wrong"; //Here I tried both echoing something or using html but none of them worked
?>
<div class="wrong">Username or password is invalid</div>
<?php
}
更新
这是完整的代码,如果需要的话:
PHP:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$q = "SELECT * FROM users WHERE username='$username'";
$x = $conn->query($q);
$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
if (password_verify($password, $hash)) {
while ($row = $x->fetch_assoc()) {
$_SESSION['logged_in'] = true;
$_SESSION['username'] = $username;
?>
<div class="right">You are logged in!</div>
<script>
setTimeout(function () {
window.location.href = "admin/adminpanel.php";
}, 2000);
</script>
<?php
}
} {
?>
<div class="wrong">Username or Password is invalid</div>
<?php
}
}
HTML:
<form method="post" autocomplete="off">
<input name="username" id="username" placeholder="Username" maxlength="20">
<input name="password" id="password" type="password" placeholder="Password" maxlength="20">
<input class="loginbutton" type="submit" value="Login">
</form>
答案 0 :(得分:0)
现在,您的代码可以成功跟踪。这意味着您一次拥有password_verify($password, $hash) === true
和while ($row = $x->fetch_assoc()) {
等于true。
但是对于第二个条件失败$x->fetch_assoc() === false
的情况,您什么也不做。然后php会跟随您的if ... else ...
语句。
为避免这种情况,我建议删除您的else
行。当if { ... }
从未发生时,这会将代码流更改为在while
之后执行。
}
// else {
echo "Wrong"; //Here I tried both echoing something or using html but none of them worked
?>
<div class="wrong">Username or password is invalid</div>
<?php
//}
或者您可以删除while
循环。我看不到您在任何地方使用$row
。
//while ($row = $x->fetch_assoc()) {
$_SESSION['logged_in'] = true;
$_SESSION['username'] = $username;
?>
<div class="right">You are logged in!</div>
<script>
setTimeout(function () {
window.location.href = "admin/adminpanel.php";
}, 2000);
</script>
<?php
//}
更新,您的代码应更像
(我认为:
-您正在使用mysqli
-用户名在该表中是唯一的
-第password
列存储用户密码的哈希
)
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = $_POST['username'];
$password = $_POST['password'];
$stmt = $conn->prepare("SELECT `username`, `password` FROM users WHERE username= ?";
$stmt->bind_param('s', $username);
$stmt->bind_result($name, $hash);
if ($stmt->fetch()) {
if (password_verify($password, $hash)) {
$_SESSION['logged_in'] = true;
$_SESSION['username'] = $username;
?>
<div class="right">You are logged in!</div>
<script>
setTimeout(function () {
window.location.href = "admin/adminpanel.php";
}, 2000);
</script>
<?php
}
}
?>
<div class="wrong">Username or Password is invalid</div>
<?php
}
答案 1 :(得分:0)
如果我简化了您所拥有的,并删除了mysqli_escape调用-本质上就是您所剩下的:
<?php
if (
password_verify(
$_POST['password'],
password_hash($_POST['password'], PASSWORD_BCRYPT)
)
) {
echo 'Verified';
} else {
echo 'Not verified.';
}
现在应该始终满足上述条件(仔细观察),并显示“已验证”。
上面的代码中的逻辑有缺陷。
要解决:您要从数据库中检索以前保存的密码的哈希值,然后进行验证(而不是刚刚提交/发布的密码的哈希值)。
上面在逻辑上有缺陷的方法的演示: https://3v4l.org/C88H2