无法将用户输入到password_verify()
[英]Can't get user input in to password_verify()
问题描述
here is the login code, I'm trying to get password verify to work but It doesn't want to. 
这是登录代码,我正在尝试让密码验证工作,但它不想。 It seems like this count($sql->fetchAll()) > 0 is the problem or that I am calling the wrong variable to the password_verify() . 看起来这个count($sql->fetchAll()) > 0是问题,或者我正在调用password_verify()的错误变量。
$signup = isset($_POST['signup'] ) ? $_POST['signup'] : false;
$submit = isset( $_POST['submit'] ) ? $_POST['submit'] : false;
$username = isset( $_POST['username'] ) ? $_POST['username'] : false;
$password = isset( $_POST['password'] ) ? $_POST['password'] : false;
if( $submit && $username && $password ) {
$sql = $DB_con->prepare( "SELECT * FROM users WHERE user_name=:user_name AND user_pass=:user_pass" );
$sql->bindParam( ':user_name', $username, PDO::PARAM_STR );
$sql->bindParam( ':user_pass', $password, PDO::PARAM_STR );
$check_user=$sql->fetch(PDO::FETCH_ASSOC);
$success = $sql->execute();
$verify = password_verify($password, check_user['user_pass']);
// Successfully logged in!
if($success && count($sql->fetchAll()) > 0 && $verify) {
$_SESSION['logged_in'] = true;
// Unset errors
unset($_SESSION['error']);
}
else {
// display an error
$_SESSION['error'] = 'That user doesn\'t exist';
}
}
else {
//displays error
$_SESSION['error'] = 'Please enter all fields';
}
if($signup) {
header('Location: signup.php');
}
exit;
Here is the signup code 这是注册码
function register($uname,$umail,$upass)
{
$DB_con = null;
try
{
$DB_con = new PDO("mysql:host=$host;dbname=$dbname", "$username" ,"$password");
$DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e)
{
echo $e->getMessage();
}
try
{
$new_password = password_hash($upass, PASSWORD_DEFAULT);
$stmt = $DB_con->prepare("INSERT INTO users(user_name,user_email,user_pass)
VALUES(:uname, :umail, :upass)");
$stmt->bindparam(":uname", $uname);
$stmt->bindparam(":umail", $umail);
$stmt->bindparam(":upass", $new_password);
$stmt->execute();
return $stmt;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
1 个解决方案
解决方案1
0 已采纳 2017-03-27 02:33:19
There are several things that needs to be cleaned up with this piece of code. 使用这段代码需要清理几件事。
Let's start with your register() function. 让我们从register()函数开始。 There's a clear syntax-error here (where you make the connection), the ""$password" . Then that function don't know what $dbname , $username or $password are (for the connection), these variables aren't in the scope of the function (it can see it). Usually it's better to pass the connection object as a parameter, not create a new object for each time you call the register() function. Modified for that and cleaned a bit, it would look like this 这里有一个明确的语法错误(你在哪里建立连接), ""$password" 。然后那个函数不知道$dbname , $username或$password是什么(对于连接),这些变量不是在函数的范围内 (它可以看到它)。通常最好将连接对象作为参数传递,而不是每次调用register()函数时都创建一个新对象。为此修改并清理了一下,它看起来像这样
function register($DB_con, $uname ,$umail, $upass) {
try {
$new_password = password_hash($upass, PASSWORD_DEFAULT);
$stmt = $DB_con->prepare("INSERT INTO users (user_name, user_email, user_pass)
VALUES (:uname, :umail, :upass)");
$stmt->bindparam(":uname", $uname);
$stmt->bindparam(":umail", $umail);
$stmt->bindparam(":upass", $new_password);
return $stmt->execute();
} catch(PDOException $e) {
echo $e->getMessage();
}
}
and be used like 并被用作
register($DB_con, 'Nader', 'example@example.com', 'pa$$w0rd'); // True or false
Then onto your sign-in. 然后进入你的登录。 This is a little messy, and you're doing a few things wrong. 这有点乱,你做错了。 What I've found so far is... 到目前为止我发现的是......
- Fetching after execution 执行后获取
- Selecting
WHEREthe unhashed password is equal to the hashed one (won't return any rows)选择WHERE未使用的密码等于哈希密码(不会返回任何行) -
count($sql->fetchAll()) > 0will be zero, because you already fetched once, and there will only be one user => this means one row.count($sql->fetchAll()) > 0将为零,因为您已经获取了一次,并且只有一个用户=>这意味着一行。 Fetching one means there are no more to fetch, sofetchAll()is empty!获取一个意味着没有更多要获取,所以fetchAll()是空的! - You don't need to do any more checks than
if ($check_user=$sql->fetch())to check if there are rows您不需要再执行任何检查if ($check_user=$sql->fetch())来检查是否有行
Corrected and accounted for the points above, your code would look something like this 更正并计算了上述各点,您的代码看起来像这样
$signup = isset($_POST['signup']) ? $_POST['signup'] : false;
$submit = isset($_POST['submit']) ? $_POST['submit'] : false;
$username = isset($_POST['username']) ? $_POST['username'] : false;
$password = isset($_POST['password']) ? $_POST['password'] : false;
if ($submit && $username && $password) {
$sql = $DB_con->prepare("SELECT * FROM users WHERE user_name=:user_name");
$sql->bindParam(':user_name', $username, PDO::PARAM_STR);
$sql->execute();
if ($check_user=$sql->fetch(PDO::FETCH_ASSOC)) {
if (password_verify($password, $check_user['user_pass'])) {
$_SESSION['logged_in'] = true;
// Unset errors
unset($_SESSION['error']);
} else {
// Invalid password
}
} else {
// No user with that username
}
} else {
//displays error
$_SESSION['error'] = 'Please enter all fields';
}
if ($signup) {
header('Location: signup.php');
}
exit;
This assumes unique usernames in the DB 这假定数据库中有唯一的用户名
There might be more issues which I can't see, which is why you should enable error-reporting by adding 可能会有更多我无法看到的问题,这就是您应该通过添加启用错误报告的原因
<?php
error_reoprting(E_ALL);
ini_set("display_errors", 1);
at the top of your file (errors shouldn't be displayed like that in a live environment). 在文件的顶部(错误不应该像在实时环境中那样显示)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.