如何在PHP中修复登录函数
我有这段代码,在某人写下用户名和密码后运行,即使我插入了正确的用户名和密码,它也会显示错误的用户名/密码!我已经检查了我是否拼写错误,但没有任何帮助。我是否也要分享我的注册页面的外观/工作方式?有人能帮忙吗 我的代码:如何在PHP中修复登录函数,php,sql,Php,Sql,我有这段代码,在某人写下用户名和密码后运行,即使我插入了正确的用户名和密码,它也会显示错误的用户名/密码!我已经检查了我是否拼写错误,但没有任何帮助。我是否也要分享我的注册页面的外观/工作方式?有人能帮忙吗 我的代码: mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); if (session_status() == PHP_SESSION_NONE) { session_start(); } // initializin
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
// initializing variables
# $username = "";
# $password = "";
# $email = "";
$errors = array();
require("php_db_info.php");
// connect to the database
$connection = @mysqli_connect($servername, $username1, $password, $dbname) or die("Error: Couldn't connect to the database.");
mysqli_select_db($connection,$dbname);
// LOGIN USER
if (isset($_POST['login_user'])) {
$username20 = mysqli_real_escape_string($connection, $_POST['username']);
$password120 = mysqli_real_escape_string($connection, $_POST['password']);
if (empty($username20)) {
array_push($errors, "Username is required");
}
if (empty($password120)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password_hash = password_hash($password120, PASSWORD_DEFAULT);
if(password_verify($password120, $password_hash)) {
$query = "SELECT * FROM users WHERE username='$username20' AND password='$password_hash'";
$results = mysqli_query($connection, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
# $_SESSION['password'] = $password;
$_SESSION['success'] = "You are now logged in";
$hour = time() + 15 * 24 * 60 * 60;
setcookie('c_username', $username20, $hour);
setcookie('c_password', $password_hash, $hour);
header('location: home.php');
} else {
array_push($errors, "Wrong username/password combination!");
}
} else {
array_push($errors, "Unknown Error!");
}
}
}
?>
HTML:
<?php include('server_login.php') ?>
<?php include('show_password.js');?>
<!DOCTYPE html>
<html>
<head>
<title>Log in - Rewardino</title>
<link rel="stylesheet" type="text/css" href="/css/register3.css">
<style>
.modal {
padding-top: 10%;
}
.error {
width: 100%;
margin: 0px auto;
padding: 8px;
border: 1px solid #a94442;
color: #a94442;
background: #f2dede;
border-radius: 5px;
text-align: left;
}
</style>
</head>
<body>
<?php
include 'loader.php';
?>
<div class="modal">
<form method="post" action="login.php" class="modal-content">
<div class="container1">
<h2>Login</h2>
<hr>
<?php include('errors.php'); ?><br>
<div class="input-group">
<label>Username</label>
<input placeholder="Username" type="text" name="username">
</div>
<div class="input-group">
<label>Password</label>
<input placeholder="Password" type="password" name="password">
</div>
<div class="row">
<div class="input-group">
<div class="col-sm-12">
<button type="submit" class="btn signupbtn" name="login_user">Login</button>
</div>
</div>
<p>
New Member? <a href="register.php">Register</a><br><br>
<a href="enter_email.php">Forgot your password?</a>
</p>
</div>
</div>
</form>
</div>
</body>
</html>
REGISTRATION CODE:
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();
function getValue1($r) {
if (!isset($_GET[$r])) {
return false;
}
return $_GET[$r];
}
// initializing variables
$username = "";
$email = "";
$errors = array();
require("php_db_info.php");
// connect to the database
$connection = mysqli_connect($servername, $username1, $password, $dbname) or die("Error: Couldn't connect to the database.");
mysqli_select_db($connection,$dbname);
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($connection, $_POST['username']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password_1 = mysqli_real_escape_string($connection, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($connection, $_POST['password_2']);
if (getValue1('r')) {
$r = $_POST['ref'];
}
if (getValue('r')) {
$referral = $_GET['ref'];
} else {
$referral = "-";
}
$referral = '-';
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($username)) { array_push($errors, "Username is required."); }
if (empty($email)) { array_push($errors, "Email is required."); }
if (empty($password_1)) { array_push($errors, "Password is required."); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match.");
}
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($connection, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists.");
}
if ($user['email'] === $email) {
array_push($errors, "Email already exists.");
}
}
#$token_verify = substr(uniqid('', true), -100);
#$sql_verify = "INSERT INTO password_reset(email, token) VALUES ('$email', '$token_verify')";
#$results_verify = mysqli_query($connection, $sql);
// Finally, register user if there are no errors in the form
if(filter_var($email, FILTER_VALIDATE_EMAIL)) {
if (count($errors) == 0) {
$password2 = password_hash($password_1, PASSWORD_DEFAULT);
$query = "INSERT INTO users (username, email, password, coins, alltimecoins, earnedcoins, referralcoins, vouchercoins, paypal, bitcoin, referred_by, deleted, verified) VALUES ('$username', '$email', '$password2', '0', '0', '0', '0', '0', '-', '-', '-', '0', '0')";
mysqli_query($connection, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
$hour = time() + 15 * 24 * 60 * 60;
setcookie('c_username', $username, $hour);
setcookie('c_password', $password2, $hour);
header("Location: home.php");
}
} else {
array_push($errors, "The e-mail does not exist.");
}
}
?>
正如我在评论中所说,您使用的密码散列和密码验证函数的方式是错误的 在数据库中使用密码\u散列存储密码时。不要在select的where子句中包含密码 用户每次在表单中输入密码时所散列的哈希值会因每次请求而更改 例如:
echo password_hash("admin",PASSWORD_DEFAULT);
第一次运行上述代码时,它可能会生成:
$2y$10$J2FhQhOYLZ2zdiHad9TNn.HeWZ6ULkh.DjP9EJPN0UtjlUD7GcxHC
当您再次运行相同的代码时,它将为您提供不同的哈希:
$2年$10$RAWCHV0ESD5xOTB6N2R4YOBGTLIP8OQ7mm2/X2ujCchPAs9RkrwC
因此,您需要做的是从数据库中选择密码,然后使用password\u verify验证用户输入的密码与数据库中的密码
其次,在运行有用户输入的查询时,应该始终使用prepared语句
以下是代码的外观:
我将只从您选择的部分开始,我将省略其他代码
<?php
if (isset($_POST['login_user'])) {
$username20 = isset($_POST['username']) ? $_POST['username'] : null;
$password120 = isset($_POST['password']) ? $_POST['password'] : null;
if (empty($username20)) {
array_push($errors, "Username is required");
}
if (empty($password120)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
// $query = "SELECT * FROM users WHERE username='$username20' AND password='$password_hash'";
$query = "SELECT userID,password FROM users WHERE username= ? ";
$stmt = $connection->prepare($query);
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($userID,$password);
$stmt->store_result();
if ($stmt->num_rows == 1) //check if the row exists
{
if ($stmt->fetch()) //fetching the contents of the row
{
//verify user password
if (password_verify($password120, $password)) {
//password_verify("userenteredPassword",PasswordFromDatabase);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
$hour = time() + 15 * 24 * 60 * 60;
setcookie('c_username', $username20, $hour);
setcookie('c_password', $password, $hour);
header('location: home.php');
} else {
array_push($errors, "Password and username does not match");
}
}
} else {
array_push($errors, "Invalid user account");
}
} else {
array_push($errors, "Unknown Error!");
}
}
?>
您使用的密码\u验证和密码\u散列错误way@MasivuyeCokile这将显示:未知错误!你能给我们看一下注册码吗?您可能已经输入了mysqli\u real\u escape\u string$connection,$\u POST['password'];这将产生一个不同的散列。顺便说一下,使用参数而不是mysqli\u real\u escape\u string您应该将代码简化为相关部分,以便更容易找到problem@Cid嗯,奇怪。我更改了错误的用户名/密码以显示$password\u散列,并输入了相同的密码5次,每次都输入了不同的散列。太好了,我投票了。我不会告诉用户他输入了错误的用户名或密码,因此潜在的违规行为不会告诉用户存在错误的用户名或密码。我通常只是简单地用一些更广泛的东西发出警告,比如错误凭证致命错误:调用成员函数bind_param onboolean@GlobalAlliance这是因为$stmt=$connection->prepare$query;失败。它返回false。$query=从username=?的用户中选择userID和密码;您的数据库中有用户ID吗?您需要在db@GlobalAllianceFixed中写入精确的列!谢谢你们两位的帮助!