dongshuo6185 2016-07-22 18:18
浏览 110
已采纳

为什么此登录和注册系统未正确检查密码?

Basically I am having issues with hashing and getting the password verified, and I was hoping someone could help me out by proof reading some of the code.

Below is the registration (php code):

include '../includes/connection.php'; 
$userID = $_POST['userID'];
$userName = $_POST['userName'];
$Pass = $_POST['password'];
$encrypted_password = password_hash($Pass, PASSWORD_DEFAULT);
if(!empty($userName) && !empty($Pass) && !empty($userID)){
    $records = "SELECT * FROM Admins WHERE ID='$userID' OR Username='$userName' OR Password='$encrypted_password'";
    $results = mysqli_query($connect,$records);
    if ($results->num_rows == 1){
        $message = "You have already requested an account.";
        echo "<script type='text/javascript'>alert('$message');</script>";  
    }else{
        $query = "INSERT INTO Admins (`ID`,`Username`,`Password`,`AdminLevel`) VALUES ('$userID','$userName','$encrypted_password','0')";
        $run = mysqli_query($connect,$query);
        $message = "Your request has been submitted.";
        echo "<script type='text/javascript'>alert('$message');</script>";
    }
}

Below is the login (php code)

if(!empty($userName) && !empty($Pass)){

    $sql = "SELECT * FROM Admins WHERE Username='$userName'";
    $sqlr = mysqli_query($connect,$sql);
    $sqlrow = $sqlr->fetch_assoc();
    $dbPass = $sqlrow['Password'];
    $hash = password_verify($Pass, $dbPass);

    if ($hash == 0){
        die("There was no password found matching what you have entered.");
    }else{
        $records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";
        $results = mysqli_query($connect,$records);
        if ($results->num_rows == 1){
            $row = $results->fetch_assoc();
            $_SESSION['user_id'] = $row['ID'];
            $_SESSION['admin_level'] = $row['AdminLevel'];
            $_SESSION['user_name'] = $row['Username'];
            $easyName = $_SESSION['user_name'];
            $recordsS = "UPDATE `Admins` SET Status='1' WHERE Username='$userName'";
            $resultsS = mysqli_query($connect,$recordsS);
            header("Location: index.php");
        }else{
            die("Sorry... you have entered incorrect login information.");
        }
    }
}

This is the database heading: https://gyazo.com/69380c5cd0df0259d31799b71f33ce47

When I test this on the website and I login with correct information, "Sorry... you have entered incorrect login information." is echoed.

If I login with false information, "There was no password found matching what you have entered." is echoed.

Why can it detect the password, but not properly execute the else statement in the login section?

  • 写回答

2条回答 默认 最新

  • douye9822 2016-07-22 18:25
    关注

    Your $records query is failing because you are selecting Password='$hash'" where $hash is either true, or false. The query should have this condition: Password='$dbPass'"

    Just as a gut check: The important thing to note is the password field in the database should be huge. The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.

    One more thing: Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 画两个图 python或R
  • ¥15 在线请求openmv与pixhawk 实现实时目标跟踪的具体通讯方法
  • ¥15 八路抢答器设计出现故障
  • ¥15 opencv 无法读取视频
  • ¥15 用matlab 实现通信仿真
  • ¥15 按键修改电子时钟,C51单片机
  • ¥60 Java中实现如何实现张量类,并用于图像处理(不运用其他科学计算库和图像处理库))
  • ¥20 5037端口被adb自己占了
  • ¥15 python:excel数据写入多个对应word文档
  • ¥60 全一数分解素因子和素数循环节位数