sli*_*sct 4 php mysql password-hash
我已经更新了代码,脚本仍然返回"失败".信息.我必须遗漏一些东西,我已经听取了每个人的意见.那或者我只是愚蠢的大声笑!这是更新的代码:
require('../connect.php');
$username = $_POST['username-sign-in'];
$password = $_POST['password-sign-in'];
if true then exit() for {
empty($username);
empty($password);
}
if (isset($username, $password)) {
$getuser = $connection->prepare('SELECT `username`, `password`
FROM `users` WHERE `username` = ?');
$getuser->bind_param('s', $username);
$getuser->execute();
$userdata = $getuser->get_result();
$row = $userdata->fetch_array(MYSQLI_ASSOC);
echo 'Password from form: ' . $password . '<br />';
echo 'Password from DB: ' . $row['password'] . '<br />';
if (password_verify($password, $row['password'])) {
echo 'Success.';
exit();
}
else {
echo 'Fail.';
exit();
}
}
else {
echo 'Please enter your username and password.';
$connection->close();
exit();
}
signup.php
require('../connect.php');
$ip = $_SERVER['REMOTE_ADDR'];
$username = $_POST['username-sign-up'];
$password = $_POST['password-sign-up'];
$hashedpassword = password_hash($_POST['password-sign-up'],
PASSWORD_BCRYPT, ['cost' => 12]);
$email = strtolower($_POST['email-sign-up']);
if true then exit() for {
empty($username)
empty($password)
empty($email)
!filter_var($email, FILTER_VALIDATE_EMAIL)
strlen($username) < 2 || strlen($username) > 32
strlen($password) < 6 || strlen($password) > 32
}
$usernameandemailcheck = $connection->prepare('SELECT `username`, `email`
FROM `users` WHERE `username` = ? AND `email` = ?');
$usernameandemailcheck->bind_param('ss', $username, $email);
$usernameandemailcheck->execute();
$result = $usernameandemailcheck->get_result();
$row = $result->fetch_array(MYSQLI_ASSOC);
// .. Username and email validation
if (isset($username, $hashedpassword, $email)) {
// Create and send mail
$query = $connection->prepare('INSERT INTO users (`ip`, `username`,
`password`, `email`) VALUES (?, ?, ?, ?)');
$query->bind_param('ssss', $ip, $username, $hashedpassword, $email);
$query->execute();
// SUCCESS
}
else {
// FAILURE
}
Mik*_*ant 22
您不能对输入进行哈希处理,然后在数据库中对其进行查询,因为哈希每次都会使用不同的随机盐.因此,您可以将相同的密码散列一千次并获得1000个不同的结果.
您只需要在DB中查询与用户名相关的记录,然后将DB返回的密码哈希与输入密码进行比较password_verify().
此外,当最初在创建密码(使用password_hash())时将哈希写入数据库时,无需转义哈希. password_hash()在密码验证过程中根本不使用.
快速浏览一下功能,看来您可能以错误的方式进行了测试。
您应该将密码的散列版本存储在数据库中,然后将其与通过$ _POST提供的密码进行比较。
$getuser = $connection->prepare('SELECT `password`
FROM `users` WHERE `username` = ?');
$getuser->bind_param('s', $username);
$getuser->execute();
$userdata = $getuser->get_result();
$row = $userdata->fetch_array(MYSQLI_ASSOC);
echo 'Password from form: ' . $hashedpassword . '<br />';
echo 'Password from DB: ' . $row['password'] . '<br />';
if (password_verify($password, $row['password'])) {
// $password being $_POST['password-sign-in']
// $row['password'] being the hashed password saved in the database
echo 'Success.';
exit();
} else {
echo 'Fail.';
exit();
}
您是否尝试过更改单引号,例如':
$getuser = $connection->prepare('SELECT `username`, `password` FROM `users` WHERE `username` = ? AND `password` = ?');
$getuser->bind_param('ss', $username, $hashedpassword);
像这样的双引号"
$getuser = $connection->prepare("SELECT `username`, `password` FROM `users` WHERE `username` = ? AND `password` = ?");
$getuser->bind_param("ss", $username, $hashedpassword);
另外,你为什么要匹配password?也许这适用于您的测试用例:
$getuser = $connection->prepare("SELECT `username`, `password` FROM `users` WHERE `username` = ?");
$getuser->bind_param("s", $username);
编辑此外,当您进行检查时,您实际上是对密码进行了双重哈希处理:
if (password_verify($row['password'], $hashedpassword)) {
只需这样做:
if (password_verify($password, $row['password'])) {
问题是password_verify语法如下:
boolean password_verify ( string $password , string $hash )
您需要在第一个参数中发送纯文本/非哈希密码,然后将哈希值放在第二个参数中。试试看。