password_verify doesn't verify hash
I hash my inserted passwords via password_hash. I verify them by using password_verify.
However, when I insert a hashed password in my database and I try to verify it, both outputs always differ from each other.
My pages are as follows:
main_login.php (form):
<?php include 'header.php';?>
<body>
<form role="form" method="post" action="login.php">
<div class="form-group">
<label for="usrname">Username:</label>
<input type="text" class="form-control" name="usrname" placeholder="Enter username">
</div>
<div class="form-group">
<label for="passwrd">Password:</label>
</div>
<input type="password" class="form-control" name="passwrd" placeholder="Enter password">
<br>
<input type="checkbox">Remember Me
<br>
<br>
<button type="submit" class="btn btn-default">Submit</button>
</form>
</body>
</html>
login.php (handler):
<?php
include 'vars.php';
include 'header.php';
$sql="SELECT * FROM members WHERE usrname='$usrname'";
$result=mysqli_query($con,$sql);
$count=mysqli_num_rows($result);
$row=mysqli_fetch_row($result);
$verify=password_verify($hash,$row[2]);
if($verify){
$_SESSION["usrname"]=$usrname;
echo "Correct";
}
else {
echo "user: " . $usrname. "<br>";
echo "pass: " . $hash. "<br>";
echo "db: " . $row[2]."<br>";
echo "Wrong Username or Password";
}
?>
vars.php:
<?php
$h='localhost';$u='caelin';$p='****';$d='ombouwnh';
$con=mysqli_connect($h,$u,$p,$d);
$usrname=$_POST['usrname'];
$passwrd=$_POST['passwrd'];
$hash=password_hash($passwrd, PASSWORD_DEFAULT);
?>
When I try to log in using username 'caca' and password 'caca' I get a different output for both, every time I retry. I can't find this particular problem on stackoverflow.
TIA
PS. If you need more details, ask for them
The function password_verify() takes two parameters: a non-hashed input, and a stored hash to compare it to. It hashes the non-hashed input automatically to compare it to the stored version. So your initial code was re-hashing an already hashed password. Should look like this:
$verify=password_verify($_POST['passwrd'],$row[2]);
if($verify){
$_SESSION["usrname"]=$usrname;
echo "Correct";
}
else {
echo "user: " . $usrname. "<br>";
echo "pass: " . $hash. "<br>";
echo "db: " . $row[2]."<br>";
echo "Wrong Username or Password";
}
You re-hashed the password - just pass the plain-text password and the hash (from the db) to password_verify.
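The behaviour the answers describe, as an added example that is not part of the original posts: it shows why a fresh password_hash() result never matches the stored one, and a login check that passes the plain-text password to password_verify(). The function names fetch_hash and check_login and the column name passwrd are assumptions; the page only shows the hash being read as $row[2].

```php
<?php
// Added example, not the poster's code. The column name `passwrd` is assumed.

// Fetch the stored hash with a prepared statement, so the username from the
// form is never concatenated into the SQL text. Returns null if no such user.
function fetch_hash(mysqli $con, string $usrname): ?string
{
    $stmt = $con->prepare('SELECT passwrd FROM members WHERE usrname = ?');
    $stmt->bind_param('s', $usrname);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $stored : null;
}

// Compare the plain-text password from the form against the stored hash.
function check_login(?string $stored, string $passwrd): bool
{
    // Unknown user: still run one verification against a throwaway hash so
    // the response time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    return password_verify($passwrd, $stored ?? $dummy) && $stored !== null;
}

// --- Demo on constructed data, no database needed ---
$stored = password_hash('caca', PASSWORD_DEFAULT); // done once, at registration
$rehash = password_hash('caca', PASSWORD_DEFAULT); // what vars.php did on every login

// password_hash() picks a new random salt per call, so two hashes of the same
// password differ. password_verify() reads the salt and cost from $stored and
// re-derives the hash from the plain-text input, which is why it must be given
// the plain text and not another hash.
var_dump($stored === $rehash);
var_dump(check_login($stored, $rehash)); // the bug: a hash passed as the password
var_dump(check_login($stored, 'caca'));  // correct: plain text vs stored hash
var_dump(check_login(null, 'caca'));     // unknown user
```

In login.php the two functions would be combined as check_login(fetch_hash($con, $_POST['usrname']), $_POST['passwrd']), and the debug lines that echo the submitted value and the stored hash should not be sent to the browser.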