在我的 register.php 中,我使用此代码制作哈希密码:
$user_pass = $_POST['user_pass'];
$hash = password_hash($user_pass, PASSWORD_DEFAULT);
我想在db中验证密码哈希,但我不知道如何正确使用password_verify。这是我登录的login.php脚本
的login.php
<?php
include('Global/global.inc.php');
if(isset($_SESSION['user_name'])!='') {
header("Location: index.php");
}
include('Global/view/view.login.php');
//check if form is submitted
if (isset($_POST['signin'])) {
$user_name = mysqli_real_escape_string($connect, htmlspecialchars($_POST['user_name']));
$user_pass = mysqli_real_escape_string($connect, htmlspecialchars($_POST['user_pass']));
$result = mysqli_query($connect, "SELECT * FROM `" . USERS_TABLE . "` WHERE user_name = '$user_name' AND user_pass = '$user_pass'");
if (empty($user_name) || empty($user_pass)) {
echo "empty fields";
}
if ($row = mysqli_fetch_array($result)) {
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['user_avatar'] = $row['user_avatar'];
$_SESSION['user_mail'] = $row['user_mail'];
header("Location: index.php");
}
else {
echo 'Invalid Username or Password!<br />';
}
}
答案 0 :(得分:0)
来自手册http://php.net/manual/en/function.isset.php
isset - 确定变量是否已设置且不是NULL
isset()会返回bool true or false您应该只有
if (isset($_SESSION['username']))
使用password_verify();
http://php.net/manual/en/function.password-verify.php
例如
<?php
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify($password, $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
?>
答案 1 :(得分:0)
我编辑了你的代码,并添加了一些评论,以明确希望它有所帮助
if( isset($_SESSION['user_name']) ) {
header("Location: index.php");
}
include('Global/view/view.login.php');
//check if form is submitted
if (isset($_POST['signin'])) {
$user_name = mysqli_real_escape_string($connect, htmlspecialchars(trim($_POST['user_name'])));
$user_pass = trim($_POST['password']); // trim deletes spaces from left and right password doesn't need sanitization
//check fields
if (empty($user_pass) || empty ($user_name) ) {
echo "empty fields";
}
elseif ($result = mysqli_query($connect,$sql)){
// check username if it exists procceds to password checking
if (mysqli_num_rows($result) > 0 ){
$row = mysqli_fetch_assoc($result);
$hashedpassword = $row["password"];
//check password if username exists
if (password_verify($password, $hashedpassword))
{
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['user_avatar'] = $row['user_avatar'];
$_SESSION['user_mail'] = $row['user_mail'];
header("Location: index.php");
}
} else {
echo 'Invalid Username or Password!<br />';
} } else {
echo 'Invalid Username or Password!<br />';
}
}
答案 2 :(得分:0)
如果要使用数据库哈希密码检查登录密码,请将登录密码转换为哈希并比较它们。那就是:
$user_pass = password_hash($user_pass, PASSWORD_DEFAULT);
$result = mysqli_query($connect, "SELECT * FROM `" . USERS_TABLE . "` WHERE user_name = '$user_name' AND user_pass = '$user_pass'");
if (empty($user_name) || empty($user_pass)) {
echo "empty fields";
}
if ($row = mysqli_fetch_array($result)) {
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['user_avatar'] = $row['user_avatar'];
$_SESSION['user_mail'] = $row['user_mail'];
header("Location: index.php");
}
else {
echo 'Invalid Username or Password!<br />';
}
}