PHP password_hash(),password_verify()

我的注册脚本接受用户的密码,然后使用PHP的password_hash函数对密码进行加密,然后将其放入数据库中。当我使用刚刚创建的用户登录时,出现了检查密码是否相同的错误。就我而言,不是。在登录脚本中调用password_verify函数时,我在做什么错?


寄存器


if($_SERVER["REQUEST_METHOD"] == "POST"){

    function secure($data){

        $data = trim($data);

        $data = stripslashes($data);

        $data = htmlspecialchars($data);

        return($data);

    }


    $p_num = secure($_POST["p_number"]);

    $first_name = secure($_POST["first_name"]);

    $last_name = secure($_POST["last_name"]);

    $email = secure($_POST["email"]);

    $password = secure($_POST["pw"]);

    $verify_password = secure($_POST["pw_verify"]);

    $program = secure($_POST["program"]);

    $role = secure($_POST["role"]);

    $logged_in = 0;

    $registered = 0;

    $image = "../images/profile_placeholder.png";


    if($password != $verify_password){

        echo "Nope.  Passwords";

    }

    else{

        $registered = 1;

        $password = password_hash($password, PASSWORD_DEFAULT);

        $insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `image`, `email`, `program`, `role`, `logged_in`, `registered`) VALUES('" .$p_num ."', '" .$first_name ."', '" .$last_name ."', '" .$password ."', '" .$image ."', '" .$email ."', '" .$program ."', '" .$role ."', '" .$logged_in ."', '" .$registered ."')";

        $query = mysqli_query($connect, $insert);

        echo "Success!";

    }

}

这是我执行var_dump时得到的:


string(1) "1" string(16) "$2y$10$0aysCso3b"

很明显,密码没有匹配在一起。因此,在注册脚本上,密码被散列并发送到数据库。然后,当用户登录时,登录脚本会查看用户输入的登录密码,然后使用password_verify将其与数据库中的哈希密码进行比较。但是,哈希密码不接受未哈希的密码作为匹配项。我不明白的是,为什么?


慕哥6287543
浏览 922回答 3
3回答

暮色呼如

朋友,因为我们使用唯一的用户名登录,因此我们必须仅使用用户名从数据库中获取密码/数据。例:<?php&nbsp; &nbsp; $connect = mysqli_connect($localhost, $username, $pwd, $database) or die("Opps some thing went wrong");&nbsp; &nbsp; if (isset($_POST['submit'])) {&nbsp; &nbsp; &nbsp; extract($_POST);&nbsp; &nbsp; &nbsp;// Get Old Password from Database which is having unique userName&nbsp; &nbsp; &nbsp;$sqlQuery = mysqli_query($connect, "select * from loginTable where User='$username'");&nbsp; &nbsp; &nbsp;$res = mysqli_fetch_array($sqlQuery);&nbsp; &nbsp; &nbsp;$current_password = $res['userPassword'];&nbsp; &nbsp; &nbsp;if (password_verify($enteredPassword, $current_password)) {&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; /* If Password is valid!! */&nbsp; &nbsp; &nbsp; &nbsp; $_SESSION['id'] = $res['id'];&nbsp; &nbsp; &nbsp; &nbsp; header("location: home.php");&nbsp; &nbsp; &nbsp;}&nbsp; &nbsp; &nbsp;else {&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; /* If Invalid password Entered */&nbsp; &nbsp; &nbsp; &nbsp; $alt = "Login Failed! Wrong user ID or Password";&nbsp; &nbsp; &nbsp; &nbsp; header("location: index.php?m=$alt");&nbsp; &nbsp; &nbsp;}&nbsp; }?>它正在为我工作...我正在从数据库中获取密码,并使用PHP API与输入的密码进行比较,即password_verify($ enteredPassword,$ current_password)

缥缈止盈

您让我检查数据库字段长度是正确的。不是255,那是打破它的原因。非常感谢您帮助我解决这个问题。我也在研究准备好的语句,我习惯于手动阻止SQL注入,直到最近我才听说过它们,到目前为止,我发现它们非常简单。再次感谢您的帮助。
打开App,查看更多内容
随时随地看视频慕课网APP