douchen4534 2017-04-28 12:24
浏览 130
已采纳

password_verify不返回true / false

I have a problem with trying to login using the saved hash from my database, I save my password the following way, which works fine:

adduser($conn, '3', $username, $password);

This calls the following function: 

  function adduser ($conn, $level, $username, $password)
  {
  $password = mysqli_real_escape_string($conn, $password);
  $password = mysqli_real_escape_string($conn, $username);
  $password = password_hash($password, PASSWORD_BCRYPT);
  $user = "INSERT INTO users (level, username, password)
  VALUES ('$level', '$username', '$password')";
  mysqli_query($conn, $user) or die (mysqli_error($conn));
  }

My password field is a CHAR(60) so the stored password hash should be the right size.

When I try to login I call this function:

if (login($conn, $username, $password) === true){

}

Which exists here:

  function login ($conn, $username, $password)
  {
$password = mysqli_real_escape_string($conn, $password);
$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$hash = $row["password"];
$verify = password_verify($password, $hash);
if ($verify)
  {
    return true;
  }
  else
  {
    return false;
  }
  }

My issue is that it never returns true or false, which makes it impossible for me to login...

Extra: It succesfully post to database

I also tried running this, which succesfully posted the data from my database

$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
echo $row["password"];

Update

Doing this: 

echo '<br/>';
echo $hash;
echo '<br/>';
echo $password;

Gives me the following output:

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
hej

Which matches the password in my database

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
  • 写回答

1条回答 默认 最新

  • doubi1797 2017-04-28 13:07
    关注

    After testing your entire code, I have come to the following conclusion.

    The problem here is that you are escaping the password while inserting it into your database, which is something I did raise in comments from the beginning.

    "side note: you shouldn't escape a password/hash function, passwords such as 123'\abc< are perfectly valid and will be modified on insertion."

    $password = mysqli_real_escape_string($conn, $username);

    Side note for ^ - Consult Edit #2 below, near "However...":

    Simply don't use it, just keep/use the assignment normally.

    Both password_hash() and password_verify() do their job, so there's no need to escape passwords.

    You will need to remove it from the code that you used to insert it into the database with, and start over again with a new set of hashes.

    That escaping function is most likely adding a character during insertion.

    Side note: Just for the record, my password column is VARCHAR, yet that shoulnd't be a difference from your CHAR (Edit: consult footnote). If it is then ALTER your column to be VARCHAR.

    The manual on password_hash() though, suggests using 255 for a length, being a good bet.

    Edit footnote:

    As per a comment I posted beneath my answer.

    It looks to have a difference. This Q&A What's the difference between VARCHAR and CHAR? shows it, as per the accepted answer

    VARCHAR is variable-length.

    CHAR is fixed length.

    Edit #2:

    After further testing to see if it made a difference by ALTER'ing the password column from VARCHAR(255) to CHAR(60) made a difference; it did not.

    Tests performed:

    • Inserted a new hash without the escaping function and verifying: TRUE.
    • Inserted a new hash with the escaping function and verifying: FALSE.

    Therefore and as I stated originally; the fault lies with the use of mysqli_real_escape_string().

    However and going over your code again, this line:

    $password = mysqli_real_escape_string($conn, $username);

    You were using the $username variable here which also accounts for the wrong value being inserted in the database. All of these put together were the problems from the get go.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 测距传感器数据手册i2c
  • ¥15 RPA正常跑,cmd输入cookies跑不出来
  • ¥15 求帮我调试一下freefem代码
  • ¥15 matlab代码解决,怎么运行
  • ¥15 R语言Rstudio突然无法启动
  • ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
  • ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
  • ¥15 用windows做服务的同志有吗
  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法