我的注册脚本接受用户的密码,然后使用
PHP的password_hash函数加密密码,然后将其放入数据库.当我使用刚刚创建的用户登录时,我收到的错误是检查密码是否相同.就我而言,他们不是.当我在登录脚本中调用password_verify函数时,我做错了什么?
寄存器
if($_SERVER["REQUEST_METHOD"] == "POST"){ function secure($data){ $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return($data); } $p_num = secure($_POST["p_number"]); $first_name = secure($_POST["first_name"]); $last_name = secure($_POST["last_name"]); $email = secure($_POST["email"]); $password = secure($_POST["pw"]); $verify_password = secure($_POST["pw_verify"]); $program = secure($_POST["program"]); $role = secure($_POST["role"]); $logged_in = 0; $registered = 0; $image = "../images/profile_placeholder.png"; if($password != $verify_password){ echo "Nope. Passwords"; } else{ $registered = 1; $password = password_hash($password,PASSWORD_DEFAULT); $insert = "INSERT INTO `$user_table`(`user_id`,`first_name`,`last_name`,`password`,`image`,`email`,`program`,`role`,`logged_in`,`registered`) VALUES('" .$p_num ."','" .$first_name ."','" .$last_name ."','" .$password ."','" .$image ."','" .$email ."','" .$program ."','" .$role ."','" .$logged_in ."','" .$registered ."')"; $query = MysqLi_query($connect,$insert); echo "Success!"; } }
if($_SERVER["REQUEST_METHOD"] == "POST"){ $p_num = $_POST["username"]; $pwd = $_POST["password"]; $query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'"; $result = MysqLi_query($connect,$query); while($row = MysqLi_fetch_assoc($result)){ $user_id = "{$row['user_id']}"; $first_name = "{$row['first_name']}"; $last_name = "{$row['last_name']}"; $user_name = $first_name ." " .$last_name; $password = "{$row['password']}"; $image = "{$row['image']}"; $email = "{$row['email']}"; $program = "{$row['program']}"; $role = "{$row['role']}"; $status = "{$row['logged_in']}"; $registered = "{$row['registered']}"; if(($user_id == $p_num) && (password_verify($pwd,$password))){ $_SESSION["id"] = $user_id; $_SESSION["user"] = $user_name; $_SESSION["program"] = $program; $_SESSION["pass"] = $password; $_SESSION["image"] = $image; $_SESSION["email"] = $email; $_SESSION["role"] = $role; $_SESSION["status"] = $status; $_SESSION["registered"] = $registered; $loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'"; } var_dump($pwd); var_dump($password); }
这是我在做var_dump时得到的:
string(1) "1" string(16) "$2y$10$0aysCso3b"
很明显,密码没有匹配在一起.因此,在注册脚本上,密码被散列并发送到数据库.然后,当用户登录时,登录脚本会查看用户输入的用于登录的密码,然后使用password_verify将其与数据库中的哈希密码进行对比.但是,散列密码不接受未散列的密码作为匹配.我不明白的是,为什么?
这是我用于password_hash和password_verify的内容.按照书面形式进行试用,然后您可以在成功后开始添加其余代码.
原文链接:https://www.f2er.com/php/133741.htmlN.B.:这是一种基本的插入方法.我建议你改用prepared statements.
旁注:密码列需要足够长以容纳散列VARCHAR(255).请参阅“脚注”.
INSERT文件
<?PHP $DB_HOST = 'xxx'; $DB_USER = 'xxx'; $DB_PASS = 'xxx'; $DB_NAME = 'xxx'; $conn = new MysqLi($DB_HOST,$DB_USER,$DB_PASS,$DB_NAME); if($conn->connect_errno > 0) { die('Connection Failed [' . $conn->connect_error . ']'); } $password = "rasmuslerdorf"; $first_name = "john"; $password = password_hash($password,PASSWORD_DEFAULT); $sql = "INSERT INTO users (`name`,`password`) VALUES ('" .$first_name ."','" .$password ."')"; $query = MysqLi_query($conn,$sql); if($query) { echo "Success!"; } else{ // echo "Error"; die('There was an error running the query [' . $conn->error . ']'); }
<?PHP // session_start(); $DB_HOST = 'xxx'; $DB_USER = 'xxx'; $DB_PASS = 'xxx'; $DB_NAME = 'xxx'; $conn = new MysqLi($DB_HOST,$DB_NAME); if($conn->connect_errno > 0) { die('Connection Failed [' . $conn->connect_error . ']'); } $pwd = "rasmuslerdorf"; $first_name = "john"; //$sql = "SELECT * FROM users WHERE id = 1"; $sql = "SELECT * FROM users WHERE name='$first_name'"; $result = $conn->query($sql); if ($result->num_rows === 1) { $row = $result->fetch_array(MysqLI_ASSOC); if (password_verify($pwd,$row['password'])) { //Password matches,so create the session // $_SESSION['user'] = $row['user_id']; // header("Location: http://www.example.com/logged_in.PHP"); echo "Match"; }else{ echo "The username or password do not match"; } } MysqLi_close($conn);
脚注:
密码列应足够长以容纳哈希值. 72长是哈希在字符长度上产生的,但是手册建议255.
参考:
> http://php.net/manual/en/function.password-hash.php
“Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason,the length of the result from using this identifier can change over time. Therefore,it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).”