2017-02-11 57 views
0

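Unable to verify user's hashed password - MySQL and PHP

I'm trying to verify a user's hashed password against their input, but I can't get it to work. So far it identifies whether a user with that username exists, but it just won't verify the password. Here is my code: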

<?php 
    $serverName = "localhost"; //Variables to access the user database 
    $username = "root"; 
    $password = ""; 
    $database = "snake_database"; 
    $errors = []; //Array of all the errors to display to the user 

    $conn = mysqli_connect($serverName, $username, $password, $database); //Connect to the database 

    if(!$conn){ //If the database failed to connect 

     die("Database failed to connect: " .mysqli_connect_error()); //Display an error message 
    } 

    $username = $_POST['username']; //set the username/ password variables 
    $password = $_POST['password']; 
    $hashPass = password_hash($password, PASSWORD_DEFAULT); //Encrypt the password 

    $sql = "SELECT * FROM users WHERE username = ?"; //Select all usernames and passwords 
    $stmt = $conn->prepare($sql); 
    $stmt->bind_param("s", $username); 
    $stmt->execute(); 
    $result = $stmt->get_result(); 
    $count = mysqli_num_rows($result); //Count how many results there are 

    if ($count == 1) 
    { 
     $sql = "SELECT password FROM users WHERE username = ?"; 
     $stmt = $conn->prepare($sql); 
     $stmt->bind_param("s", $username); 
     $stmt->execute(); 
     $result = $stmt->get_result(); 

     if(password_verify($password, $result)){ 
      $count = 2; 
     } 
    } 

    if($count == 2) //If there is 1 account that matches 
    { 
     $stmt->close(); //Close the statement and connection 
     $conn->close(); 

     session_start(); 
     $_SESSION["LoggedUser"] = $username; //Log the user in 
     $_SESSION["lastPage"] = "login.php"; 
     header("location: profile.php"); //Direct the user to their profile 

    }else //if there is no accounts that match 
    { 
     array_push($errors, "Username or password is incorrect"); 
     session_start();  
     $_SESSION["loginErrors"] = $errors; 
     $_SESSION["lastPage"] = "login.php"; //Make this page the last page 
     header("location: index.php"); //Go to the homepage 
    } 
    ?> 

Any help appreciated, thanks.

+0

Where does `$myPassword` come from? What is the length of the password column?

+0

I'm not sure, sorry, it confuses me.

+0

I changed it to $password, but it still doesn't work.

Answers

3

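You are doing a lot of things you don't need to do.

A SELECT * will return all the columns, so you don't need to do another SELECT for the password.

Also, you should not password_hash() the password again when checking whether it corresponds to the one already stored in the database. Use password_verify(), which will do all the checking. So you pass it the hashed_password from the database and the plain text password the user just entered on the screen, and it will return true or false, telling you whether the entered password matches the hashed one in the database.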

<?php 
// always do this early in the code 
session_start(); 

$serverName = "localhost"; 
$username = "root"; 
$password = ""; 
$database = "snake_database"; 
$errors = []; //Array of all the errors to display to the user 

$conn = mysqli_connect($serverName, $username, $password, $database); 

if(!$conn){ 
    die("Database failed to connect: " .mysqli_connect_error()); 
} 

// don't hash the password again 
//$hashPass = password_hash($password, PASSWORD_DEFAULT); 

$sql = "SELECT * FROM users WHERE username = ?"; 
$stmt = $conn->prepare($sql); 
$stmt->bind_param("s", $_POST['username']); 
$stmt->execute(); 

$result = $stmt->get_result(); 

if ($result->num_rows == 1) { 

    $row = $result->fetch_assoc(); 
    if (password_verify($_POST['password'], $row['password'])) { 
    // -----------------^^^^^^^^^^^^^^^^^^--^^^^^^^^^^^^^^^^ 
    //                  Plain text pwd      hashed pwd from db 
        $_SESSION["LoggedUser"] = $_POST['username']; 
        $_SESSION["lastPage"] = "login.php"; 
        header("location: profile.php"); 
        // put exit after a redirect as header() does not stop execution 
        exit; 
    } 
} 

// Reached when the username is unknown OR the password does not match, 
// so a wrong password also gets the error instead of a blank page 
$errors[] = "Username or password is incorrect"; 
$_SESSION["loginErrors"] = $errors; 
$_SESSION["lastPage"] = "login.php"; 
header("location: index.php"); 
exit; 
?> 
+0

Perfect, thank you, I think it works well now, thanks :)
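
The following added example is not part of the original posts. It shows, without a database, why hashing the login input again can never match the stored value, and why the password column length asked about in the comments matters. The sample password, the 32-character truncation and the helper name `check_login` are constructed for illustration.

```php
<?php
// Added example: run with the PHP CLI, no database needed.
// All sample values are constructed for illustration.

$plain = 'correct horse battery staple';          // constructed sample password

// Registration: hash once and store the complete string.
$stored = password_hash($plain, PASSWORD_DEFAULT);

// 1. Hashing the login input again gives a different string every time,
//    because password_hash() picks a new random salt on each call.
$again = password_hash($plain, PASSWORD_DEFAULT);
echo "re-hash equals stored hash: ", var_export($again === $stored, true), "\n";

// 2. password_verify() reads algorithm, cost and salt from the stored
//    string and recomputes the hash with them.
echo "verify, right password:     ", var_export(password_verify($plain, $stored), true), "\n";
echo "verify, wrong password:     ", var_export(password_verify('wrong guess', $stored), true), "\n";

// 3. A column that is too short silently cuts the hash on INSERT, and a
//    truncated hash never verifies. The PHP manual recommends a
//    255-character column because PASSWORD_DEFAULT may change over time.
$truncated = substr($stored, 0, 32);              // what a 32-char column would keep
echo "stored hash length:         ", strlen($stored), "\n";
echo "verify, truncated hash:     ", var_export(password_verify($plain, $truncated), true), "\n";

// 4. Login check that also reports when a stored hash should be upgraded
//    (hypothetical helper, not from the original answer).
function check_login(string $input, string $hashFromDb, ?string &$newHash = null): bool
{
    $newHash = null;
    if (!password_verify($input, $hashFromDb)) {
        return false;                             // same result for any failure
    }
    if (password_needs_rehash($hashFromDb, PASSWORD_DEFAULT)) {
        $newHash = password_hash($input, PASSWORD_DEFAULT); // caller stores this
    }
    return true;
}

// A hash created with a deliberately low bcrypt cost stands in for an old record.
$legacy = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 4]);
$ok = check_login($plain, $legacy, $upgrade);
echo "legacy login ok:            ", var_export($ok, true), "\n";
echo "rehash produced:            ", var_export($upgrade !== null, true), "\n";
```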