堆棧內存溢出
  簡體   English   中英

MySql Password_verify()不起作用?

[英]MySql Password_verify() not working?

 原文  2015-07-11 12:53:44       php/ mysql/ forms

問題描述

在注冊過程中,用戶密碼將作為加密的BCRYPT密碼保存在數據庫中。

我的問題是:為什么我不能使用輸入的密碼來驗證加密的數據庫密碼?

碼: 

<?php                       //POST VARIABLES
                    $submit = $_POST['login_submit'];
                    $username = $_POST['login_username'];
                    $password = $_POST['login_password'];
                    $email = $_POST['login_email'];

require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}

//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);


//ERRS ARRAY DECLARED
$errors = array();

//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}   
?>

即使輸入有效信息,我也會收到一條錯誤消息,指出“帳戶不存在”。

謝謝,-Eugene

編輯更改為: 

        <?php                       //POST VARIABLES
                            $submit = $_POST['login_submit'];
                            $username = $_POST['login_username'];
                            $password = $_POST['login_password'];
                            $email = $_POST['login_email'];

    require 'password_config.php';
    if(isset($submit)){
    require 'db/connect.php';
    //PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
    $user_pass = $row['password'];
    $veri_password = password_verify($password, $user_pass);
    }
    if($veri_password === true){
    //CHECKING NUM ROWS
       $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
       $entered_user = mysql_query($sql);
       $num_rows = mysql_num_rows($entered_user);


    //ERRS ARRAY ESTABLISHED
       $errors = array();

    //FURTHER VERIFYING
       if( $num_rows != 1 )
       {
       $errors[] = '-Account does not exist ';
       }
       elseif( $num_rows == 1 )
       {
       session_start();
       while($row = mysql_fetch_array($entered_user)){
       $_SESSION['key'] === true;
       $_SESSION['id'] = $row['id'];
       $_SESSION['email'] = $email;
       $_SESSION['user'] = $row['username'];
       $_SESSION['pass'] = $password;
       header('Location: profile.php');
       exit();
       }
       }
       }
    }   
    ?>

1 個解決方案

解決方案1
 2 已采納  2015-07-11 13:00:52

改成: 

$sql = "SELECT id, username FROM users WHERE email='$email'";

同時更改: 

$veri_password = password_verify($password, $user_pass);


if(!password_verify($password, $user_pass)){
   echo 'invalid password';
   exit;
}

無論如何,您的代碼容易受到sql注入的攻擊。 請考慮在查詢中使用准備好的語句,或者使用mysql_real_escape_string輸入字符串進行轉義。 並且建議使用mysqlipdo代替程序方法

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 PHP password_hash 和 password_verify 不適用於 MySQL PHP password_verify 與 MYSQL password_verify()無法正常工作 Password_verify bcrypt無法正常工作 password_verify函數不起作用 password_verify() 不適用於數據庫 password_verify() 在 php 中不起作用 password_verify,不明白為什么不起作用| PHP、MYSQL password_compat password_verify無法正常工作 PHP PDO MySQL password_verify問題
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM