1. 首页
  2. 问答
  3. MySql Password_verify()不起作用?

MySql Password_verify()不起作用?

2015-07-11 63 views
1

在注册期间,用户的密码作为加密的BCRYPT密码保存在数据库中。MySql Password_verify()不起作用?

我的问题是:为什么我不能用输入的密码验证加密的数据库密码?

CODE:

<?php      //POST VARIABLES 
        $submit = $_POST['login_submit']; 
        $username = $_POST['login_username']; 
        $password = $_POST['login_password']; 
        $email = $_POST['login_email']; 

require 'password_config.php'; 
if(isset($submit)){ 
require 'db/connect.php'; 
//PASSWORD VERIFYING 
$pass_query = "SELECT password FROM users WHERE email='$email'"; 
$queried = mysql_query($pass_query); 
while($row = mysql_fetch_array($queried)){ 
$user_pass = $row['password']; 
$veri_password = password_verify($password, $user_pass); 
} 

//CHECKING NUM ROWS 
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'"; 
$entered_user = mysql_query($sql); 
$num_rows = mysql_num_rows($entered_user); 


//ERRS ARRAY DECLARED 
$errors = array(); 

//FURTHER VERIFYING 
if($num_rows != 1) 
{ 
$errors[] = '-Account does not exist '; 
} 
elseif($num_rows == 1) 
{ 
session_start(); 
while($row = mysql_fetch_array($entered_user)){ 
$_SESSION['key'] === true; 
$_SESSION['id'] = $row['id']; 
$_SESSION['email'] = $email; 
$_SESSION['user'] = $row['username']; 
$_SESSION['pass'] = $password; 
header('Location: profile.php'); 
exit(); 
} 
} 
} 
?>

我收到一个错误,指出“账号不存在”甚至当我输入有效的信息。

感谢, -Eugene

编辑更改为此:

 <?php      //POST VARIABLES 
          $submit = $_POST['login_submit']; 
          $username = $_POST['login_username']; 
          $password = $_POST['login_password']; 
          $email = $_POST['login_email']; 

    require 'password_config.php'; 
    if(isset($submit)){ 
    require 'db/connect.php'; 
    //PASSWORD VERIFYING 
    $pass_query = "SELECT password FROM users WHERE email='$email'"; 
    $queried = mysql_query($pass_query); 
    while($row = mysql_fetch_array($queried)){ 
    $user_pass = $row['password']; 
    $veri_password = password_verify($password, $user_pass); 
    } 
    if($veri_password === true){ 
    //CHECKING NUM ROWS 
     $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'"; 
     $entered_user = mysql_query($sql); 
     $num_rows = mysql_num_rows($entered_user); 


    //ERRS ARRAY ESTABLISHED 
     $errors = array(); 

    //FURTHER VERIFYING 
     if($num_rows != 1) 
     { 
     $errors[] = '-Account does not exist '; 
     } 
     elseif($num_rows == 1) 
     { 
     session_start(); 
     while($row = mysql_fetch_array($entered_user)){ 
     $_SESSION['key'] === true; 
     $_SESSION['id'] = $row['id']; 
     $_SESSION['email'] = $email; 
     $_SESSION['user'] = $row['username']; 
     $_SESSION['pass'] = $password; 
     header('Location: profile.php'); 
     exit(); 
     } 
     } 
     } 
    } 
    ?>

来源

2015-07-11 Eugene Stamp

+0

您的代码很容易受到SQL注入 – Ormoz

+1

你为什么做用'$ veri_password = password_verify($密码,$ user_pass)结果第二选择;' ....''password_verify()'返回一个布尔值,告诉你密码是否有效.....它不会返回一个字符串值用于后续查询中使用的密码 –

+0

愚蠢的问题家伙,我意识到我的错误,不需要进一步的答案 –

回答

2

变化:

$sql = "SELECT id, username FROM users WHERE email='$email'";

而且改变:

$veri_password = password_verify($password, $user_pass); 


if(!password_verify($password, $user_pass)){ 
    echo 'invalid password'; 
    exit; 
}

无论如何,你的代码很容易被sql注入。请考虑在您的查询中使用准备好的语句或使用mysql_real_escape_string转义输入字符串。 。并且还建议使用mysqlipdo,而不是程序方法

来源

2015-07-11 13:00:52 Ormoz

相关问题

 相关问题