gpt4 book ai didi

php - password_verify 不断带回假

转载 作者:行者123 更新时间:2023-11-29 05:57:49 26 4
gpt4 key购买 nike

好的,我已经在我的一个页面上使用了 password_hash。

我想知道如何将 password_verify 应用于以下代码:

函数 selectUser($conn, $username, $password){

$query = "SELECT username, password FROM login WHERE password = :password AND username = :username";

$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
$stmt->bindValue(':password', $password);
$stmt->execute();


if ($row = $stmt->fetch()) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
echo "Welcome, you are now logged in as " . $username;
return true;
}

else {
//echo "Your details were not found";
return false;
}

我自己试过了,它让我很困惑。

谢谢

还有这个:

if(!isset($_POST["Login"]))
{
header("Location:new-user.php");
}


$username=trim($_POST['username']);
$password=$_POST['password'];

$username= htmlspecialchars($username);
$validForm = true;

if (empty($_POST["username"]))
{
$validForm=false;
}
if (empty($_POST["password"]))
{
$validForm=false;
}
if (!$validForm) {

$error = "please ensure all fields are filled in";
include("add.php");
return false;

}


$conn=getConn();
$successLogin=selectUser($conn,$username,$password);
if($successLogin)
{
header( "Location: search.php" );
}else{
$error = "The details you have entered are incorrect";
include("add.php");
}

$conn=NULL; //close the connection

更新

也试过这个:知道这不起作用,用 echo 语句测试但仍然没有运气

function hash_input() {

$password = "sfafgsd";

return $password = password_hash($_POST['password'], PASSWORD_BCRYPT);
}



function selectUser($conn, $username, $password)
{
$query = "SELECT password FROM login WHERE username = :username";
$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
$stmt->execute();
echo $username . " " . $password;
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
echo "WE MADE IT";
if(password_verify(hash_input($password), $row['password'])){
$_SESSION['username'] = $username;
echo "Welcome, you are now logged in as " . $username;
return true;
}

//echo "Your details were not found";
sleep(1);
return false;
}
else
{
//echo "Your details were not found";
return false;
}
}

最佳答案

Mark 给出的评论完全涵盖了以下内容。

事件顺序:

  • 将用户名发送到数据库并从找到的行中收集散列 密码。
  • 运行通过password_verify给出的密码字符串与散列值进行比较
  • 返回此结果(true/false)。
  • 庆祝。喝杯咖啡或茶。

不需要 $_SESSION 密码数据,这是个坏主意。密码数据(散列或明文)不应保留在此函数调用之外。如果您出于某种原因确实需要有一个与此帐户/成员(member)资格/登录关联的随机数值,那么应该使用数据库中它自己的列中的随机字符串来设置它。

改进的函数代码

function selectUser($conn, $username, $password)
{
$query = "SELECT password FROM login WHERE username = :username LIMIT 1";
$stmt = $conn->prepare($query);
$stmt->bindValue(':username', $username);
// $stmt->bindValue(':password', $password); NO Don't do this.
$stmt->execute();

if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
if(password_verify($password,$row['password'])){
$_SESSION['username'] = $username;
// $_SESSION['password'] = $password; DO NOT DO THIS
echo "Welcome, you are now logged in as " . $username;
return true;
}
//bad password
//echo "Your details were not found";
sleep(1); // it can be a good idea to add a forced pause on
// password fail to discourage brute force cracking.
return false;
}
//echo "Your details were not found";
return false;
}

关于php - password_verify 不断带回假,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47717683/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com