[英]PHP login no error but passwords are not equal when hashed
注冊時我會加密密碼,我想創建一個登錄頁面來檢查密碼。 我對用戶在登錄頁面上寫的密碼進行哈希處理,並檢查密碼是否與數據庫中的密碼相等?
但是當我在登錄頁面中哈希真實密碼時,它與數據庫中的密碼不相等。 在這種情況下,SQL注入或其他安全問題並不重要。 我搜索過多,但無法解決此問題。 誰能幫我。
的login.php
<?php
include_once "connection.php";
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$pa = $_POST['password'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)
$pas = "SELECT pass FROM studenttable WHERE nickname='$username'";
$result = mysqli_query($con, $pas) or die("Error: ".mysqli_error($con)); // assign the return value of mysqli_query to $res
echo "mysqli_query successed <br>";
if($result === FALSE) {
die(mysql_error()); // TODO: better error handling
}else{
if(mysqli_num_rows($result) != 0){
while ($row = $result->fetch_assoc()) {
$pass = $row['pass'];
echo "pass is = $pass <br>";
}
echo "pass: $pass ----------------- password: $password <br>";
if(password_verify($pa , $pass)){
echo "login successfully";
echo "password: $pa ................. pass: $pass <br>";
}
else {
echo "pa: $pa ------------ pass: $pass<br>";
echo "wrong password";
//header('Location: logindif.html');
}
}
}
}}
?>
輸出 :
mysqli_query成功傳遞為= $ 2y $ 10 $ PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc傳遞:$ 2y $ 10 $ PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc -----------------密碼:$ 2y $ 10 $ kgxO6GIOXE6GM5O6G8XO5EIGGM5O5E3G0O2EXMZO2EQM0EJM0E6E0EJM0E0EJM0E0EJM0E0EJM0E0EJM0E6E6E0EJE0EJE0EJE0EJE0E5E0EJE0EJE0EJE0E。 pa:123456 ------------密碼:$ 2y $ 10 $ PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc錯誤密碼
signup.php
<?php
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked
// Here the database is included. No need for mysqli_select_db
$conn = new mysqli('localhost', 'root', '123456', 'inputdatabase');
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
session_start();
$_SESSION['user'] = 'username';
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)
// Its always good to prepare your sql statements.
$prep = $conn->prepare("INSERT INTO studenttable (nickname, pass) VALUES (?,?)");
$stmt = $conn->prepare("SELECT nickname FROM studenttable WHERE nickname=?");
$stmt->bind_param("s", $username);
$sameuser= mysqli_real_escape_string($conn, $_POST['username']);
if (!empty($username)) {
$result=mysqli_query($con,$stmt);
$mostrar = $result->num_rows;
if($mostrar==0){
$prep->bind_param("ss", $username, $password);
$send = $prep->execute();
if ($send === TRUE) {
echo "New record created successfully"; //<-- You won't get to see this because of the next line.
header('Location: index.php');
exit();
} else {
echo "Error: " . $conn->error;
header('Location: signupsqlerror.html');
exit();
}
}else {
header('Location: signupdif.html');
exit();
}
}
$prep->close();
$conn->close();
}
?>
您的數據庫密碼列不夠長,並且會截斷值。 從手冊 :
因此,建議將結果存儲在可以擴展到超過60個字符的數據庫列中(255個字符將是一個不錯的選擇)。
您需要的列長度至少為 60個字符,理想情況下為255個,以便於將來使用。
不幸的是,在45個字符的列中插入60個字符串不會引起任何錯誤,它只會砍掉哈希的最后一部分。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.