我的PHP登录表单一直显示错误的密码
我的登录表单如下所示:我的PHP登录表单一直显示错误的密码,php,login,Php,Login,我的登录表单如下所示: <form class="form-signin" method="post" id="login-form"> <div id="img_container" class="imgcontainer"> <img src="../images/img_avatar2.png" alt="Avatar" class="avatar"> </div>
<form class="form-signin" method="post" id="login-form">
<div id="img_container" class="imgcontainer">
<img src="../images/img_avatar2.png" alt="Avatar" class="avatar">
</div>
<?php
if(isset($msg)){
echo $msg;
}
?>
<div id="container" class="container">
<label><b>Navn</b></label>
<input type="text" placeholder="Enter E-mail" name="email" required>
<label><b>Password</b></label>
<input type="password" placeholder="Enter Password" name="psw" required>
<button type="submit" name="btn-login" id="btn-login">Login!</button>
<input type="checkbox" checked="checked"> Rember me
<span class="psw"><a href="#">Forgot your passowrd?</a></span>
</div>
</form>
<?php
session_start();
require_once '../db/dbconnect.php';
if (isset($_POST['btn-login'])) {
$email = strip_tags($_POST['email']);
$password = strip_tags($_POST['psw']);
$email = $DBcon->real_escape_string($email);
$password = $DBcon->real_escape_string($password);
$query = $DBcon->query("SELECT user_id, email, psw FROM Users WHERE email='$email'");
$row=$query->fetch_array();
$count = $query->num_rows; // if email/password are correct returns must be 1 row
if (password_verify($password, $row['psw']) && $count==1) {
$_SESSION['userSession'] = $row['user_id'];
header("Location: student.php");
} else {
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> Invalid E-mail or Password !
</div>";
}
$DBcon->close();
}
?>
从
password\u hash()
函数可以生成一些非常长的文本(当前默认值为60个字符),因此现在将字段设置为尽可能大将允许所需的长度。其次,PHP团队正在向该方法添加更多的算法,这意味着散列可以而且将会增长。我们也不想限制用户使用他们选择的密码或密码短语的能力。最好给变化留点余地
此外:在散列之前,请确保或使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。请查看以下代码
session_start();
require_once '../db/dbconnect.php'; //Am assuming u are using PDO
if (isset($_POST['btn-login'])) {
$email = strip_tags($_POST['email']);
$password = $_POST['password'];
$query = "SELECT user_id, email, psw, FROM Users WHERE email = :email";
$queryStat = $DBcon->prepare($query);
$queryStat->execute(['email'=>$email]);
$row = $queryStat->fetch(PDO::FETCH_ASSOC);
$encryptedPassword = $row['psw'];
if (password_verify($password, $encryptedPassword)) { //No need for row count
$_SESSION['userSession'] = $row['user_id'];
header('Location: student.php');
}else{
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> Invalid E-mail or Password !
</div>";
}
}
session_start();
需要_once'../db/dbconnect.php'//我假设你正在使用PDO
如果(isset($_POST['btn-login'])){
$email=strip_标签($_POST['email']);
$password=$_POST['password'];
$query=“从电子邮件=:email的用户中选择用户标识、电子邮件、psw”;
$queryStat=$DBcon->prepare($query);
$queryStat->execute(['email'=>$email]);
$row=$queryStat->fetch(PDO::fetch\U ASSOC);
$encryptedPassword=$row['psw'];
如果(password\u verify($password,$encryptedPassword)){//不需要行计数
$\u SESSION['userSession']=$row['user\u id'];
标题('Location:student.php');
}否则{
$msg=”
无效的电子邮件或密码!
";
}
}
您已打开mysql注入!您需要使用准备好的语句
,real\u escape\u string()
是不够的。我确信这是因为您的密码是散列的,至少我希望如此!您知道最初用来保存密码的散列方法吗?在散列之前,请确保您已经使用了或使用了任何其他清理机制。这样做会更改密码并导致不必要的额外编码。我的哈希方法是:$hashed\u password=password\u hash($upass,password\u DEFAULT);在散列密码之前,您是否以与此处相同的方式清理密码?在验证之前,您正在运行strip\u tags()
和real\u escape\u string()
。如果你在散列和存储密码之前不这么做,密码将永远不会匹配。这对我很有帮助!
session_start();
require_once '../db/dbconnect.php'; //Am assuming u are using PDO
if (isset($_POST['btn-login'])) {
$email = strip_tags($_POST['email']);
$password = $_POST['password'];
$query = "SELECT user_id, email, psw, FROM Users WHERE email = :email";
$queryStat = $DBcon->prepare($query);
$queryStat->execute(['email'=>$email]);
$row = $queryStat->fetch(PDO::FETCH_ASSOC);
$encryptedPassword = $row['psw'];
if (password_verify($password, $encryptedPassword)) { //No need for row count
$_SESSION['userSession'] = $row['user_id'];
header('Location: student.php');
}else{
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> Invalid E-mail or Password !
</div>";
}
}