I have PHP that pulls the correct login data, together with the password the user entered, both of which are hashed. When I use password_verify() it shows false. Error reporting returns no errors. I can't seem to find why it isn't working.
Stored password: $2y$10$pah82g8RHELhYP/MJEGNcuOFeg6u60.NUTigLSxrezhMMCAc7jvSi
User password hash: $2y$10$gd9GsmfchKKLwPX1jG.6YevuGZgSltLG7tfCW3WSklxBW6GTBxkxe
Verification returns: bool(false)
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

// Defining variables
$usernameErr = $passErr = "";
$username = $password = "";
$loginBool = true;

// Error check the username
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["username"])) {
        $usernameErr = "Please enter a Username";
        $loginBool = false;
    } else {
        $username = test_input($_POST["username"]);
        // check if username only contains valid characters
        if (!preg_match("/^[a-zA-Z0-9-_]*$/", $username)) {
            $usernameErr = "Only letters numbers and hyphens allowed";
            $loginBool = false;
        }
        $_SESSION["User"] = $username;
    }

    // Error check the password
    if (empty($_POST["password"])) {
        $passErr = "Please Enter a password";
        $loginBool = false;
    } else {
        $password = test_input($_POST["password"]);
        // Check if password has correct characters
        if (!preg_match("/^[a-zA-Z0-9]*$/", $password)) {
            $passErr = "Password is not in correct format";
            $loginBool = false;
        }
        $password = hash_pass($password);
    }

    // Connecting to server if no errors present
    if ($loginBool = true) {
        $server = 'sql.rde.hull.ac.uk';
        $connectionInfo = array("Database" => "rde_556278");
        $conn = sqlsrv_connect($server, $connectionInfo);
        // Query
        $describeQuery = "SELECT Username FROM Users WHERE Username = '$username';";
        $results = sqlsrv_query($conn, $describeQuery, array(), array("Scrollable" => "buffered"));
        // Checking if result is returned
        $rowCount = sqlsrv_num_rows($results);
        if ($rowCount === false) {
            echo "error";
        }
        // checking only one result is returned
        else {
            if ($rowCount == 1) {
                // Selecting password
                $describeQuery = "SELECT Pass FROM UserInfo WHERE Username = '$username'";
                $results = sqlsrv_query($conn, $describeQuery, array(), array("Scrollable" => "buffered"));
                // Checking if result is returned
                $rowCount = sqlsrv_num_rows($results);
                if ($rowCount === false) {
                    echo "error";
                } else {
                    $rowCount = sqlsrv_num_rows($results);
                    if ($rowCount === false) {
                        echo "error";
                    } else {
                        if ($rowCount == 1) {
                            while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {
                                $storedPass = $row['Pass'];
                            }
                            echo $storedPass;
                            echo "<br>" . $password;
                            $verification = password_verify($password, $storedPass);
                            echo "<br>";
                            var_dump($verification);
                        }
                    }
                }
            } else {
                $usernameErr = "User Not Found";
            }
        }
    } else {
    }
}

// sanitizing data simple
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// hashing the pass
function hash_pass($hashed_pass) {
    $hashed_pass = password_hash($hashed_pass, PASSWORD_BCRYPT);
    return $hashed_pass;
}
?>
For now, SQL injection is not the issue; this is purely about getting the verification right. Once that works, I'll worry about injection. The PHP version is the latest. The database is SQL Server (T-SQL).
Edit 1 ------------
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

// Defining variables
$usernameErr = $passErr = "";
$username = $password = "";
$loginBool = true;

// Error check the username
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["username"])) {
        $usernameErr = "Please enter a Username";
        $loginBool = false;
    } else {
        $username = $_POST["username"];
        if (!preg_match("/^[\w-_+]*$/", $username)) {
            $usernameErr = "Only letters numbers and hyphens allowed";
            $loginBool = false;
        }
        // Setting session variable
        else {
            $_SESSION["User"] = $username;
        }
    }

    // Error checking the password
    if (empty($_POST["password"])) {
        $passErr = "Please Enter a password";
        $loginBool = false;
    } else {
        // Check if password has correct characters
        if (!preg_match("/^[a-zA-Z0-9]*$/", $password)) {
            $passErr = "Password is not in correct format";
            $loginBool = false;
        } else {
            $hashed_pass = password_hash($password, PASSWORD_BCRYPT);
        }
    }

    // if no errors present, connect to and check user
    if ($loginBool == true) {
        $server = 'sql.rde.hull.ac.uk';
        $connectionInfo = array("Database" => "rde_556278");
        $conn = sqlsrv_connect($server, $connectionInfo);
        $SelectQuery = "SELECT Username FROM Users WHERE Username = ?";
        // Initialize params and prepare statement
        $params = array($username);
        $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
        if ($results === false) {
            die(print_r(sqlsrv_errors(), true));
        } else {
            while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {
                $rowCount = sqlsrv_num_rows($results);
                if ($rowCount != 1) {
                } else {
                    $SelectQuery = "SELECT Pass FROM UserInfo WHERE Username = ?";
                    $params = array($username);
                    $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
                    if ($results === false) {
                        die(print_r(sqlsrv_errors(), true));
                    } else {
                        while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {
                            $rowCount = sqlsrv_num_rows($results);
                            $storedPass = $row['Pass'];
                            echo "Stored Password is " . $storedPass . "<br><br>";
                            echo "User password is " . $hashed_pass;
                        }
                        $verification = password_verify($hashed_pass, $storedPass);
                        echo "<br><br>";
                        var_dump($verification);
                    }
                }
            }
        }
    }
}
?>
Following the comments, the reformatted code still returns false on verification.
Edit 2 -------------------
if ($loginBool == true) {
    $server = 'sql.rde.hull.ac.uk';
    $connectionInfo = array("Database" => "rde_556278");
    $conn = sqlsrv_connect($server, $connectionInfo);
    $SelectQuery = "SELECT Username, Pass FROM UserInfo WHERE Username = ?";
    // Initialize params and prepare statement
    $params = array($username);
    $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
    if ($results === false) {
        die(print_r(sqlsrv_errors(), true));
    } else {
        while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {
            $user = $row['Username'];
            $PassFromDatabase = $row['Pass'];
            echo $user . "<br><br>";
            echo $PassFromDatabase;
            $rowCount = sqlsrv_num_rows($results);
            if ($rowCount == 1) {
                $verified = password_verify($password, $PassFromDatabase);
                var_dump($verified);
            }
        }
    }
}
Changed the code to pull the needed data in one query, which makes it easier to read. The bool still returns false; the hash from the database and the username are pulled correctly.
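The following is an added example, not the asker's code, showing the contract of password_verify(): its first argument must be the plain-text password as submitted, and its second the hash retrieved from storage. Hashing the submission again before verifying (as the question's hash_pass()/password_hash() step does) can never match, because bcrypt generates a fresh random salt on every call and embeds it in the output, so two hashes of the same password are different strings. The example runs offline with no database; the "stored" hash is constructed at run time to stand in for the Pass column, and the function names (registerUser, checkLogin, checkLoginWrong) are assumptions for illustration.

```php
<?php
// Added example, not part of the original question: how password_verify()
// is meant to be called, and why verifying a re-hashed password fails.

declare(strict_types=1);

// Stand-in for what registration stores in the Pass column. Constructed here
// at run time; bcrypt picks a random salt each call, so the result differs
// from run to run even for the same password.
function registerUser(string $plainPassword): string
{
    return password_hash($plainPassword, PASSWORD_BCRYPT);
}

// Correct login check: the user's plain-text submission against the stored
// hash. password_verify() reads the salt and cost out of the stored hash,
// recomputes the hash of the submission with them, and compares in constant time.
function checkLogin(string $submittedPassword, string $storedHash): bool
{
    return password_verify($submittedPassword, $storedHash);
}

// The pattern from the question: hash the submission first, then hand that
// new hash to password_verify(). The new hash has its own random salt, so it
// is just a 60-character string that does not equal the original password.
function checkLoginWrong(string $submittedPassword, string $storedHash): bool
{
    $rehashed = password_hash($submittedPassword, PASSWORD_BCRYPT);
    return password_verify($rehashed, $storedHash);
}

// Demonstration with a constructed password.
$storedHash = registerUser('Correct1Horse');

echo "Stored hash:                 ", $storedHash, PHP_EOL;
echo "Right password, plain text:  ";
var_dump(checkLogin('Correct1Horse', $storedHash));
echo "Wrong password, plain text:  ";
var_dump(checkLogin('wrongpassword', $storedHash));
echo "Right password, re-hashed:   ";
var_dump(checkLoginWrong('Correct1Horse', $storedHash));

// Two hashes of the same password are never identical strings, which is also
// why comparing hashes with == or === is not a substitute for password_verify().
echo "Two hashes of same password identical? ";
var_dump(registerUser('Correct1Horse') === registerUser('Correct1Horse'));
```

Running this prints true only for the plain-text check with the right password; the wrong password, the re-hashed right password, and the string comparison of two fresh hashes all print false. In the question's flow that means the value passed to password_verify() should be the raw $_POST["password"] (after whatever validation is wanted), with password_hash() used only when the account is created or the password is changed, never on the login path.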