函数password_verify()应返回true时返回false

时间:2019-03-28 21:06:41

标签: php login

我正在为我的学校的比赛创建一个项目。我已经正确完成了注册部分。当涉及到登录部分时,我做错了。我尝试在其他许多方面查找问题网站,但找不到它。即使我在函数中输入密码,该函数也会返回false。

我尝试使用password_BCRYPT(从$ _POST ['password']中获得的密码)进行哈希处理,然后使用hash_equals()将其与数据库中的密码进行比较,但是没有用

这是login.php 编辑:我忘了添加register.php和file_db.php。对不起!

<?php
require "file_db.php";
$email= $mysqli->escape_string($_POST['email']);
echo $_POST['email'];
$result= $mysqli->query("SELECT *FROM users WHERE email='$email'");
if($result->num_rows == 0) {
    $SESSION['message']="Nu exista niciun utilizator cu acel email";
    header("location:error.php");
} else {
    $user=$result->fetch_assoc();
    $hash=substr($user['password'],0,60);
    if(password_verify($_POST['password'],$hash)) {
        $_SESSION['email']=$user['email'];
        $_SESSION['firstname']=$user['firstname'];
        $_SESSION['lastname']=$user['lastname'];
        $_SESSION['active']=$user['active'];
        $_SESSION['loggedin']=true;
        echo $_SESSION['loggedin'];
        echo 1;
    } else{
        $_SESSION['message']="Ai introdus o parola gresita!";
    }
}
?>

<?php
require "file_db.php";

$firstname = $mysqli->escape_string($_POST['firstname']);
$lastname = $mysqli->escape_string($_POST['lastname']);
$email = $mysqli->escape_string($_POST['email']);
$password =$mysqli->escape_string(password_hash($_POST['password'],PASSWORD_BCRYPT));
$hash = $mysqli->escape_string(md5(rand(0,1000) ) );

$_SESSION['email']=$_POST['email'];
$_SESSION['firstname']=$_POST['firstname'];
$_SESSION['lastname']=$_POST['lastname'];

$result = $mysqli->query("SELECT * FROM users WHERE email ='$email' ") or die($mysqli->error());

if($result->num_rows > 0)
{
    $_SESSION['message']='Exista un utilizator cu acest email deja!';
    header("location:error.php");
}
else{
    $sql="INSERT INTO users (firstname,lastname,email,password,hash)".
        "VALUES('$firstname','$lastname','$email','$password','$hash')";
    if( $mysqli->query($sql) )
    {
        $_SESSION['active']=0;
        $_SESSION['message']="Link  de confirmare a fost trimis la $email, te rugam sa iti verifici contul accesand link-ul trimis in email!";

        $to = $email;
        $subject='Account Verification';
        $messageb='
        Salut'.$firstname.',
        Multumim pentru ca te-ai inscris!
        Apasa pe acest link pentru a-ti activa contul:
        https://localhost/aWEBDEVFII/verify.php?email='.$email.'&hash'.$hash;
        mail($to, $subject, $messageb);

        header("location:success.php");
    }
    else{
        $_SESSION['message']='Inregistrarea a intampinat o eroare!';
        header("location: error.php");
    }
}
?>
``````




<?php
session_start();
$host='localhost';
$user='root';
$pass='';
$db='filesdb';
$mysqli= new mysqli($host,$user,$pass,$db) or die($mysqli->error);
?>

1 个答案:

答案 0 :(得分:0)

首先,为什么要将substr()函数应用于散列密码

substr()函数用于从字符串的指定位置等处剪切字符串的一部分。

如果要检查输入密码的长度,应使用strlen() 如果密码长度超过60,则向用户返回一条消息

if (strlen($password)<60) {
  echo "less than 60";
}
else
if (strlen($password)>40) {
  echo "more than 60";
}
else {
  echo "exactly 60";
}

要使用password_verify(),您应该能够在注册过程中首先对用户密码进行哈希处理 通过password_hash()函数。例如

 $password ='nancymore12344444';
 $options = array("cost"=>4);
 $hashPassword = password_hash($password,PASSWORD_BCRYPT,$options);

同样,这将是您的登录脚本中的问题,因为我没有看到您是否通过session_start()初始化会话

请尝试下面的代码,同时确保已放置数据库凭据和所有表列。你会没事的

所以您的注册php看起来像

<?php
//require "file_db.php"; 
$conn = mysqli_connect("localhost","root","","demo");

if(!$conn){
    die("Connection error: " . mysqli_connect_error()); 
}

if(isset($_POST['submit'])){
        $firstName = mysqli_real_escape_string($conn,$_POST['first_name']);
        $surName = mysqli_real_escape_string($conn,$_POST['surname']);
        $email  = mysqli_real_escape_string($conn,$_POST['email']);
        $password = mysqli_real_escape_string($conn,$_POST['password']);

        $options = array("cost"=>4);
        $hashPassword = password_hash($password,PASSWORD_BCRYPT,$options);

        $sql = "insert into users (first_name, last_name,email, password) value('".$firstName."', '".$surName."', '".$email."','".$hashPassword."')";
        $result = mysqli_query($conn, $sql);
        if($result)
        {
            echo "Registration successfully";
        }
    }
?>

您的登录名

<?php 
//require "file_db.php";
$conn = mysqli_connect("localhost","root","","demo");

if(!$conn){
    die("Connection error: " . mysqli_connect_error()); 
}
if(isset($_POST['submit'])){
    $email = mysqli_real_escape_string($conn,$_POST['email']);
    $password = mysqli_real_escape_string($conn,$_POST['password']);

    $sql = "select * from users where email = '".$email."'";
    $rs = mysqli_query($conn,$sql);
    $numRows = mysqli_num_rows($rs);

    if($numRows  == 1){
        $row = mysqli_fetch_assoc($rs);
        if(password_verify($password,$row['password'])){
            echo "Password verified and ok";

// initialize session if things where ok.


session_start();
session_regenerate_id();

$_SESSION['surname'] = $row['surname'];
$_SESSION['first_name'] = $row['first_name'];
$_SESSION['email'] = $row['email'];

// take me to welcome.php page
header('Location: welcome.php');

        }
        else{
            echo "Wrong Password details";
        }
    }
    else{
        echo "User does not exist";
    }
}

?>
相关问题
最新问题