gpt4 book ai didi

PHP password_verify() 不适用于数据库

转载 作者:搜寻专家 更新时间:2023-10-30 23:45:52 26 4
gpt4 key购买 nike

我正在制作一个登录和注册系统。该系统可以正常工作,所以现在我必须为数据库存储的散列密码添加安全性。但是,当我从数据库中检索散列密码并将其与用户输入的密码进行比较时,它不起作用。

    <?php
session_start(); //start the session for user profile page

define('DB_HOST','localhost');
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password

$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());

/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
$user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
$pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
//$user = $_POST['user'];
//$pass = $_POST['pass'];
if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
$query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
$row = mysqli_fetch_array($query); //or die(mysqli_error($con));
$username = $row['userName'];
$pw = $row['pass'];//hashed password in database
//check username and password hash
echo $pw; //THIS PRINTS OUT NOTHING!!!
if($user==$username && password_verify($pass, $pw)) {
// $user and $pass are from POST
// $username and $pw are from the rows

//$_SESSION['userName'] = $row['pass'];
echo "Successfully logged in.";
}

else {
echo "Invalid.";
}
}
else{
echo "INVALID LOGIN";
}
}

if(isset($_POST['submit'])){
SignIn($con);
}
?>

所以当我尝试比较输入的文本密码和数据库中的散列密码时,上面的代码将回显“无效”。由于某些未知原因,echo $pw 没有打印出任何内容。

这是注册 php 脚本:

<?php
//Connection Config
define('DB_HOST','localhost');
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password
$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error());
//Registration
function Register($con){
if(isset($_POST['user']) && isset($_POST['pass'])){
$username = $_POST['user'];
$email = $_POST['email'];
$password = $_POST['pass'];

//Hashing of password
$hpassword = password_hash($password, PASSWORD_DEFAULT);
$query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

if($query){
//Query successful
echo "User has been created successfully";
}else{
echo "Error1";
}
}else{
echo "Error2";
}
}

if(isset($_POST['submit'])){
Register($con);
}
?>

我已确保该列是 varchar(255) 并且足够长。有谁知道为什么验证失败?谢谢!

注意:密码散列后,我计划添加 SQL 注入(inject)防御。

最佳答案

您正在插入散列密码,这很好。但是在登录时,您将 POST 字符串中的版本与数据库中的散列版本进行比较。从逻辑上讲,它们不会相同。你应该改变:

SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'"

进入

SELECT * FROM UserName where userName = '$_POST[user]'

事实上,您应该在所有地方添加针对 SQL 注入(inject)的保护。最好对每个选择、插入、更新、删除等以及您在这些语句中使用的每个值使用准备好的语句。

关于PHP password_verify() 不适用于数据库,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28729759/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com