我正在实施password_verify作为登录页面的一部分。
我已经开始使用纯文本来测试它所做的一切,然后使用password_hash在注册页面上使用哈希密码,然后在登录页面上添加password_verify。
密码正在成功散列,我已通过PHPMyAdmin检查过,但我无法让我的代码在注册页面上进行检查。
以下是登录页面上与拉行和测试相关的代码:
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
第4列是数据库中的密码,因此在数组中,密码在数组中应为值3。
我花了很多时间查看它被使用的例子,但没有运气,任何帮助表示赞赏!
完整的PHP代码
<?php
include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
// Initialize a session:
session_start();
$error = array();//this aaray will store all error messages
if (empty($_POST['e-mail'])) {//if the email supplied is empty
$error[] = 'You forgot to enter your Email ';
} else {
if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
$Email = $_POST['e-mail'];
} else {
$error[] = 'Your EMail Address is invalid ';
}
}
if (empty($_POST['Password'])) {
$error[] = 'Please Enter Your Password ';
} else {
$Password = $_POST['Password'];
}
if (empty($error))//if the array is empty , it means no error found
{
$query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";
$result_check_credentials = mysqli_query($dbc, $query_check_credentials);
if(!$result_check_credentials){//If the QUery Failed
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successfull
{ // A match was made.
$row = mysqli_fetch_row($query_check_credentials);
$password = $row[3];
$verify = password_verify($_POST['Password', $password]);
if ($verify) {
$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);//Assign the result of this query to SESSION Global Variable
header("Location: page.php");
}
}else
{
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
} else {
echo '<div class="errormsgbox"> <ol>';
foreach ($error as $key => $values) {
echo ' <li>'.$values.'</li>';
}
echo '</ol></div>';
}
if(isset($msg_error)){
echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);
} // End of the main Submit conditional.
?>
答案 0 :(得分:0)
我假设当你说“第4行是数据库中的密码”时,你实际上指的是列而不是行?为什么还不能在结果中引用实际的fieldname而不是列索引?也就是说,我的猜测是POSTed数据已被urlencoded并且可能包含虚假空格,所以我建议在验证测试之前修剪和url解码POSTed数据。尝试回显这些值以查看您实际获得的数据。
<?php
include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
session_start();
$error = array();
if (empty($_POST['e-mail'])) {
$error[] = 'You forgot to enter your Email ';
} else {
if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
$Email = $_POST['e-mail'];
} else {
$error[] = 'Your EMail Address is invalid ';
}
}
if (empty($_POST['Password'])) {
$error[] = 'Please Enter Your Password ';
} else {
$Password = $_POST['Password'];
}
if ( empty( $error ) ){
$query_check_credentials = "SELECT * FROM `members` WHERE `Email`='$Email' AND `Activation` IS NULL";
$result_check_credentials = mysqli_query( $dbc, $query_check_credentials );
if( !$result_check_credentials ){
echo 'Query Failed ';
}
if (@mysqli_num_rows($result_check_credentials) == 1){
$row = mysqli_fetch_row( $query_check_credentials );
/* is $row[3] definitely fetching the correct value from the db? */
$password = trim( $row[3] );
/* What does password_verify actually do? I guess it's a simple test using === ? */
$verify = password_verify( trim( urldecode( $_POST['Password'] ) ), $password );
/*
$verify = trim( urldecode( $_POST['Password'] ) ) === $password ? true : false;
*/
echo 'Do they match?<br />' . trim( urldecode( $_POST['Password'] ) ) . '<br />' . $password;
if ( $verify ) {
/* ? perhaps a session variable name here ? $_SESSION['dbresults'] */
$_SESSION = mysqli_fetch_array( $result_check_credentials, MYSQLI_ASSOC );
header("Location: page.php");
}
}else {
$msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
}
} else {
echo '<div class="errormsgbox"> <ol>';
foreach ($error as $key => $values) {
echo '<li>'.$values.'</li>';
}
echo '</ol></div>';
}
if(isset($msg_error)){
echo '<div class="warning">'.$msg_error.' </div>';
}
/// var_dump($error);
mysqli_close($dbc);
} // End of the main Submit conditional.
?>
答案 1 :(得分:0)
我没有使用mySQLi所以不确定这些小技巧和窍门,但以下内容可能会有用。显然这不包括你原来的所有代码,但如果用这个创建一个页面并运行它,你应该会看到一些记录返回...
$link = mysqli_connect("localhost", "username", "password", "database");
if ( mysqli_connect_errno() ) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$query = "SELECT * FROM `members` WHERE `Email`='$Email' AND `Activation` IS NULL";
if ($result = mysqli_query($link, $query)) {
while ($row = $result->fetch_assoc()) {
echo $row['password'].' '.trim( urldecode( $_POST['password'] ) ).'<br />';
if( $row['password']===trim( urldecode( $_POST['password'] ) ) ){
echo "--Match!--";
}
}
}
mysqli_close( $link );