1. 首页
  2. 问答
  3. PHP登录系统

PHP登录系统

2016-11-24 274 views
-9

我正在为我的网站创建一个登录系统,但我没有得到太多的运气。我散列了这样的密码$pw = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 14));,我被告知必须使用password_verify检查登录表上的密码,然后再次检查,但我不明白我必须做什么。有人可以请一步一步解释我必须做什么吗?PHP登录系统

GLOBAL $username; 
GLOBAL $pw; 

if (empty($_POST["username"])) { 
       echo"fill in username to sign in"; 
       } else { 

       if (empty($_POST["pw"])) { 
       echo"fill in password to sign in"; 
       } else { 

//check if form is submitted 
if (isset($_POST['signin'])) { 

$username = mysqli_real_escape_string($conn, $_POST['username']); 
$pw = mysqli_real_escape_string($conn, $_POST['pw']); 

$valid = password_validate($password, $hash); 

$sql = mysqli_query($conn, "SELECT * FROM users WHERE username = '" . $username. "' and pw = '" . $pw. "'"); 

if ($row = mysqli_fetch_array($sql)) { 

     // if insert checked as successful echo username and password saved successfully 
     echo "successfully logged in"; 

} else { 
    $errormsg = "Incorrect username or Password!!!"; 
} 
} 
} 
}

来源

2016-11-24 mrpunani

+0

功能是'password_verify()','不password_validate()'。另外,你从哪里得到'$ hash'?你将变量定义为'$ pw',但试图用它作为'$ password'。 – Qirel

+0

你不会选择'WHERE' PW是你的哈希.. password_hash每次都会创建一个新的盐。不,您从数据库中检索散列并根据原始密码输入进行测试。 –

+0

转义用户名和密码会导致更改用户输入的值。使用准备的参数化查询 – RiggsFolly

回答

1

你的第一次尝试确实没有多少权利。

这里是建议的过程你跟着

<?php  
    //check if form is submitted 
    if ($_SERVER['REQUEST_METHOD'] != 'POST' || 
     ! isset($_POST['signin'])) 
    { 
     // looks like a hack, send to index.php 
     header('Location: index.php'); 
     exit; 
    } 

    if (empty($_POST["username"])) { 
     echo 'fill in username to sign in'; 
    } 
    if (empty($_POST["pw"])) { 
     echo 'fill in password to sign in'; 
    } 

    // dangerous and unnecessary 
    // why would you risk changing the users username and password 

    //$username = mysqli_real_escape_string($conn, $_POST['username']); 
    //$pw = mysqli_real_escape_string($conn, $_POST['pw']); 

    // function does not exist 
    //$valid = password_validate($password, $hash); 


    // dangerous (SQL Injection) 
    // Wont work as you are using pw in the criteria and you dont know what pw is as it is a hash 
    //$sql = mysqli_query($conn, "SELECT * FROM users WHERE username = '" . $username. "' and pw = '" . $pw. "'"); 

    // you must select the password using only the username 
    // as the selection criteria 
    // also as the username was passed from the page its potentially 
    // dangerous so use a parameterized query 
    $sql = "SELECT pw FROM user WHERE username = ?"; 

    $stmt = mysqli_prepare($sql); 
    if (!$stmt) { 
     echo mysqli_error($conn); 
     exit; 
    } 

    $stmt->bind_param('s', $_POST['pw']); 
    $stmt->execute(); 

    if (!$stmt) { 
     echo mysqli_error($conn); 
     exit; 
    } 
    // we found a row with that username, 
    // now we need to check the password is correct 

    // get the password from the row 
    $stmt->bind_result($hashed_pwd); 
    $stmt->fetch(); 

    if (password_verify($_POST['pw'], $hashed_pwd)) { 
     // password verified 
     echo 'Login is valid'; 
    } else { 
     echo 'Incorrect username or Password!!!'; 
    } 
} 
?>

来源

2016-11-24 19:30:02 RiggsFolly

+0

你好。我还有一个问题。 ($ _SERVER ['REQUEST_METHOD']!='POST'|| !isset($ _ POST ['signin'])) { // //看起来像一个黑客,发送到index.php header('Location:index.php'); 退出; }' – mrpunani

+0

在我的home.php,profile.php等页面上,用户自动进入index.php。我该如何解决 ? – mrpunani

相关问题

 相关问题