MySqli登录系统 - 在验证哈希密码时遇到麻烦

时间:2016-07-13 00:09:41

标签: php mysqli

我一直试图解决这个问题好几天了。出于某种原因,每当我尝试使用它时,密码都是错误的。我认为这可能是一个数据库问题,但我已经显示了数据库中的哈希密码。我希望我能解决这个问题。(我知道我可以简化其中的一些,但我希望能够将所有内容都布置好,以便我可以想象它。)

的login.php              

    session_start();

    $output = NULL;

    function sanitize($conn, $val){
        $val = stripslashes($val);
        $val = mysqli_real_escape_string($conn, $val);
    }

    //Checks if user is already logged in
    if(!isset($_SESSION['loggedin'])){

    ?>

        <form method="POST">

            Email: <input type=TEXT name="email"><br>

            Password: <input type=PASSWORD name="password"><br>

            <input type="SUBMIT" name="submit" value="Log In"><br>

        </form>

    <?php

    }else{

    echo "You are already loged in!";

    }

    //Check Form
    if(isset($_POST['submit'])){

        //Connect to DB
        include "core/database/dbConnect.php";

        //Takes information out of feilds
        $email = $_POST['email'];
        $password = $_POST['password'];

        //sanitize input
        sanitize($conn, $email);
        sanitize($conn, $password);

        //Check if form is filled out
        if(empty($email) || empty($password)){
            $output = "Please enter all fields!";

        }else{

            $query = "SELECT * FROM users WHERE email ='$email'";
            $result = mysqli_query($conn, $query);
            $count = mysqli_num_rows($result);


            $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
            $hash = $row['password'];

            $passwordsMatch = password_verify($password, $hash);

            if($count == 0 or $passwordsMatch == false){
                $output = "Invalid email/password";

            }else{

                //User logged in sucessfully, inserting session data
                $_SESSION['loggedin'] = TRUE;
                $_SESSION['email'] = $email;
                $_SESSION['id'] = $row['id'];
                $_SESSION['username'] = $row['username'];

                header('Location: index.php');
                exit();
            }
        }
    }


    echo $output;

    ?>

register.php 

        <div class="pageContent">

    <form method="POST">

    Username:
    <input type="TEXT" name="username"><br>

    Password:
    <input type="PASSWORD" name="password"><br>

    Repeat Password:
    <input type="PASSWORD" name="rpassword"><br>

    Email Address:
    <input type="TEXT" name="email"><br>

    <input type="SUBMIT" name="submit" value="Register"><br>

    </form>

    <?php

    session_start();

    //Takes information out of feilds
    $username = $_POST['username'];
    $password = $_POST['password'];
    $rpassword = $_POST['rpassword'];
    $email = $_POST['email'];

    $output = NULL;

    function sanitize($conn, $val){
        $val = stripslashes($val);
        $val = mysqli_real_escape_string($conn, $val);
    }

    //Runs all code if Register is clicked
    if(isset($_POST['submit'])){

        //Connect to DB
        include "core/database/dbConnect.php";

        //Sanitizes input
        sanitize($conn, $username);
        sanitize($conn, $password);
        sanitize($conn, $rpassword);
        sanitize($conn, $email);

        //Query's the username for duplicates
        $usernameQuery = $conn->query("SELECT * FROM users WHERE username = '$username'");

        //Query's the email for duplicates
        $emailQuery = $conn->query("SELECT * FROM users WHERE email = '$email'");

        //Checks if all feilds are filled
        if(empty($username) OR empty($password) OR empty($rpassword) OR empty($email)){
            $output = "Please fill in all fields!";

        //Checks if username is already taken
        }elseif($usernameQuery->num_rows != 0){
            $output = "That username is already taken!";

        //Checks if password and rpassword matches
        }elseif($rpassword != $password){
            $output = "Your passwords don't match!";

        //Checks if username has more than 5 characters
        }elseif(strlen($username) < 4){
            $output = "Your username must be at least 4 characters!";

        //Checks if password has more than 5 characters
        }elseif(strlen($password) < 7){
            $output = "Your password must be at least 7 characters!";

        //Checks if email is already in use
        }elseif($emailQuery->num_rows != 0){
            $output = "The email is already in use! Do you already have an account?";

        //Checks if email is a valid email
        }elseif(filter_var($email, FILTER_VALIDATE_EMAIL) == FALSE){
            $output = "The email you have entered is not valid!";
        }else{

            //Hashing password
            $password = password_hash('$password', PASSWORD_BCRYPT, array(
                'cost' => 10
            ));

            //Insert data in DB users
            $insert = $conn->query("INSERT INTO users(username,password,email) VALUES('$username','$password','$email')");

            if($insert == TRUE){
                $output = "You account was created! Please login!";
            }else{
                $output = $error;
            }
        }
    }

    echo $output;
    ?>

dbConnect.php 

    <?php

$error = "Sorry, Somthing went wrong!";

$conn = NEW MySQLi('localhost', 'root', '', 'phplogin') or die($error);
?>

数据库设置 enter image description here

2 个答案:

答案 0 :(得分:0)

您不需要逃避或清理密码,因为它不会在sql查询中使用,并且可能会破坏密码

答案 1 :(得分:0)

我无法查看您实际扫描密码的位置,在登录时,您是否已检查过以确保您没有检查明文密码是否为哈希值?

相关问题
最新问题