Php 密码\u验证不断返回false
好的,我的一个页面上有密码散列 我想知道如何将密码\u验证应用于以下代码: 函数selectUser($conn、$username、$password) { 我自己也试过了,这让我很困惑 多谢各位 还得到了这个:Php 密码\u验证不断返回false,php,mysql,Php,Mysql,好的,我的一个页面上有密码散列 我想知道如何将密码\u验证应用于以下代码: 函数selectUser($conn、$username、$password) { 我自己也试过了,这让我很困惑 多谢各位 还得到了这个: if(!isset($_POST["Login"])) { header("Location:new-user.php"); } $username=trim($_POST['username']); $password=$_POS
if(!isset($_POST["Login"]))
{
header("Location:new-user.php");
}
$username=trim($_POST['username']);
$password=$_POST['password'];
$username= htmlspecialchars($username);
$validForm = true;
if (empty($_POST["username"]))
{
$validForm=false;
}
if (empty($_POST["password"]))
{
$validForm=false;
}
if (!$validForm) {
$error = "please ensure all fields are filled in";
include("add.php");
return false;
}
$conn=getConn();
$successLogin=selectUser($conn,$username,$password);
if($successLogin)
{
header( "Location: search.php" );
}else{
$error = "The details you have entered are incorrect";
include("add.php");
}
$conn=NULL; //close the connection
更新 也尝试过这个:知道这不起作用,用echo语句测试,但仍然没有运气
function hash_input() {
$password = "sfafgsd";
return $password = password_hash($_POST['password'], PASSWORD_BCRYPT);
}
function selectUser($conn, $username, $password)
{
$query = "SELECT password FROM login WHERE username = :username";
$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
$stmt->execute();
echo $username . " " . $password;
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
echo "WE MADE IT";
if(password_verify(hash_input($password), $row['password'])){
$_SESSION['username'] = $username;
echo "Welcome, you are now logged in as " . $username;
return true;
}
//echo "Your details were not found";
sleep(1);
return false;
}
else
{
//echo "Your details were not found";
return false;
}
}
马克给出的评论完全涵盖了以下内容 事件顺序:
- 将用户名发送到数据库并从找到的行中收集哈希密码
- 运行通过
给出的密码字符串,与散列值进行比较password\u verify
- 返回此结果(
/true
)false
- 庆祝一下,喝杯咖啡或茶
$\u会话
密码数据,这是个坏主意。密码数据(哈希或明文)不应保留在此函数调用之后。如果出于某种原因需要将nonce值与此帐户/成员资格/登录关联,则应使用数据库中其自身列中的随机字符串设置此值
改进的功能代码
function selectUser($conn, $username, $password)
{
$query = "SELECT password FROM login WHERE username = :username LIMIT 1";
$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
// $stmt->bindValue(':password', $password); NO Don't do this.
$stmt->execute();
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
if(password_verify($password,$row['password'])){
$_SESSION['username'] = $username;
// $_SESSION['password'] = $password; DO NOT DO THIS
echo "Welcome, you are now logged in as " . $username;
return true;
}
//bad password
//echo "Your details were not found";
sleep(1); // it can be a good idea to add a forced pause on
// password fail to discourage brute force cracking.
return false;
}
//echo "Your details were not found";
return false;
}
您可以仅根据用户名检索登录记录,然后使用密码\u验证将用户输入的明文密码与从登录记录检索的哈希值进行比较。如何将其与用户输入的内容进行比较?首先更改数据库查询:
$query=“选择用户名,来自登录的密码其中用户名=:用户名”;您不知道数据库中存储的密码值,因此无法使用它检索正确的行
然后在获取$row时,可以使用password\u verify():if(password\u verify($password,$row['password'])进行测试
试一试,但运气不佳。不断带回因某些奇怪原因似乎不起作用的错误,不断返回false@JamesGreen请更新您的问题,并在最后附加函数的代码用法;使用错误日志
输出变量的内容。如果您有其他编码错误,也请检查日志在apache服务器上,看不到anything@JamesGreen有特定的PHP错误日志。通常您希望按原样查找这些日志。这也可能对您有所帮助。请同时显示您调用selectUser
函数的代码。
function selectUser($conn, $username, $password)
{
$query = "SELECT password FROM login WHERE username = :username LIMIT 1";
$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
// $stmt->bindValue(':password', $password); NO Don't do this.
$stmt->execute();
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
if(password_verify($password,$row['password'])){
$_SESSION['username'] = $username;
// $_SESSION['password'] = $password; DO NOT DO THIS
echo "Welcome, you are now logged in as " . $username;
return true;
}
//bad password
//echo "Your details were not found";
sleep(1); // it can be a good idea to add a forced pause on
// password fail to discourage brute force cracking.
return false;
}
//echo "Your details were not found";
return false;
}