即使密码不正确,我也始终可以登录。
我尝试将if (password_verify($this->concatPasswordWithSalt($password, $salt), $passwordHash))
更改为if ('aaa' === 'bbb')
,但它也返回true ...
以下是一些代码:
function getUser($email, $password)
{
$query = "SELECT name, password, salt FROM user WHERE email = ?";
if ($stmt = $this->con->prepare($query)) {
$stmt->bind_param("s", $email);
$stmt->execute();
$stmt->bind_result($name, $passwordHash, $salt);
if ($stmt->fetch()) {
if (password_verify($this->concatPasswordWithSalt($password, $salt), $passwordHash)) {
return true;
} else {
return false;
}
} else {
return false;
}
$stmt->close();
}
}
function concatPasswordWithSalt($password, $salt)
{
global $random_salt_length;
if ($random_salt_length % 2 == 0) {
$mid = $random_salt_length / 2;
} else {
$mid = ($random_salt_length - 1) / 2;
}
return
substr($salt, 0, $mid - 1) . $password . substr($salt, $mid, $random_salt_length - 1);
}
我使用以下代码将密码哈希插入数据库:
$passwordHash = password_hash($db->concatPasswordWithSalt($password, $salt), PASSWORD_DEFAULT);
function getSalt()
{
global $random_salt_length;
return bin2hex(openssl_random_pseudo_bytes($random_salt_length));
}
修改:
尝试在return false
的末尾添加getUser
,但仍然无法正常工作。所以也许login.php中出了点问题:
if (isset($input['email']) && isset($input['password'])) {
$email = $input['email'];
$password = $input['password'];
if (!$db->getUser($email, $password)) {
$response['status'] = 0;
$response['message'] = "Login successful";
} else {
$response['status'] = 1;
$response['message'] = "Invalid email or password";
}
} else {
$response['status'] = 2;
$response['message'] = "Missing mandatory parameters";
}
答案 0 :(得分:1)
您的问题:
if (!$db->getUser($email, $password)) {
$response['status'] = 0;
$response['message'] = "Login successful";
}
如果getUser
函数返回FALSE
,则表示登录成功。您已在函数前加上!
。