[英]MySqli Login System - Having Troubles With Verifying Hashed Password
I have been trying to figure out this problem for days now. 我已经试图解决这个问题好几天了。 For some reason, whenever I try to use this, The password goes thru as wrong. 出于某种原因,每当我尝试使用它时,密码都是错误的。 Im thinking that this might be a database issue, but I have displayed the hash password from the database. 我认为这可能是一个数据库问题,但我已经显示了数据库中的哈希密码。 I hope I can resolve this.(I know I can simplify some of this, but I like to have everything laid out so I can visualize it.) 我希望我能解决这个问题。(我知道我可以简化其中的一些,但我喜欢将所有内容都布置好,以便我可以想象它。)
login.php 的login.php
session_start();
$output = NULL;
function sanitize($conn, $val){
$val = stripslashes($val);
$val = mysqli_real_escape_string($conn, $val);
}
//Checks if user is already logged in
if(!isset($_SESSION['loggedin'])){
?>
<form method="POST">
Email: <input type=TEXT name="email"><br>
Password: <input type=PASSWORD name="password"><br>
<input type="SUBMIT" name="submit" value="Log In"><br>
</form>
<?php
}else{
echo "You are already loged in!";
}
//Check Form
if(isset($_POST['submit'])){
//Connect to DB
include "core/database/dbConnect.php";
//Takes information out of feilds
$email = $_POST['email'];
$password = $_POST['password'];
//sanitize input
sanitize($conn, $email);
sanitize($conn, $password);
//Check if form is filled out
if(empty($email) || empty($password)){
$output = "Please enter all fields!";
}else{
$query = "SELECT * FROM users WHERE email ='$email'";
$result = mysqli_query($conn, $query);
$count = mysqli_num_rows($result);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$hash = $row['password'];
$passwordsMatch = password_verify($password, $hash);
if($count == 0 or $passwordsMatch == false){
$output = "Invalid email/password";
}else{
//User logged in sucessfully, inserting session data
$_SESSION['loggedin'] = TRUE;
$_SESSION['email'] = $email;
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
header('Location: index.php');
exit();
}
}
}
echo $output;
?>
register.php register.php
<div class="pageContent">
<form method="POST">
Username:
<input type="TEXT" name="username"><br>
Password:
<input type="PASSWORD" name="password"><br>
Repeat Password:
<input type="PASSWORD" name="rpassword"><br>
Email Address:
<input type="TEXT" name="email"><br>
<input type="SUBMIT" name="submit" value="Register"><br>
</form>
<?php
session_start();
//Takes information out of feilds
$username = $_POST['username'];
$password = $_POST['password'];
$rpassword = $_POST['rpassword'];
$email = $_POST['email'];
$output = NULL;
function sanitize($conn, $val){
$val = stripslashes($val);
$val = mysqli_real_escape_string($conn, $val);
}
//Runs all code if Register is clicked
if(isset($_POST['submit'])){
//Connect to DB
include "core/database/dbConnect.php";
//Sanitizes input
sanitize($conn, $username);
sanitize($conn, $password);
sanitize($conn, $rpassword);
sanitize($conn, $email);
//Query's the username for duplicates
$usernameQuery = $conn->query("SELECT * FROM users WHERE username = '$username'");
//Query's the email for duplicates
$emailQuery = $conn->query("SELECT * FROM users WHERE email = '$email'");
//Checks if all feilds are filled
if(empty($username) OR empty($password) OR empty($rpassword) OR empty($email)){
$output = "Please fill in all fields!";
//Checks if username is already taken
}elseif($usernameQuery->num_rows != 0){
$output = "That username is already taken!";
//Checks if password and rpassword matches
}elseif($rpassword != $password){
$output = "Your passwords don't match!";
//Checks if username has more than 5 characters
}elseif(strlen($username) < 4){
$output = "Your username must be at least 4 characters!";
//Checks if password has more than 5 characters
}elseif(strlen($password) < 7){
$output = "Your password must be at least 7 characters!";
//Checks if email is already in use
}elseif($emailQuery->num_rows != 0){
$output = "The email is already in use! Do you already have an account?";
//Checks if email is a valid email
}elseif(filter_var($email, FILTER_VALIDATE_EMAIL) == FALSE){
$output = "The email you have entered is not valid!";
}else{
//Hashing password
$password = password_hash('$password', PASSWORD_BCRYPT, array(
'cost' => 10
));
//Insert data in DB users
$insert = $conn->query("INSERT INTO users(username,password,email) VALUES('$username','$password','$email')");
if($insert == TRUE){
$output = "You account was created! Please login!";
}else{
$output = $error;
}
}
}
echo $output;
?>
dbConnect.php dbConnect.php
<?php
$error = "Sorry, Somthing went wrong!";
$conn = NEW MySQLi('localhost', 'root', '', 'phplogin') or die($error);
?>
DB Setup enter image description here 数据库设置 在此输入图像描述
你不需要逃避或消毒你的密码,因为它不会在sql查询中使用它可能会破坏密码
我无法看到你在哪里实际扫描密码,在登录中,你是否检查过以确保你没有检查明文密码是否为哈希值?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.