1. 首页
  2. 问答
  3. password_hash()不起作用

password_hash()不起作用

2016-03-01 45 views
1

任何人都可以请指导我在哪里做错了。密码散列工作正常,并存储在我的数据库中,但当我尝试使用真实密码(如123)登录时,它不会将我登录。谢谢!password_hash()不起作用

<?php 
     // registration script 
     if (isset($_POST['submit'])) { 

      $user_name = $_POST['username']; 
      $user_email = $_POST['email']; 
      $user_pass = $_POST['password']; 

      $query = "SELECT * FROM users where Email = '" . $_POST["email"] . "'"; 
      $result = $obj->run_query($query); 

      if ($count = mysqli_num_rows($result) == 0) { 

       $query = "INSERT INTO users (Name, Email, Pass) VALUES('" . $user_name . "', '" . $user_email . "', '" . password_hash($user_pass, PASSWORD_DEFAULT) . "')"; 
       $result = $obj->run_query($query); 

       echo "<script>alert('You have successfully Registered!')</script>"; 
       echo "<script>window.open('welcome.php','_self')</script>"; 

      } else { 

       echo "<script>alert('This user email $user_email is already exist!')</script>"; 
      } 
     } 

    // login script 
    if (isset($_POST['login'])) { 

     $name = $_POST['name']; 
     $email = $_POST['email']; 
     $password = password_hash($_POST['pass'], PASSWORD_DEFAULT); 


     $query = "SELECT * FROM users WHERE Email = '$email' AND Pass = '$password'"; 
     $result = $obj->run_query($query); 

     if ($count = mysqli_num_rows($result) > 0) { 

      $_SESSION['email'] = $email; 
      $_SESSION['name'] = $name; 

      echo "<script>window.open('welcome.php','_self')</script>"; 

     } else 

     { 
      echo "<script>alert('Your email or password is incorrect!')</script>"; 
     } 

    } 

?>

来源

2016-03-01 Aisha Salman

+0

没有password_hash的'提()'在你的代码的任何地方,并说somethng是“给出错误“而不告诉我们错误是无用的。还阅读了SQL注入攻击和预防它。 – PeeHaa

+1

[password_verify()](http://www.php.net/manual/en/function.password-verify.php)函数用于将用户输入的明文密码与存储的散列密码进行比较,在PHP文档中描述.....你不用哈希用户eneterd密码并比较哈希值,它根本无法作为password_hash()在每次调用时唯一地去除值 –

+1

因此,您的登录检查代码应该被检索来自'users'表的记录仅使用电子邮件地址,然后使用password_verify将用户输入的密码与该SQL查询检索的密码哈希进行比较 –

回答

2

你需要自行解决SQL注入的问题,这是简单地演示如何使用password_verify()

// login script 
if (isset($_POST['login'])) { 

    $name = $_POST['name']; 
    $email = $_POST['email']; 
    $password = $_POST['pass']; 


    $query = "SELECT * FROM users WHERE Email = '$email'"; 
    $result = $obj->run_query($query); 

    if ($count = mysqli_num_rows($result) > 0) { 
     $row = $result->fetch_object(); 
     if (password_verify($password, $row->Pass)) { 
      $_SESSION['email'] = $email; 
      $_SESSION['name'] = $name; 

      echo "<script>window.open('welcome.php','_self')</script>"; 
     } else { 
      echo "<script>alert('Your email or password is incorrect!')</script>"; 
     } 
    } else { 
     echo "<script>alert('Your email or password is incorrect!')</script>"; 
    } 

}

来源

2016-03-01 12:11:15

+0

非常感谢!你解决了我的问题:) @Mark Ba​​ker –

+1

@AishaSalman正如我所提到的,记住你的脚本是开放给SQL注入的。我可以很容易地尝试与每一个用户一起登录,而不需要通过使用“email”或“OR 1 = 1 LIMIT 0,1-”为第一个用户,“OR 1 = 1 LIMIT 1,1” - 为第二个用户等。 – h2ooooooo

+0

好吧!谢谢@ h2ooooooo –

1

这可不行:

$query = "INSERT INTO users (Name,Email,Pass) VALUES ('$user_name','$user_email', md5('$user_pass'))";

试试这个:

$query = "INSERT INTO users (Name, Email, Pass) VALUES('" . $user_name . "', '" . $user_email . "', '" . password_hash($user_pass, PASSWORD_DEFAULT) . "')";

password_hash功能是给你用BCRYPT算法加密后的哈希值。看到这里:http://php.net/manual/en/function.password-hash.php

这很容易受到SQL注入。你应该仔细阅读如何预防它们。搜索'参数化查询'!

来源

2016-03-01 11:05:54

+0

嘿,我做了同样的事,但没有登录:/ @Ferhat Sayan –

+1

看看这里:http://php.net/manual/en/function.password-verify.php –

+0

你能改正我的代码吗?因为我不知道如何在编码中实现这一点? @Ferhat Sayan –

相关问题

 相关问题