PHP验证哈希密码在我的功能中不起作用

时间:2019-05-04 06:32:54

标签: php function mysqli postman

我正在尝试为我的网站创建一个API,为此我已经为此创建了一个函数。但是该功能无法使用POST功能在POSTMAN中验证我的密码。我一生无法理解自己哪里出了问题。

使用php哈希函数放置数据库中的密码:

    $password =password_hash($pass, PASSWORD_DEFAULT);                      

public function userLogin($username, $password){
    $stmt = $this->con->prepare("SELECT password FROM farms WHERE farmname = ? ");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $hash = $row['password'];
    if (password_verify($hash, $password)) {
        return $stmt->num_rows > 0; 
    }
}

Login.php文件

require_once '../includes/DbOperations.php';
$response = array();

if($_SERVER['REQUEST_METHOD']=='POST'){
    if(isset($_POST['username']) and isset($_POST['password'])){

        $db = new DbOperations(); 

        if($db->userLogin($_POST['username'], ($_POST['password']))){
            $user = $db->getUserByUsername($_POST['username']);
            $response['error'] = false; 
            $response['username'] = $user['farmname'];
        }else{
            $response['error'] = true; 
            $response['message'] = "Invalid username or password";          
        }
    }else{
        $response['error'] = true; 
        $response['message'] = "Required fields are missing";
    }
}

echo json_encode($response);

我没有得到用户名,而是不断收到错误消息:

  

{“错误”:true,“消息”:“无效的用户名或密码”}

3 个答案:

答案 0 :(得分:4)

交换参数:

if (password_verify($password,$hash)) {

答案 1 :(得分:2)

我认为userLogin函数应该返回一个值(true / false),而不管密码是否匹配,以便if / else逻辑起作用。由于password_verify的返回值为true或false,因此可以简单地返回。

public function userLogin($username, $password){
    $sql='select `password` from `farms` where `farmname` = ?'
    $stmt=$this->con->prepare( $sql );

    if( !$stmt )return false;
    $stmt->bind_param( 's', $username );

    $res=$stmt->execute();
    if( !$res )return false;

    $stmt->store_result();
    $stmt->bind_result( $pwd );
    $stmt->fetch();
    $stmt->free_result();
    $stmt->close();

    return password_verify( $password, $pwd );
}

-

曾经在车库里忙碌,但根据我数据库中的数据迅速整理了上述功能的一些演示。

<?php
    if( $_SERVER['REQUEST_METHOD']=='POST' ){


        $dbhost =   'localhost';
        $dbuser =   'root'; 
        $dbpwd  =   'xxx'; 
        $dbname =   'experiments';
        $db     =   new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );

        /* 
            the class from which userLogin originates was unknown so I guessed
            and made an ultra basic representation of what it might be.
        */
        class user{
            private $con;

            public function __construct( $con ){
                $this->con=$con;
            }

            public function userLogin($username, $password){
                $sql='select `password` from `farms` where `farmname` = ?';

                /*
                    as I do not have a table `farms` I chose another
                    table that has a hashed password column to test against.
                */
                $sql='select `hashpwd` from `users` where `username`=?';
                $stmt=$this->con->prepare( $sql );

                if( !$stmt )return false;
                $stmt->bind_param( 's', $username );

                $res=$stmt->execute();
                if( !$res )return false;

                $stmt->store_result();
                $stmt->bind_result( $pwd );
                $stmt->fetch();
                $stmt->free_result();
                $stmt->close();

                return password_verify( $password, $pwd );
            }       
        }//end class


        /* instantiate the class with the db as an argument */
        $user=new user( $db );

        /* capture POST vars */
        $username=filter_input( INPUT_POST,'username',FILTER_SANITIZE_STRING );
        $password=filter_input( INPUT_POST,'password',FILTER_SANITIZE_STRING );

        /* test if the password was OK or not... */
        if( $user->userLogin($username,$password) ){
            echo "OK";
        } else {
            echo "Bogus";
        }
        exit();
    }
?>
<!DOCTYPE html>
<html lang='en'>
    <head>
        <meta charset='utf-8' />
        <title>Farm - Form - mySQLi</title>
    </head>
    <body>
        <form method='post'>
            <input type='text' name='username' />
            <input type='password' name='password' />
            <input type='submit' />
        </form>
    </body>
</html>

毫不奇怪,结果是"OK"表示该功能按预期工作。因此,总而言之,我建议问题出在其他地方

答案 2 :(得分:0)

我认为您的函数在if之后需要else语句

例如:

if (password_verify($hash, $password)) {
        return $stmt->num_rows > 0; 
    }
else{}