[英]password_verify() False is always returned even if you enter the correct value
Can anyone tell me why I keep returning FALSE even if I put in the right value?谁能告诉我为什么即使我输入了正确的值,我仍然会返回 FALSE?
before executing this code, put the password into the database.在执行此代码之前,将密码放入数据库。 $encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT);
$encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT);
<?php
//From Android to php
$user_id = $_POST["user_id"];
$user_pw = $_POST["user_pw"];
$statement = mysqli_prepare($con, "SELECT user_pw FROM USER WHERE user_id = $user_id");
mysqli_stmt_execute($statement);
mysqli_stmt_store_result($statement);
//USERDB contains the password that has already been hashed.
$response = array();
if(password_verify($user_pw, $statement)) {
$response["success"] = true;
$response["user_id"] = $user_id;
$response["user_pw"] = $user_pw;
echo json_encode($response);
} else {
$response["success"] = false;
echo json_encode($response);
}
?>
>
As pointed out you were missing the benefit of using a prepared statement by directly embedding unsanitised user input in your sql query - use a placeholder in the sql and bind your input data to that.正如所指出的,您错过了通过在 sql 查询中直接嵌入未经处理的用户输入来使用准备好的语句的好处 - 在 sql 中使用占位符并将您的输入数据绑定到该占位符。
<?php
if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST["user_id"], $_POST["user_pw"] ) ){
# use a placeholder in the sql for the user supplied data
$sql='select `user_pw` from `user` where `user_id`=?';
# attempt to create the prepared statement
$stmt=$con->prepare( $sql );
$response=[
'success' => false,
'user_id' => false,
'user_pw' => false
];
if( $stmt ){
# bind the user data to the placeholder & execute the query
$stmt->bind_param( 's', $_POST["user_id"] );
$res=$stmt->execute();
# process the result & bind new variables to each field in recordset
if( $res ){
$stmt->store_result();
$stmt->bind_result( $pwd );
$stmt->fetch();
# check the supplied password against hash from db
$status=password_verify( $_POST["user_pw"], $pwd );
if( $status ){
$response=[
'success' => $status,
'user_id' => $_POST["user_id"],
'user_pw' => $_POST["user_pw"]
];
}
$stmt->free_result();
$stmt->close();
}
}else{
exit('Failed to create sql statement');
}
exit(json_encode($response));
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.