無法使用散列密碼登錄 - Mysqli PHP

Question

我在注冊頁面上用下一個代碼對我的密碼進行了哈希處理：

$c_pass = $_POST['c_pass'];
$storePassword = password_hash($c_pass, PASSWORD_BCRYPT, array('cost' => 10));

在登錄頁面上我有這個代碼：

$customer_email = $_POST['c_email'];
$customer_pass = $_POST['c_pass'];
$select_customer = "select * from customers where customer_email='$customer_email' AND customer_pass='$customer_pass'";

嘗試登錄時，他們會彈出一個錯誤屏幕，提示我的憑據無效。 我嘗試使用

if(password_verify($customer_password,$row['c_pass'])){

但是請注意幫助我，有人可以為此寫我的解決方案，因為我找不到解決方案。

Answer 1

您應該從WHERE子句中刪除AND ，因為當用戶在登錄表單輸入中鍵入他/她的密碼時，它將是非散列的，因此您永遠不會通過復合條件 email + 密碼檢索用戶。 相反，您應該通過標識符（用戶名或電子郵件）找到用戶，然后您應該將來自登錄表單密碼輸入的原始密碼與來自數據庫的哈希值進行比較。 因此，請查看以下內容：

$mysqli = new mysqli('host', 'user', 'password', 'db_name');

// these are submitted input values from the login form which you handle
$email = $_POST['c_email'];
$password = $_POST['c_password'];

// build your query with prepared statements which will retrieve
// the user from the database with login form submitted email
$stmt = $mysqli->prepare('select * from customers where customer_email = ?');
$stmt->bind_param('s', $email);
$stmt->execute();

$result = $stmt->get_result();
$customer = $result->fetch_assoc();

if (empty($customer)) { 
    // no user found by this email, so send to user response message
    // that your system cannot find any customer by provided email
    return false;
}

// here you compare the typed user login password versus the fetched user's password from the database by the provided user email
if (password_verify($password, $customer['c_pass'])) {
    // ok, so the password comparison match
} else {
    // invalid password
}