PHP登录无错误,但哈希时密码不相等
我在注册时加密我的密码,我想创建一个检查密码的登录页面。我将用户在登录页面中写入的密码进行散列,并检查它是否与数据库中的密码相同 但当我在登录页面中散列真实密码时,它并不等于数据库中的密码。在这种情况下,SQL注入或其他安全问题并不重要。我搜索太多了,但我不能解决这个问题。谁能帮帮我吗 login.phpPHP登录无错误,但哈希时密码不相等,php,sql,database,web,hash,Php,Sql,Database,Web,Hash,我在注册时加密我的密码,我想创建一个检查密码的登录页面。我将用户在登录页面中写入的密码进行散列,并检查它是否与数据库中的密码相同 但当我在登录页面中散列真实密码时,它并不等于数据库中的密码。在这种情况下,SQL注入或其他安全问题并不重要。我搜索太多了,但我不能解决这个问题。谁能帮帮我吗 login.php <?php include_once "connection.php"; if (isset($_POST['submit'])) { // <- Code will r
<?php
include_once "connection.php";
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$pa = $_POST['password'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)
$pas = "SELECT pass FROM studenttable WHERE nickname='$username'";
$result = mysqli_query($con, $pas) or die("Error: ".mysqli_error($con)); // assign the return value of mysqli_query to $res
echo "mysqli_query successed <br>";
if($result === FALSE) {
die(mysql_error()); // TODO: better error handling
}else{
if(mysqli_num_rows($result) != 0){
while ($row = $result->fetch_assoc()) {
$pass = $row['pass'];
echo "pass is = $pass <br>";
}
echo "pass: $pass ----------------- password: $password <br>";
if(password_verify($pa , $pass)){
echo "login successfully";
echo "password: $pa ................. pass: $pass <br>";
}
else {
echo "pa: $pa ------------ pass: $pass<br>";
echo "wrong password";
//header('Location: logindif.html');
}
}
}
}}
?>
<?php
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked
// Here the database is included. No need for mysqli_select_db
$conn = new mysqli('localhost', 'root', '123456', 'inputdatabase');
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
session_start();
$_SESSION['user'] = 'username';
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)
// Its always good to prepare your sql statements.
$prep = $conn->prepare("INSERT INTO studenttable (nickname, pass) VALUES (?,?)");
$stmt = $conn->prepare("SELECT nickname FROM studenttable WHERE nickname=?");
$stmt->bind_param("s", $username);
$sameuser= mysqli_real_escape_string($conn, $_POST['username']);
if (!empty($username)) {
$result=mysqli_query($con,$stmt);
$mostrar = $result->num_rows;
if($mostrar==0){
$prep->bind_param("ss", $username, $password);
$send = $prep->execute();
if ($send === TRUE) {
echo "New record created successfully"; //<-- You won't get to see this because of the next line.
header('Location: index.php');
exit();
} else {
echo "Error: " . $conn->error;
header('Location: signupsqlerror.html');
exit();
}
}else {
header('Location: signupdif.html');
exit();
}
}
$prep->close();
$conn->close();
}
?>
您的数据库密码列不够长,正在截断值:
因此,建议将结果存储在可扩展到60个字符以上的数据库列中(最好选择255个字符)
您需要一个至少60个字符长的列,最好是255个字符,以便将来进行校对
不幸的是,在45个字符的列中插入60个字符的字符串不会引起任何错误,它只会切掉散列的最后一部分。登录时不要对密码进行散列。。。。使用password\u验证表单上输入的明文值和从数据库中检索到的散列值$password=password\u散列($\u POST['password'],password\u默认值)登录时该行的意义是什么?如果没有名为$pa
、$pas
、$pass
和$password
的变量,这段代码可能更容易理解。因为我花了很多精力$pa、$pas、$pass都在那里。对不起。我在登录时删除$password\u散列。但是密码仍然是假的。当我在注册中加密密码时,我应该使用salt吗?我将db pass varchar大小更改为60,并看到登录成功密码。非常感谢你。