Password_Hash，Mysql，SetFetchMode，Password_verify

Question

在我被钉在十字架上之前，我已经有一个星期了，如果有人能帮上忙，我会很感激。我也阅读了关于这个平台上所有关于password_hash和password_verify的文章，但是没有一个解决方案适用于我，从字符串长度和数据库长度等等，所以我决定发布我的问题。

我正在写登录脚本，我用password_verify;我刚刚学会了PHP的安全性，并希望改进我的代码。

每次我尝试登录时，它都不会登录。

public function create() { 

    // Don't forget your SQL syntax and good habits: 
    // - INSERT INTO table (key, key) VALUES ('value', 'value') 
    // - single-quotes around all values 
    // - escape all values to prevent SQL injection 
    /* $sql = "INSERT INTO users (username, password, first_name, last_name) 
         VALUES(?, ?, ?, ?)";*/ 
    $sql = "INSERT INTO users (username, password, email, date_created) 
         VALUES(:username, :password, :email, :date_created)"; 
    try { 
     // prepare sql and bind parameters 
     $core = ConnectionManager::getInstance(); 
     $stmt = $core->con->prepare($sql); 
     /*$stmt = $db->prepare("INSERT INTO users (id, username, password, first_name, last_name) 
      VALUES (:id, :username, :password, :first_name, :last_name");*/ 
     //$stmt->bindParam(':id', 1); 

     $username = $this->username; 
     $password = password_hash($this->password, PASSWORD_BCRYPT); 
     $email = $this->email; 
     $date_created = strftime("%Y-%m-%d %H:%M:%S", time()); 

     /*$username = "boiy"; 
     $password = password_hash("redrum", PASSWORD_BCRYPT); 
     $email = "bdboiy@gmail.com"; 
     $date_created = strftime("%Y-%m-%d %H:%M:%S", time());*/ 

     $stmt->bindParam(':username', $username, PDO::PARAM_STR); 
     $stmt->bindParam(':password', $password, PDO::PARAM_STR); 
     $stmt->bindParam(':email', $email, PDO::PARAM_STR); 
     $stmt->bindParam(':date_created', $date_created, PDO::PARAM_STR); 

     if($stmt->execute()) { 
      $this->id = $core->con->lastInsertId(); 
      echo "New records created successfully"; 
      return true; 
     } else { 
      return false; 
     } 

    } catch (PDOException $e) { 
     echo "Insert Error: " . $e->getMessage(); 
    } 
} 

这是为了创建一个新用户。有效。

然后我试图登录用户：

if($session->is_logged_in()) {redirect_to("admin.php");} 

// Remember to give your form's submit tag a name="submit" attribute! 
if (isset($_POST['submit'])) { // Form has been submitted. 

    $username = trim($_POST['username']); 
    $password = trim($_POST['password']); 
    $YRJWA = "YRJWA"; 
    $string = "$2y$10$$YRJWA/EJQGkmqev6VlpteOXHwF6DeQWcU1x1uGqmOdY4CDK5.oJYi"; 

    // Check database to see if username/password exist. 
    $found_user = User::authenticate($username, $string); 


    if ($found_user) { 
     //if (password_verify($password, $found_user->password)) { 
      $session->login($found_user); 
      log_action('Login', "{$found_user->username} logged in."); 
      redirect_to("admin.php"); 
     //} 
    } else { 
     // username/password combo was not found in the database 
     $message = "Username/password combination incorrect."; 
    } 

} else { // Form has not been submitted. 
    $username = ""; 
    $password = ""; 
} 

当我做到这一点，这是行不通的。 当我把password_verify，它不起作用，所以我评论它在上面的代码中看到。

然后我创建了一个新的页面，并测试了我的代码有：

$YRJWA = "YRJWA"; 
$string = "$2y$10$$YRJWA/EJQGkmqev6VlpteOXHwF6DeQWcU1x1uGqmOdY4CDK5.oJYi"; 
//$string = 'redrum'; 
echo "<hr>"; 
$found_user = User::authenticate('boiy', $string); 
print_r($found_user); 
echo "<br>"; 
/*echo strlen($found_user->password);*/ 
/*echo utf8_encode($found_user->password); 
echo utf8_decode($found_user->password);*/ 
echo "<br/>"; 
//echo substr($found_user->password, 0, 60); 
var_dump($found_user->password); 

echo "<br>"; 
if(password_verify('redrum', $found_user->password)) { 
    echo "Valid"; 
} else { 
    echo "Invalid"; 
} 
ConnectionManager::close(); 

当我直接用密码从数据库，它返回正确的数据，并打印“有效”。

当我删除了评论，并尝试“redum”它给这个错误

注意：试图让用C非对象的属性：\ XAMPP \ htdocs中\财富加\私人\的index.php上线36 NULL

注意：试图让非对象的属性在C：\ XAMPP \ htdocs中\财富加\就行私人\的index.php 39 无效

public static function authenticate($username="", $password="") { 
    $sql = "SELECT username, password FROM users WHERE username = :username AND password = :password LIMIT 1"; 
    try { 

      $core = ConnectionManager::getInstance(); 
      $stmt = $core->con->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); 
      $stmt->execute([':username' => $username, ':password' => $password]); 
      $stmt->setFetchMode(PDO::FETCH_CLASS, "User"); 
      $users = $stmt->fetch(); 
     //if (password_verify($password, $users->password)) { 
      return $users; 
     //} 
    //return !empty($users) ? array_shift($users) : false; 
    }catch (PDOException $e) { 
     echo "Error: " . $e->getMessage(); 
    } 
} 

Answer 1

如果保存散列密码，则无法通过密码查找它。你需要做的是获取用户记录，然后使用password_verify验证密码。

你甚至有这样的代码在那里的残疾：

public static function authenticate($username, $password) { 
    try { 
     $core = ConnectionManager::getInstance(); 
     $stmt = $core->con->prepare("SELECT password FROM users WHERE username = :username";, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); 
     $stmt->execute([ ':username' => $username ]); 
     $stmt->setFetchMode(PDO::FETCH_CLASS, "User"); 

     $user = $stmt->fetch(); 

     if (password_verify($password, $user['password'])) { 
      return $users; 
     } 
    } catch (PDOException $e) { 
     echo "Error: " . $e->getMessage(); 

     return false; 
    } 
} 

记住，添加的东西像username一个UNIQUE约束，你将不必担心LIMIT 1，因为这将是不可能拿到两行。