[英]password_verify returning false for correct password from Database
I'm creating a login form for a site. 我正在为网站创建登录表单。 The validation worked fine prior to me trying to incorporate security with PHPs built in password_hash() and password_verify() fucntions.
在尝试将安全性与password_hash()和password_verify()功能内置的PHP合并在一起之前,验证工作正常。 I'm using the bcrypt algorithm for encryption with said functions.
我正在使用bcrypt算法通过上述功能进行加密。
The issue is that when the correct username and password are entered into the login form password_verify returns false and as such the validation is unsuccessful, preventing login. 问题是,在登录表单中输入正确的用户名和密码后,password_verify返回false,因此验证失败,从而阻止了登录。 I've done a great deal of searching around but have not found any solutions that sort this.
我已经做了很多搜索,但是还没有找到解决此问题的解决方案。 The below code (admin_login.php) manages both the login form and processes the login as well.
下面的代码(admin_login.php)管理登录表单并同时处理登录。
I'm including my code and also a screenshot of the structure of my MySQL 'login' table within the phpmyadmin control panel. 我包括我的代码,以及phpmyadmin控制面板中MySQL“登录”表的结构的屏幕截图。
Thanks in advance. 提前致谢。
(Being new I don't have the rep to post images so here's a gyazo link: http://gyazo.com/a423e5ba38fe5200a8198b47a66fe75a ) (作为新手,我没有发布图像的代表,因此,这里有一个gyazo链接: http ://gyazo.com/a423e5ba38fe5200a8198b47a66fe75a)
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_SESSION['id']) && $_SESSION['admin'] == 1) {
$userID = $_SESSION['id'];
$username = $_SESSION['username'];
header('Location:admin_panel.php');
}
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
// VALIDATES LOGIN CREDENTIALS //
/* $verify = password_verify('123', $trimmed);
var_dump($password);
var_dump($dbPassword);
var_dump($verify); */
// checks if user is valid in database and admin
if ($username == $dbUsername AND $verify && $admin = 1) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
?>
<?php
$pageTitle = "Casa Mirador | Admin";
include_once('inc/header.php');
?>
<h2 style="text-align: center;">Admin Login</h2>
<div class="login_section_one">
<div class="wrapper">
<!-------- ADMIN LOGIN FORM ---------->
<form method="POST" action="admin_login.php" id="admin_form">
<table class="form_login">
<tr>
<th>
<label for = "username"> Username </label>
</th>
<td>
<input type="text" name="username" id="username">
</td>
</tr>
<tr>
<th>
<label for = "password"> Password </label>
</th>
<td>
<input type="password" name="password" id="password">
</td>
</tr>
</table>
<input type="submit" id="submit" name="submit" value="Login">
</form>
</div>
<?php
include_once('inc/footer.php');
?>
In this code snipped there is no $verify
variable defined, it is commented out, so this conditional statement goes to 'else' section. 在这段代码中,没有定义
$verify
变量,将其注释掉,因此该条件语句转到“ else”部分。 Also $dbUsername
always equals to $username
, because that's in your WHERE clause in your $sql
- so you don't need to check that again. 同样,
$dbUsername
始终等于$username
,因为它位于$sql
WHERE子句中-因此您无需再次检查。
Another thing: you omitted one =
character - change 另一件事:您省略了一个
=
字符-更改
if ($username == $dbUsername AND $verify && $admin = 1) {
to 至
if ($username == $dbUsername AND $verify && $admin == 1) {
you assigned 1 to $admin
instead of checking if $admin == 1 您将1分配给
$admin
而不是检查$ admin == 1
This should work. 这应该工作。
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
$verify = password_verify($_POST['password'], $dbPassword); // This should work
if ( $verify ) { // You don't need to check username and is admin, because this is done in the query to the database.
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
Why isn't mine working? 为什么我的不工作? It goes to "incorrect password combination" even though the password is correct.
即使密码正确,也会转到“密码组合错误”。
function vertifyPass($userEmail, $userPass)
{
$sqlStatement = "SELECT user_pass FROM user WHERE user_email = :userEmail";
$preparedStatement = $this->db->prepare($sqlStatement);
$preparedStatement->bindParam(':userEmail', $userEmail);
if($preparedStatement->execute())
{
$userData = $preparedStatement->fetch();
$vertify = password_verify($userPass, $userData['user_pass']);
if($vertify)
{
session_start();
$_SESSION['user_email'] = $userEmail;
header('Location: /profile.php');
}
else
{
echo "The username and password combinations was incorrect.";
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.