PHP password login gets the password from user input and the stored password, but does not verify

Tags: php, tsql, passwords

I have PHP that pulls the correct login data, and also the password the user entered; both of these are hashed. When using password_verify it shows false. Error reporting returns no errors. I can't seem to understand why it doesn't work.

The stored password is: $2y$10$pah82g8RHELhYP/MJEGNcuOFeg6u60.NUTigLSxrezhMMCAc7jvSi

The user password hash is: $2y$10$gd9GsmfchKKLwPX1jG.6YEVUGZGSLTLG7TFCW3WSKLXBW6GTBXXXE

Verification returns: bool(false)

For now, SQL injection doesn't matter; this is purely about getting the verification right. Once that works, I'll worry about injection. The PHP version is the latest. The database is SQL Server T-SQL.

Edit 1 ------

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
//Defining variables
$usernameErr = $passErr = "";
$username = $password = "";

$loginBool = true;

// Error check the username
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["username"])) {
        $usernameErr = "Please enter a Username";
        $loginBool = false;
    } else {
        $username = $_POST["username"];
        if (!preg_match("/^[\w-_+]*$/", $username)) {
            $usernameErr = "Only letters numbers and hyphens allowed";
            $loginBool = false;
        }
        //Setting session variable
        else {
            $_SESSION["User"] = $username;
        }

    }
    //Error checking the password
        if(empty($_POST["password"])) {
            $passErr = "Please Enter a password";
            $loginBool = false;
        } 
        else {
            //Check if password has correct characters
            if (!preg_match("/^[a-zA-Z0-9]*$/", $password)) {
                $passErr = "Password is not in correct format" ;
                $loginBool = false;
            }
            else {
                $hashed_pass = password_hash($password, PASSWORD_BCRYPT);
            }
        }
         //if no errors present, connect to and check user
        if($loginBool == true) {
            $server = 'sql.rde.hull.ac.uk';
            $connectionInfo = array("Database"=>"rde_556278");
            $conn = sqlsrv_connect($server, $connectionInfo);
            $SelectQuery = "SELECT Username FROM Users WHERE Username = ?";

            //Initialize params and prepare statement
            $params = array($username);
            $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
            if($results === false) {
                die (print_r(sqlsrv_errors(), true));
            }
            else {
                while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {

                    $rowCount = sqlsrv_num_rows($results);
                    if ($rowCount != 1) {

                    }
                    else {
                        $SelectQuery = "SELECT Pass FROM UserInfo WHERE Username = ?";
                         $params = array($username);
                         $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
                        if($results === false) {
                            die (print_r(sqlsrv_errors(), true));
                        }
                        else {
                            while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {

                                $rowCount = sqlsrv_num_rows($results);
                                $storedPass = $row['Pass'];
                                echo "Stored Password is " . $storedPass . "<br><br>";
                                echo "User password is " . $hashed_pass;
                            }
                            $verification = password_verify($hashed_pass, $storedPass);
                            echo "<br><br>";
                            var_dump($verification);
                        }
                    }
                }
            }
        }
}
?>
As per the comments, the reformatted code still returns false on verification.

Edit 2 ----------

        if($loginBool == true) {
            $server = 'sql.rde.hull.ac.uk';
            $connectionInfo = array("Database"=>"rde_556278");
            $conn = sqlsrv_connect($server, $connectionInfo);
            $SelectQuery = "SELECT Username, Pass FROM UserInfo WHERE Username = ?";

            //Initialize params and prepare statement
            $params = array($username);
            $results = sqlsrv_query($conn, $SelectQuery, $params, array("Scrollable" => "buffered"));
            if($results === false) {
                die (print_r(sqlsrv_errors(), true));
            }
            else {
                while ($row = sqlsrv_fetch_array($results, SQLSRV_FETCH_ASSOC)) {
                    $user = $row['Username'];
                    $PassFromDatabase = $row['Pass'];
                    echo $user . "<br><br>";
                    echo $PassFromDatabase;

                    $rowCount = sqlsrv_num_rows($results);
                    if ($rowCount == 1) {
                        $verified = password_verify($password, $PassFromDatabase);
                        var_dump($verified);
                    }
                }
            }
        }

Changed the code to pull the required data in one go, making it easier to read. The bool still returns false; the hash is pulled from the database correctly, as is the username.

Comments:

Did you leave out the input? Are you passing the input through the password check? Have you verified it manually?

Check the first example function on WritePhonline.com. Is test_input trimming it? At least I think that's what it does?

test_input is a mess. Don't use that. Parameterize your queries. $loginBool = true is an assignment, not a comparison. ^[a-zA-Z0-9-\]*$ could also be ^[\w-]*$; you may want + though.

$loginBool has been fixed, and test_input is now removed. As I said, for now the query won't be parameterized until verification works, since this is only a project. Ah, nvm, now is a good time to learn parameterized queries.
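An added example (not the asker's code) showing why password_verify() returns false when it is handed a freshly computed hash, as in Edit 1, and how the login check should be written: the plaintext from the form goes straight to password_verify(), which reads salt and cost out of the stored hash. The stored hash and the POST data are constructed here; verifyLogin() and the $post array are assumed names standing in for the asker's $_POST handling.

```php
<?php
// Added example, not the asker's code. Stored hash and POST data are constructed.
declare(strict_types=1);

// What registration would store in UserInfo.Pass (constructed here).
$storedHash = password_hash('correcthorse', PASSWORD_BCRYPT);

// Edit 1 hashed the submitted password again and verified *that* hash.
// bcrypt generates a fresh random salt on every call, so two hashes of the
// same password differ, and password_verify() expects the plaintext anyway.
$rehashed = password_hash('correcthorse', PASSWORD_BCRYPT);
echo 'same hash twice?          ', var_export($rehashed === $storedHash, true), PHP_EOL;
echo 'verify(hash, storedHash): ', var_export(password_verify($rehashed, $storedHash), true), PHP_EOL;

// The check as it should be: the plaintext from the form against the stored hash.
// $post stands in for $_POST. The password is taken exactly as typed: no trimming
// and no character whitelist, since either silently changes what gets verified.
function verifyLogin(array $post, string $storedHash): bool
{
    $submitted = $post['password'] ?? '';
    if ($submitted === '') {
        return false;   // missing field: never run the check on an empty string
    }
    return password_verify($submitted, $storedHash);
}

echo 'correct password:        ', var_export(verifyLogin(['password' => 'correcthorse'], $storedHash), true), PHP_EOL;
echo 'wrong password:          ', var_export(verifyLogin(['password' => 'wrong'], $storedHash), true), PHP_EOL;
// In Edit 1, $password was never assigned from $_POST, so this is the case that ran.
echo 'password never assigned: ', var_export(verifyLogin([], $storedHash), true), PHP_EOL;
```

Only the last three lines of output reflect a correct check; the first two show the two ways the Edit 1 comparison could never succeed.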