我正在为我的学校的比赛创建一个项目。我已经正确完成了注册部分。当涉及到登录部分时,我做错了。我尝试在其他许多方面查找问题网站,但找不到它。即使我在函数中输入密码,该函数也会返回false。
我尝试使用password_BCRYPT(从$ _POST ['password']中获得的密码)进行哈希处理,然后使用hash_equals()将其与数据库中的密码进行比较,但是没有用
这是login.php 编辑:我忘了添加register.php和file_db.php。对不起!
<?php
require "file_db.php";
$email= $mysqli->escape_string($_POST['email']);
echo $_POST['email'];
$result= $mysqli->query("SELECT *FROM users WHERE email='$email'");
if($result->num_rows == 0) {
$SESSION['message']="Nu exista niciun utilizator cu acel email";
header("location:error.php");
} else {
$user=$result->fetch_assoc();
$hash=substr($user['password'],0,60);
if(password_verify($_POST['password'],$hash)) {
$_SESSION['email']=$user['email'];
$_SESSION['firstname']=$user['firstname'];
$_SESSION['lastname']=$user['lastname'];
$_SESSION['active']=$user['active'];
$_SESSION['loggedin']=true;
echo $_SESSION['loggedin'];
echo 1;
} else{
$_SESSION['message']="Ai introdus o parola gresita!";
}
}
?>
<?php
require "file_db.php";
$firstname = $mysqli->escape_string($_POST['firstname']);
$lastname = $mysqli->escape_string($_POST['lastname']);
$email = $mysqli->escape_string($_POST['email']);
$password =$mysqli->escape_string(password_hash($_POST['password'],PASSWORD_BCRYPT));
$hash = $mysqli->escape_string(md5(rand(0,1000) ) );
$_SESSION['email']=$_POST['email'];
$_SESSION['firstname']=$_POST['firstname'];
$_SESSION['lastname']=$_POST['lastname'];
$result = $mysqli->query("SELECT * FROM users WHERE email ='$email' ") or die($mysqli->error());
if($result->num_rows > 0)
{
$_SESSION['message']='Exista un utilizator cu acest email deja!';
header("location:error.php");
}
else{
$sql="INSERT INTO users (firstname,lastname,email,password,hash)".
"VALUES('$firstname','$lastname','$email','$password','$hash')";
if( $mysqli->query($sql) )
{
$_SESSION['active']=0;
$_SESSION['message']="Link de confirmare a fost trimis la $email, te rugam sa iti verifici contul accesand link-ul trimis in email!";
$to = $email;
$subject='Account Verification';
$messageb='
Salut'.$firstname.',
Multumim pentru ca te-ai inscris!
Apasa pe acest link pentru a-ti activa contul:
https://localhost/aWEBDEVFII/verify.php?email='.$email.'&hash'.$hash;
mail($to, $subject, $messageb);
header("location:success.php");
}
else{
$_SESSION['message']='Inregistrarea a intampinat o eroare!';
header("location: error.php");
}
}
?>
``````
<?php
session_start();
$host='localhost';
$user='root';
$pass='';
$db='filesdb';
$mysqli= new mysqli($host,$user,$pass,$db) or die($mysqli->error);
?>
答案 0 :(得分:0)
首先,为什么要将substr()
函数应用于散列密码
substr()
函数用于从字符串的指定位置等处剪切字符串的一部分。
如果要检查输入密码的长度,应使用strlen()
如果密码长度超过60,则向用户返回一条消息
if (strlen($password)<60) {
echo "less than 60";
}
else
if (strlen($password)>40) {
echo "more than 60";
}
else {
echo "exactly 60";
}
要使用password_verify()
,您应该能够在注册过程中首先对用户密码进行哈希处理
通过password_hash()
函数。例如
$password ='nancymore12344444';
$options = array("cost"=>4);
$hashPassword = password_hash($password,PASSWORD_BCRYPT,$options);
同样,这将是您的登录脚本中的问题,因为我没有看到您是否通过session_start()初始化会话
请尝试下面的代码,同时确保已放置数据库凭据和所有表列。你会没事的
所以您的注册php看起来像
<?php
//require "file_db.php";
$conn = mysqli_connect("localhost","root","","demo");
if(!$conn){
die("Connection error: " . mysqli_connect_error());
}
if(isset($_POST['submit'])){
$firstName = mysqli_real_escape_string($conn,$_POST['first_name']);
$surName = mysqli_real_escape_string($conn,$_POST['surname']);
$email = mysqli_real_escape_string($conn,$_POST['email']);
$password = mysqli_real_escape_string($conn,$_POST['password']);
$options = array("cost"=>4);
$hashPassword = password_hash($password,PASSWORD_BCRYPT,$options);
$sql = "insert into users (first_name, last_name,email, password) value('".$firstName."', '".$surName."', '".$email."','".$hashPassword."')";
$result = mysqli_query($conn, $sql);
if($result)
{
echo "Registration successfully";
}
}
?>
您的登录名
<?php
//require "file_db.php";
$conn = mysqli_connect("localhost","root","","demo");
if(!$conn){
die("Connection error: " . mysqli_connect_error());
}
if(isset($_POST['submit'])){
$email = mysqli_real_escape_string($conn,$_POST['email']);
$password = mysqli_real_escape_string($conn,$_POST['password']);
$sql = "select * from users where email = '".$email."'";
$rs = mysqli_query($conn,$sql);
$numRows = mysqli_num_rows($rs);
if($numRows == 1){
$row = mysqli_fetch_assoc($rs);
if(password_verify($password,$row['password'])){
echo "Password verified and ok";
// initialize session if things where ok.
session_start();
session_regenerate_id();
$_SESSION['surname'] = $row['surname'];
$_SESSION['first_name'] = $row['first_name'];
$_SESSION['email'] = $row['email'];
// take me to welcome.php page
header('Location: welcome.php');
}
else{
echo "Wrong Password details";
}
}
else{
echo "User does not exist";
}
}
?>