[英]password_verify() against MySQL doesn't work
在使用password_hash()(VARCHAR(512)字段)對密碼進行哈希處理之后,我將密碼通過表單存儲到MySQL數據庫中。
$options = array(
'cost' => 12
);
$password = password_hash($password, PASSWORD_BCRYPT, $options);
假設
$pass = "123Azerty";
//and the hash is
$hash = "$2y$12$TzpGzy1cKM81pkEr/Mn0SOVA4wn0lr.7PnKFg4SU9Hto0EUiGGRMe";
當我從數據庫獲取密碼並使用password_verify()進行驗證時,它始終返回false
...
...
$returnedPWD = $row['password'];
if (password_verify($pass,$returnedPWD)){
echo "TRUE";
} else {
echo "FALSE";
}
...
...
在這一點上,我嘗試以這種方式“手動”進行操作
$pass = "123Azerty";
$hash = "$2y$12$TzpGzy1cKM81pkEr/Mn0SOVA4wn0lr.7PnKFg4SU9Hto0EUiGGRMe";
if (password_verify($pass,$hash )){
echo "TRUE";
} else {
echo "FALSE";
}
它總是返回FALSE
但
當我改變
$hash = "$2y$12$TzpGzy1cKM81pkEr/Mn0SOVA4wn0lr.7PnKFg4SU9Hto0EUiGGRMe";
// into
$hash = '$2y$12$TzpGzy1cKM81pkEr/Mn0SOVA4wn0lr.7PnKFg4SU9Hto0EUiGGRMe';
有效。 因為用單引號引起來的哈希是不可解析的。 以我的理解,這意味着從數據庫中獲取的哈希被解釋為可解析的(雙重搬運),而不是根本無法工作
然后我嘗試將字符串括在db int strval()中:
...
...
$returnedPWD = strval($row['password']);
if (password_verify($pass,$returnedPWD)){
echo "TRUE";
} else {
echo "FALSE";
}
...
...
但是它總是返回FALSE,閱讀所有與password_verify()無法正常運行有關的帖子,對我而言,我沒有提出任何有效的解決方案。
請問有什么方法可以使它起作用嗎?
提前致謝
編輯1
我確實嘗試了其他設置,如PASSWORD_DEFAULT,但沒有任何更改。 我還嘗試對前期數據庫存儲進行base64編碼,然后對其進行解碼。 但是什么都沒有改變
編輯2
我使用帶有參數的PDO存儲數據
$query = "INSERT INTO `users` (username, password) VALUES (:username, :password)";
$params = array(
':username' => "$username",
':password' => "$password" // hashed one
);
編輯3
表結構
CREATE TABLE IF NOT EXISTS `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(50) NOT NULL,
`password` varchar(512) NOT NULL,
`enabled` int(1) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 AUTO_INCREMENT=13 ;
$username = trim($_POST["username"];
$password = trim($_POST["password"];
// Query to insert data
$query = "INSERT INTO `users` (username, password, enabled) VALUES (:username, :password, 1)";
// The very original setup I did use and didn't work out
$param_password = password_hash($password, PASSWORD_DEFAULT);
// Bind parameters
$params = array(
':username' => "$username",
':password' => "$param_password"
);
...
...
// insert into db
$sth = $sql->prepare($query);
// Call MySQL
try {
$sth->execute($params); // Execute the Query
} catch (PDOException $e) {
$mysql_error = 'MySQL connection failed: ' . "<br>" . $e->getMessage();
}
...
...
這里是我如何從數據庫讀取的基本內容
...
...
$username_login = trim($_POST["username"]);
$password_login = trim($_POST["password"]);
...
...
$query = "SELECT * FROM `users` WHERE username = :username";
$params = array(
':username' => $username_login
);
$sth = $sql->prepare($query);
try{
$sth->execute($params);
} catch (PDOException $e) {
$mysql_error = 'MySQL connection failed: ' . "<br>" . $e->getMessage();
}
while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
foreach ($row as $key => $value) {
global $$key;
$$key = $value;
}
}
...
...
if (password_verify($password_login, $password) and $enabled == 1){
// Password is correct, so start a new session
session_start();
// Store data in session variables
$_SESSION["logged"] = true;
$_SESSION["id"] = $id;
$_SESSION["uname"] = $username_login_;
// Redirect user to welcome page
header("location: index.php");
} else {
// Display an error message if password is not valid
$password_login__err = "The password you entered was not valid. Or you are not enabled";
}
...
...
您的代碼由於"$password "
而無法工作-它的末尾有空格。 它應該是:
$query = "INSERT INTO `users` (username, password) VALUES (:username, :password)";
$params = array(
':username' => $username,
':password' => $password, // hashed one
);
您的手動測試無效,因為
$hash = "$2y$12$TzpGzy1cKM81pkEr/Mn0SOVA4wn0lr.7PnKFg4SU9Hto0EUiGGRMe";
有雙引號,並且將$2y
, $12
和$Tz...
內插$2y
導致空字符串的變量。 這就是單引號起作用的原因。
根據您提供的信息,我構建了有效的示例代碼: 在此處檢查
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.