Password_Verify always returns false after switching to PDO?

For some reason, password_verify is returning false, no matter what. I've done a var_dump on the hash that is returned from the database, and it is correct (at 60 characters). I know that the password I am inputting is correct. And I know that this exact method worked fine prior to me switching over to PDO (from what I read, PDO is more secure; plus, I like the idea of using parametrized queries).

You can see my old code that was working (it's commented out). What is different about the hash returned by PDO?

<?php
    /* When we have all of the input, try to login */
    if(isset($_POST['id']) && isset($_POST['password'])){

        /* Connect to the database */
        //$dbHandle = new Database();
        //$dbHandle -> connect();
        // Assumption: $dbHandle is a PDO connection; the DSN and credentials below are placeholders, not from the original post
        $dbHandle = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret');
        $dbHandle -> setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        /* Sanitize input to prevent SQL Injection */
        //$password = $dbHandle -> sanitize($_POST['password']);
        //$id       = $dbHandle -> sanitize($_POST['id']);

        /* trim() returns the trimmed string; it does not modify its argument in place,
        ** so the result has to be assigned. Whatever is done to the password here must
        ** match what was done to it before password_hash() at registration. */
        $password = trim($_POST['password']);
        $id       = trim($_POST['id']);

        // Query the Database for the users info (parametrized, so $id is never interpolated into SQL)
        $stmt = $dbHandle -> prepare("SELECT `password`, `admin`, `firstname`, `lastname` FROM users WHERE `id` = :id");
        $stmt -> bindParam(":id", $id, PDO::PARAM_INT);
        $stmt -> execute();
        $result = $stmt -> fetch(PDO::FETCH_ASSOC);

        //$result  = $dbHandle -> query("SELECT `password`, `admin`, `firstname`, `lastname` FROM users WHERE `id`=$id") -> fetch_assoc();
        /* fetch() returns false when no row matches; an empty hash makes password_verify() fail cleanly */
        $hash    = $result ? $result['password'] : '';

        // Debug output (remove before deploying: it prints the stored hash and the submitted password)
        echo($hash . "<br>");
        var_dump($hash);
        echo($password);
        var_dump(password_verify($password, $hash));
        /* Check to see if the user entered the correct password */
        if(password_verify($password, $hash)){

            //Login
            $_SESSION['loggedin'] = true;
            $_SESSION['admin']    = $result['admin'];
            $_SESSION['name']     = $result['firstname'] . ' ' . $result['lastname'];

            /* Update "lastlogin"
            ** Bound as a parameter, so the datetime string is quoted by the driver.
            ** "H" gives the 24-hour clock; "h" would drop AM/PM information.
            */
            $timestamp = date("Y-m-d H:i:s");
            $update = $dbHandle -> prepare("UPDATE `users` SET `lastlogin` = :ts WHERE `id` = :id");
            $update -> bindParam(":ts", $timestamp);
            $update -> bindParam(":id", $id, PDO::PARAM_INT);
            $update -> execute();

            //Send user to home page and stop executing the rest of the script
            header('Location: home.php');
            exit;

        } else {
            echo("
                <p style='color:red;'>Wrong ID/Password</p>
            ");
        }
    }
?>

The results of all of those echos and var_dumps are as follows:

(screenshot: Output of Script)

Check if

$dbHandle -> sanitize($_POST['password']);

and

$password = $_POST['password'];
trim($password);

produce exactly the same result for your passwords.

If not: that's the problem you face. It has nothing to do with PDO; you might have mutilated the passwords before storing the hashes ...

If they are the same: the code should not fail if you use the correct password.

As it turns out, I was calling mysqli_real_escape_string($PASSWORD, $dbHandle) BEFORE hashing the password. Naturally, this changed the hash value altogether.

I solved this by re-inserting the password hash into the database AFTER switching over to PDO.

THIS WAS NOT A PDO ERROR.
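The following is an added example, not code from the original question or either answer. It reproduces the failure mode both answers describe (the password was transformed by an escaping function before password_hash() at registration, so the stored hash belongs to a different string than the one the user types at login) beside the corrected flow, where the raw password is hashed and placeholders take care of quoting. It uses an in-memory SQLite database and a stand-in for mysqli_real_escape_string (both assumptions, so it runs without a MySQL server); the function names registerBuggy, registerFixed, login and fakeMysqlEscape are hypothetical.

```php
<?php
declare(strict_types=1);

// Stand-in for mysqli_real_escape_string so the example runs offline.
// Assumption: it escapes the same characters MySQL does: \ ' " NUL \n \r \x1a.
function fakeMysqlEscape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\", "'"  => "\\'", "\"" => "\\\"",
        "\0"   => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Buggy registration: escapes the password before hashing. For any password
// containing a quote, backslash or newline, the hash is of the wrong string.
function registerBuggy(PDO $pdo, int $id, string $password): void
{
    $escaped = fakeMysqlEscape($password);                 // the mistake
    $hash    = password_hash($escaped, PASSWORD_DEFAULT);
    $stmt    = $pdo->prepare('INSERT INTO users (id, password) VALUES (:id, :hash)');
    $stmt->execute([':id' => $id, ':hash' => $hash]);
}

// Correct registration: hash the raw password; the bound parameter handles quoting,
// and the bcrypt hash itself contains no characters that need escaping.
function registerFixed(PDO $pdo, int $id, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (id, password) VALUES (:id, :hash)');
    $stmt->execute([':id' => $id, ':hash' => $hash]);
}

// Login as in the question, with the lastlogin UPDATE also parametrized.
function login(PDO $pdo, int $id, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the id is unknown, so response time
    // does not reveal which ids exist.
    $hash = $row === false ? password_hash('unknown-user', PASSWORD_DEFAULT) : $row['password'];
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    $upd = $pdo->prepare('UPDATE users SET lastlogin = :ts WHERE id = :id');
    $upd->execute([':ts' => date('Y-m-d H:i:s'), ':id' => $id]);
    return true;
}

// Constructed in-memory schema (assumption: the real table has more columns).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT NOT NULL, lastlogin TEXT)');

// A password with a quote and a backslash is where escaping visibly changes the input.
$password = "O'Reilly\\2020";

registerBuggy($pdo, 1, $password);
registerFixed($pdo, 2, $password);

var_dump(login($pdo, 1, $password));                    // bool(false): hash is of O\'Reilly\\2020
var_dump(login($pdo, 2, $password));                    // bool(true)
var_dump(login($pdo, 1, fakeMysqlEscape($password)));   // bool(true): the escaped string is what was hashed
```

The third call is the diagnostic to run against an existing database: if password_verify() succeeds only when the login-side input is passed through the same escaping function that registration used, the stored hashes were made from mutilated passwords and have to be regenerated, exactly as the accepted answer concluded. Note that a password made only of letters and digits is unchanged by escaping, so the bug surfaces only for passwords containing quotes, backslashes or control characters.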
