我使用php password_hash http://php.net/manual/en/function.password-hash.php来创建我的密码。并使用password_verify http://php.net/manual/en/function.password-verify.php来检查密码。
问题当我尝试验证我的密码时,它允许登录时不存在的用户名和密码,但阻止正确的用户名和密码?
出于某种原因,它又回到了前面?不确定为什么?
问题如何确保使用php password_verfiy验证不正确的用户名和密码
模型功能
public function login($username, $password) {
$this->db->where('username', $username);
$this->db->where('password', $this->validate_password($password));
$query = $this->db->get($this->db->dbprefix . 'user');
if ($query->num_rows() > 0) {
return true;
} else {
return false;
}
}
public function validate_password($password) {
if (password_verify($password, $this->stored_hash())) {
return true;
} else {
return false;
}
}
public function stored_hash() {
$this->db->where('username', $this->input->post('username'));
$query = $this->db->get($this->db->dbprefix . 'user');
if ($query->num_rows() > 0) {
$row = $query->row();
return $row->password;
} else {
return false;
}
}
控制器登录
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
class Login extends CI_Controller {
public function __construct() {
parent::__construct();
$this->lang->load('common/login', 'english');
$this->load->model('common/model_login');
$this->load->library('form_validation');
}
public function index() {
$data['title'] = $this->lang->line('heading_title');
$this->form_validation->set_rules('username', 'Username', 'trim|required');
$this->form_validation->set_rules('password', 'Password', 'required|callback_validate_user');
if ($this->form_validation->run() == FALSE) {
$data['template'] = 'common/login_view';
$this->load->view('common/template_view', $data);
} else {
redirect('common/dashboard');
}
}
public function validate_user() {
$username = $this->input->post('username');
$password = $this->input->post('password');
$result = $this->model_login->login($username, $password);
if ($result) {
$data = array(
'is_logged' => true,
'username' => $this->input->post('username')
);
$this->session->set_userdata($data);
} else {
$this->form_validation->set_message('validate_user', $this->lang->line('error_login'));
return false;
}
}
}
答案 0 :(得分:2)
问题在于您的validate_password
功能,因为此功能会返回TRUE
或FALSE
。如果密码匹配,则需要返回$password
public function validate_password($password) {
if (password_verify($password, $this->stored_hash())) {
return $password;// return password here
} else {
return false;
}
}
更改您的login function
,因为您已在validate_password()函数
function login($username, $password) {
if ($this->validate_password($password)) {
$this->db->where('username', $username);
$query = $this->db->get($this->db->dbprefix . 'user');
if ($query->num_rows() > 0) {
return true;
} else {
return false;
}
} else {
return FALSE;
}
}