PHP登录页面不适用于password_verify
[英]PHP Log in page doesn't work with password_verify
问题描述
So, I have hashed the password for new accounts which are created on adduser.php with this: 
所以,我已经在adduser.php上创建了新帐户的密码:
if (isset($_POST['submit'])) {
require "../functions/db-insert.php";
$productcategory = [
'username' => $_POST['username'],
'password' => sha1($_POST['password']),
'isadmin' => $_POST['isadmin']
];
//$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
$category = insert($pdo, 'users', $productcategory);
echo "<p>User added</p>";
}
and now I'm trying to modify my login.php to be able to sign properly using password_verify, but I seem to be doing something wrong as I can no longer sign in. 现在我正在尝试修改我的login.php,以便能够使用password_verify正确签名,但我似乎做错了,因为我无法再登录。
if (isset($_POST['submit'])) {
if (isset($_POST["username"]) && isset($_POST["password"])) {
$results = $pdo->prepare("SELECT * FROM users
WHERE username = :username AND password = :password");
$values = [
':username' => $_POST["username"],
':password' => $_POST['password']
];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
$results->execute($values);
$row = $results->fetchAll();
if(count($row) < 1){
echo '<h3><strong>Wrong username or password!</h3>';
}
else if (!password_verify($password, $hash)){
$_SESSION['loggedin'] = true;
$_SESSION['name'] = $_POST['username'];
echo "<h3>Welcome back " . $_SESSION['name'] . " !</h3>";
}
}
}
At this point, I'm not entirely sure what I'm doing wrong and would really appreciate if someone could help me troubleshoot the stuff I do wrong. 在这一点上,我不完全确定我做错了什么,如果有人可以帮我解决我做错的事情,我会非常感激。 I've looked all over stackoverflow but none of the previously asked questions were working for me, unfortunately. 我看了很多stackoverflow,但不幸的是,之前提出的问题都没有为我工作。
1 个解决方案
解决方案1
0 已采纳 2019-04-20 18:51:04
You're re-hashing the password. 您正在重新扫描密码。 When you use password_hash you don't get the same value for the same string, so you are never going to find a match. 当您使用password_hash您没有获得相同字符串的相同值,因此您永远不会找到匹配项。 You need to select the password (hashed) and then pass the raw string (input) into password_verify . 您需要选择密码(散列),然后将原始字符串(输入)传递给password_verify 。 So just have the username in the where, then use result password and the raw string in password_verify 所以只需在where中输入用户名,然后在password_verify使用结果密码和原始字符串
Try echoing out a password_hash of the same value (eg password_hash('test'....) . and you will see. You also need to account for using md5 is this is what you have done before. If this is a live system it will be difficult as you will basically need to make everyone change their password or write some routine to update it next time they log in (eg use the old verification method then password_hash() the password and update it). If this isn't production code yet just clear your your passwords and start again. 尝试呼应了password_hash相同的值(例如password_hash('test'....)你会看到,你还需要考虑使用MD5是,这是你所做过的事情。如果这是一个活的系统这将是困难的,因为你基本上需要让每个人都在下次登录时更改密码或写一些例程来更新它(例如使用旧的验证方法然后使用password_hash()密码并更新它。)如果这不是生产代码,只需清除您的密码,然后重新开始。
Also I just noticed you have said you want to log people in if the password verification returns false , (!password_verify... . So your logic back to front 另外我只是注意到你说如果密码验证返回false,你想要记录人员, (!password_verify...所以你的逻辑回到前面
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.