Fatal编程技术网
  • php/
  • 如何在PHP中修复登录函数

如何在PHP中修复登录函数

php sql

如何在PHP中修复登录函数,php,sql,Php,Sql,我有这段代码,在某人写下用户名和密码后运行,即使我插入了正确的用户名和密码,它也会显示错误的用户名/密码!我已经检查了我是否拼写错误,但没有任何帮助。我是否也要分享我的注册页面的外观/工作方式?有人能帮忙吗 我的代码: mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); if (session_status() == PHP_SESSION_NONE) { session_start(); } // initializin

我有这段代码,在某人写下用户名和密码后运行,即使我插入了正确的用户名和密码,它也会显示错误的用户名/密码!我已经检查了我是否拼写错误,但没有任何帮助。我是否也要分享我的注册页面的外观/工作方式?有人能帮忙吗

我的代码:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (session_status() == PHP_SESSION_NONE) {
  session_start();
}

// initializing variables
# $username = "";
# $password = "";
# $email    = "";
$errors = array(); 
   require("php_db_info.php");

// connect to the database
$connection = @mysqli_connect($servername, $username1, $password, $dbname) or die("Error: Couldn't connect to the database.");
   mysqli_select_db($connection,$dbname);

// LOGIN USER
 if (isset($_POST['login_user'])) {
  $username20 = mysqli_real_escape_string($connection, $_POST['username']);
  $password120 = mysqli_real_escape_string($connection, $_POST['password']);

  if (empty($username20)) {
    array_push($errors, "Username is required");
  }
  if (empty($password120)) {
    array_push($errors, "Password is required");
  }
if (count($errors) == 0) {
  $password_hash = password_hash($password120, PASSWORD_DEFAULT);
 if(password_verify($password120, $password_hash)) {
    $query = "SELECT * FROM users WHERE username='$username20' AND password='$password_hash'";
    $results = mysqli_query($connection, $query);
      if (mysqli_num_rows($results) == 1) {
        $_SESSION['username'] = $username;
        # $_SESSION['password'] = $password;
        $_SESSION['success'] = "You are now logged in";
          $hour = time() + 15 * 24 * 60 * 60;
        setcookie('c_username', $username20, $hour);
        setcookie('c_password', $password_hash, $hour);
        header('location: home.php');
    } else {
      array_push($errors, "Wrong username/password combination!");
  } 
} else {
  array_push($errors, "Unknown Error!");
}
}
}
?>

HTML: 

<?php include('server_login.php') ?>
<?php  include('show_password.js');?>
<!DOCTYPE html>
<html>
<head>
  <title>Log in - Rewardino</title>
  <link rel="stylesheet" type="text/css" href="/css/register3.css">
  <style>
      .modal {
          padding-top: 10%;
      }  
      .error {
  width: 100%; 
  margin: 0px auto; 
  padding: 8px; 
  border: 1px solid #a94442; 
  color: #a94442; 
  background: #f2dede; 
  border-radius: 5px; 
  text-align: left;
      }
  </style>
</head>
<body>
    <?php
    include 'loader.php';
    ?>
  <div class="modal">   
  <form method="post" action="login.php" class="modal-content">
      <div class="container1">
      <h2>Login</h2>
  <hr>
    <?php include('errors.php'); ?><br>
    <div class="input-group">
      <label>Username</label>
      <input placeholder="Username" type="text" name="username">
    </div>
    <div class="input-group">
      <label>Password</label>
      <input placeholder="Password" type="password" name="password">
    </div>
        <div class="row">
            <div class="input-group">
            <div class="col-sm-12">
                 <button type="submit" class="btn signupbtn" name="login_user">Login</button>
            </div>
            </div>
            <p>
        New Member? <a href="register.php">Register</a><br><br>
        <a href="enter_email.php">Forgot your password?</a>
    </p>
            </div>
    </div>
      </form>
    </div>
</body>
</html>

REGISTRATION CODE:

<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();

function getValue1($r) {
    if (!isset($_GET[$r])) {
        return false;
    }
    return $_GET[$r];
}

// initializing variables
$username = "";
$email    = "";
$errors = array(); 
   require("php_db_info.php");

// connect to the database
$connection = mysqli_connect($servername, $username1, $password, $dbname) or die("Error: Couldn't connect to the database.");
   mysqli_select_db($connection,$dbname);

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($connection, $_POST['username']);
  $email = mysqli_real_escape_string($connection, $_POST['email']);
  $password_1 = mysqli_real_escape_string($connection, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($connection, $_POST['password_2']);
  if (getValue1('r')) {
    $r = $_POST['ref'];
}
  if (getValue('r')) {
    $referral = $_GET['ref'];
} else {
      $referral = "-";
  } 
$referral = '-';
  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required."); }
  if (empty($email)) { array_push($errors, "Email is required."); }
  if (empty($password_1)) { array_push($errors, "Password is required."); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match.");
  }
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($connection, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists.");
    }

    if ($user['email'] === $email) {
      array_push($errors, "Email already exists.");
    }
  }

  #$token_verify = substr(uniqid('', true), -100);
  #$sql_verify = "INSERT INTO password_reset(email, token) VALUES ('$email', '$token_verify')";
  #$results_verify = mysqli_query($connection, $sql);

  // Finally, register user if there are no errors in the form
  if(filter_var($email, FILTER_VALIDATE_EMAIL)) {
     if (count($errors) == 0) {
        $password2 = password_hash($password_1, PASSWORD_DEFAULT);
        $query = "INSERT INTO users (username, email, password, coins, alltimecoins, earnedcoins, referralcoins, vouchercoins, paypal, bitcoin, referred_by, deleted, verified) VALUES ('$username', '$email', '$password2', '0', '0', '0', '0', '0', '-', '-', '-', '0', '0')";
        mysqli_query($connection, $query);
        $_SESSION['username'] = $username;
        $_SESSION['success'] = "You are now logged in";
        $hour = time() + 15 * 24 * 60 * 60;
        setcookie('c_username', $username, $hour);
        setcookie('c_password', $password2, $hour);  
        header("Location: home.php");
  }
} else {
  array_push($errors, "The e-mail does not exist.");
}
}
?>
正如我在评论中所说,您使用的密码散列和密码验证函数的方式是错误的

在数据库中使用密码\u散列存储密码时。不要在select的where子句中包含密码

用户每次在表单中输入密码时所散列的哈希值会因每次请求而更改

例如:

echo password_hash("admin",PASSWORD_DEFAULT);
第一次运行上述代码时,它可能会生成:

$2y$10$J2FhQhOYLZ2zdiHad9TNn.HeWZ6ULkh.DjP9EJPN0UtjlUD7GcxHC

当您再次运行相同的代码时,它将为您提供不同的哈希:

$2年$10$RAWCHV0ESD5xOTB6N2R4YOBGTLIP8OQ7mm2/X2ujCchPAs9RkrwC

因此,您需要做的是从数据库中选择密码,然后使用password\u verify验证用户输入的密码与数据库中的密码

其次,在运行有用户输入的查询时,应该始终使用prepared语句

以下是代码的外观: 我将只从您选择的部分开始,我将省略其他代码

<?php
if (isset($_POST['login_user'])) {

    $username20  = isset($_POST['username']) ? $_POST['username'] : null;
    $password120 = isset($_POST['password']) ? $_POST['password'] : null;

    if (empty($username20)) {
        array_push($errors, "Username is required");
    }
    if (empty($password120)) {
        array_push($errors, "Password is required");
    }
    if (count($errors) == 0) {

        // $query = "SELECT * FROM users WHERE username='$username20' AND password='$password_hash'";
        $query = "SELECT userID,password FROM users WHERE username= ? ";

        $stmt = $connection->prepare($query);
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($userID,$password);
        $stmt->store_result();
        if ($stmt->num_rows == 1) //check if the row exists
            {
            if ($stmt->fetch()) //fetching the contents of the row
                {
                //verify user password
                if (password_verify($password120, $password)) {
                    //password_verify("userenteredPassword",PasswordFromDatabase);

                    $_SESSION['username'] = $username;
                    $_SESSION['success']  = "You are now logged in";
                    $hour                 = time() + 15 * 24 * 60 * 60;
                    setcookie('c_username', $username20, $hour);
                    setcookie('c_password', $password, $hour);
                    header('location: home.php');

                } else {

                    array_push($errors, "Password and username does not match");
                }

            }

        } else {

            array_push($errors, "Invalid user account");
        }



    } else {
        array_push($errors, "Unknown Error!");
    }
}

?>
您使用的密码\u验证和密码\u散列错误way@MasivuyeCokile这将显示:未知错误!你能给我们看一下注册码吗?您可能已经输入了mysqli\u real\u escape\u string$connection,$\u POST['password'];这将产生一个不同的散列。顺便说一下,使用参数而不是mysqli\u real\u escape\u string您应该将代码简化为相关部分,以便更容易找到problem@Cid嗯,奇怪。我更改了错误的用户名/密码以显示$password\u散列,并输入了相同的密码5次,每次都输入了不同的散列。太好了,我投票了。我不会告诉用户他输入了错误的用户名或密码,因此潜在的违规行为不会告诉用户存在错误的用户名或密码。我通常只是简单地用一些更广泛的东西发出警告,比如错误凭证致命错误:调用成员函数bind_param onboolean@GlobalAlliance这是因为$stmt=$connection->prepare$query;失败。它返回false。$query=从username=?的用户中选择userID和密码;您的数据库中有用户ID吗?您需要在db@GlobalAllianceFixed中写入精确的列!谢谢你们两位的帮助!