Codeigniter登录验证不正确的用户名&密码

时间:2015-06-27 07:26:18

标签: codeigniter

我使用php password_hash http://php.net/manual/en/function.password-hash.php来创建我的密码。并使用password_verify http://php.net/manual/en/function.password-verify.php来检查密码。

问题当我尝试验证我的密码时,它允许登录时不存在的用户名和密码,但阻止正确的用户名和密码?

出于某种原因,它又回到了前面?不确定为什么?

问题如何确保使用php password_verfiy验证不正确的用户名和密码

模型功能

public function login($username, $password) {
    $this->db->where('username', $username);
    $this->db->where('password', $this->validate_password($password));
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        return true;
    } else {
        return false;
    }
}

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return true;
    } else {
        return false;
    }
}

public function stored_hash() {
    $this->db->where('username', $this->input->post('username')); 
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        $row = $query->row();
        return $row->password;
    } else {
        return false;
    }
}

控制器登录 

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller {

public function __construct() {
    parent::__construct();
    $this->lang->load('common/login', 'english');
    $this->load->model('common/model_login');
    $this->load->library('form_validation');
}

public function index() {
    $data['title'] = $this->lang->line('heading_title');

    $this->form_validation->set_rules('username', 'Username', 'trim|required');
    $this->form_validation->set_rules('password', 'Password', 'required|callback_validate_user');

    if ($this->form_validation->run() == FALSE) {

        $data['template'] = 'common/login_view';
        $this->load->view('common/template_view', $data);

    } else {

        redirect('common/dashboard');
    }
}

public function validate_user() {
    $username = $this->input->post('username');
    $password = $this->input->post('password');

    $result = $this->model_login->login($username, $password);

    if ($result) {

        $data = array(
            'is_logged' => true,
            'username' => $this->input->post('username')
        );  

        $this->session->set_userdata($data);

    } else {

        $this->form_validation->set_message('validate_user', $this->lang->line('error_login'));
        return false;
    }
}

}

1 个答案:

答案 0 :(得分:2)

问题在于您的validate_password功能,因为此功能会返回TRUEFALSE。如果密码匹配,则需要返回$password 

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return $password;// return password here
    } else {
        return false;
    }
}

更改您的login function,因为您已在validate_password()函数

中匹配了您的密码 
function login($username, $password) {

    if ($this->validate_password($password)) {
        $this->db->where('username', $username);
        $query = $this->db->get($this->db->dbprefix . 'user');

        if ($query->num_rows() > 0) {
            return true;
        } else {
            return false;
        }
    } else {
        return FALSE;
    }
}
相关问题
最新问题