堆栈内存溢出
  简体   繁体   English

password_verify() 即使输入正确的值也总是返回 False

[英]password_verify() False is always returned even if you enter the correct value

 原文  2020-05-21 06:41:06       php/ password-hash/ php-password-hash

问题描述

Can anyone tell me why I keep returning FALSE even if I put in the right value?谁能告诉我为什么即使我输入了正确的值,我仍然会返回 FALSE?

before executing this code, put the password into the database.在执行此代码之前,将密码放入数据库。 $encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT); $encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT);

    <?php

    //From Android to php
    $user_id = $_POST["user_id"];
    $user_pw = $_POST["user_pw"];
    $statement = mysqli_prepare($con, "SELECT user_pw FROM USER WHERE user_id = $user_id");
    mysqli_stmt_execute($statement);
    mysqli_stmt_store_result($statement);

  //USERDB contains the password that has already been hashed.

    $response = array();

    if(password_verify($user_pw, $statement)) {
         $response["success"] = true;
         $response["user_id"] = $user_id;
         $response["user_pw"] = $user_pw;
        echo json_encode($response);
} else {

        $response["success"] = false;


        echo json_encode($response);
}


?>

>

1 个解决方案

解决方案1
 1 已采纳  2020-05-21 07:05:28

As pointed out you were missing the benefit of using a prepared statement by directly embedding unsanitised user input in your sql query - use a placeholder in the sql and bind your input data to that.正如所指出的,您错过了通过在 sql 查询中直接嵌入未经处理的用户输入来使用准备好的语句的好处 - 在 sql 中使用占位符并将您的输入数据绑定到该占位符。

<?php

    if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST["user_id"], $_POST["user_pw"] ) ){

        # use a placeholder in the sql for the user supplied data
        $sql='select `user_pw` from `user` where `user_id`=?';

        # attempt to create the prepared statement 
        $stmt=$con->prepare( $sql );

        $response=[
            'success'   =>  false,
            'user_id'   =>  false,
            'user_pw'   =>  false
        ];


        if( $stmt ){

            # bind the user data to the placeholder & execute the query
            $stmt->bind_param( 's', $_POST["user_id"] );
            $res=$stmt->execute();

            # process the result & bind new variables to each field in recordset
            if( $res ){
                $stmt->store_result();
                $stmt->bind_result( $pwd );
                $stmt->fetch();

                # check the supplied password against hash from db
                $status=password_verify( $_POST["user_pw"], $pwd );
                if( $status ){
                    $response=[
                        'success'   =>  $status,
                        'user_id'   =>  $_POST["user_id"],
                        'user_pw'   =>  $_POST["user_pw"]
                    ];
                }
                $stmt->free_result();
                $stmt->close();
            }
        }else{
            exit('Failed to create sql statement');
        }

        exit(json_encode($response));
    }
?>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 password_verify即使使用适当的变量,也始终返回False - password_verify Always Returns False, even with proper variables used 我的密码验证数据库中的值总是返回 false - My password_verify for a value from database always return false password_verify 总是返回假密码 - password_verify always return false password password_verify使用正确的密码返回false - password_verify returning false with correct password Password_verify() 使用正确的密码返回 False - Password_verify() returning False with correct password PHP - password_verify() 总是返回 false - PHP - password_verify() is always returning false PHP - password_verify 总是返回 false - PHP - password_verify always returning false password_verify()始终返回false - password_verify() always return false PHP password_verify始终返回false - PHP password_verify always returning false PHP 登录系统 - 即使密码正确,password_verify 也会返回 false - PHP Login System - password_verify returns false even when the password is correct
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM