语句始终返回false
[英]The statement always return false
问题描述
I wrote this statement for the log in system and it is not working, fetch functions work properly because if I try to echo out the $hash, it looks fine but then if I try this verify statement it always returns the false even if the inputs are the same in the database, the database looks fines it has varchar(255), here's my code 
我为登录系统编写了该语句,但该语句不起作用,提取功能正常运行,因为如果我尝试回显$ hash,它看起来还不错,但是如果我尝试此验证语句,即使输入也总是返回false在数据库中是相同的,数据库看起来很好,它具有varchar(255),这是我的代码
<?php
if(isset($_POST['submit'])){
include 'database.php';
$uid = mysqli_real_escape_string($conn,$_POST['uid']);
$pass = mysqli_real_escape_string($conn,$_POST['pass']);
$query = "SELECT * FROM user WHERE username ='$uid'";
$tbl = mysqli_query($conn, $query);
if (mysqli_num_rows($tbl)>0){
$row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
$hash = $row['password'];
if (password_verify($pass, $hash)){
echo "success";
} else {
echo "log in error";
}
}
}
edit 编辑
I remove the mysqli_real_escape_string but it still return false heres the new code, I am selecting all from the database to also verify the username, so if either of the username or password in the inputs are inside the database the user will be redirected to wrong password page 我删除了mysqli_real_escape_string,但仍返回false,这里是新代码,我从数据库中选择全部以验证用户名,因此,如果输入中的用户名或密码位于数据库内部,则用户将被重定向到错误的密码页
<?php
if(isset($_POST['submit'])){
include 'database.php';
$uid = $_POST['uid'];
$pass = $_POST['pass'];
$query = "SELECT * FROM user WHERE username ='$uid'";
$tbl = mysqli_query($conn, $query);
if (mysqli_num_rows($tbl)>0){
$row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
$hash = $row['password'];
if (password_verify($pass, $hash)){
echo "success";
}
else {
echo "log in error";
}
}
}
I have a sign up page and this is where I hashed then stores it inside the database, here's my code 我有一个注册页面,这是我进行哈希处理的位置,然后将其存储在数据库中,这是我的代码
$sql = "SELECT * FROM 'user' WHERE username ='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
}
if ($resultCheck > 0) {
header("Location:.../user.add.php?the inputs are already taken");
exit();
}
else {
$hashedpass = password_hash($pwd, PASSWORD_DEFAULT);
//insert the new user to the user database
$sql = "INSERT INTO user (userID, username, password)
VALUES (NULL, '$uid', '$hashedpass');";
$result = mysqli_query($conn, $sql);
header("Location:../user.add.php?success sir");
exit();
}
1 个解决方案
解决方案1
2 2019-01-29 12:09:38
You're potentially modifying the password before comparing it: 您可能会在比较之前修改密码:
$pass = mysqli_real_escape_string($conn,$_POST['pass']);
In some cases this won't make a difference, but in some it will. 在某些情况下,这不会有所作为,但在某些情况下会有所不同。
if I try to echo out the $hash, it looks fine
It may intuitively look fine to a human as output on a web page, but does that mean the two values are binary equivalent? 对于人类来说,在网页上输出可能看起来很直观,但这是否意味着两个值是二进制等效的? Not always, and the result of the code seems to indicate exactly that. 并非总是如此,代码的结果似乎恰好表明了这一点。
Since you're not using this value in a SQL query, you don't need to escape it: 由于您不在SQL查询中使用此值,因此无需转义它:
$pass = $_POST['pass'];
Side note: You shouldn't rely on escaping input to use in a SQL query anyway. 旁注:无论如何,您都不应依赖转义输入来在SQL查询中使用。 Instead, don't use user-modifiable values as code in your query in the first place. 相反,请不要在查询中首先使用用户可修改的值作为代码。 Use query parameters instead. 请改用查询参数 。 A commonly linked Stack Overflow question has some great examples and explanations to get you started. 一个通常链接的堆栈溢出问题提供了一些出色的示例和解释,可以帮助您入门。 In the long run your code will be more secure, more stable, and easier to debug and maintain. 从长远来看,您的代码将更安全,更稳定,更易于调试和维护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.