douguo6472 2016-08-10 09:04
Views: 49
Accepted

Password does not match in my PHP login form

I have tried many times but every time it says Email & Password Not Matched! I can not find any solution to it. I have used PDO for the database connection. I think I have a problem with the session value, but I can not find the error. This is what I have tried so far:

<?php
/* For Login */

include 'db.php';
if (isset($_POST['login'])) {
    $email = $_POST['email'];
    $hash  = $_POST['password'];
    $password  = password_hash($hash, PASSWORD_DEFAULT);
    $records = $db->prepare("SELECT id FROM users WHERE email=? AND password=?");
    $records->execute(array($email,$password));
    $userdata = $records->fetch(PDO::FETCH_ASSOC);
    if (!empty($email) && !empty($hash)) {
        if (count($userdata)>0 ) {
            //session_start();
            $_SESSION['email'] = $userdata['email'];
            $_SESSION['password'] = $userdata['password'];
            if ($_POST['password'] == $userdata['password']) {
                echo "<div class='alert alert-success text-center'>
                      <strong>Successfully</strong> Login</div>";
                exit;
            }else{
                echo "<div class='alert alert-danger text-center'> 
                      <strong>Email & Password</strong> Not Matched!
                      </div>";
            }
        }else{
            echo "Email and Password Not Matched!";
            echo $_SESSION['email'];
        }
    }else{
        echo "<div class='alert alert-danger text-center'>
              <strong>Email & Password</strong> must not be empty!</div>";
    }
}
?>

Thanks in advance.

1 answer

  • dongsha2792 2016-08-10 09:32

    You are re-hashing the incoming password; that is not how it's done with password_hash(). You need to use password_verify() to test that the hashed password in the database is the same as the plain text password passed in by the user.

    If you run password_hash() using the same password twice in a row you will get a different hash each time; therefore you must use password_verify() to verify the entered password against the hashed one in the database.

    Try this from the CLI and it will demonstrate:

    $password = 'WoopsADaisy';
    echo password_hash($password, PASSWORD_DEFAULT).PHP_EOL;
    echo password_hash($password, PASSWORD_DEFAULT).PHP_EOL;
    

    The output, when I ran it as a test, returns

    $2y$10$t52UeqDlP897iD/n6uo71OErIFP5c4wsli6gLRNdfyQLkv8m6Wxs2
    $2y$10$FczpgQIsmpzr6.vhYA6d3.QmEe3i3HR4WkapLrtO/BLK4Uul0WjUa
    

    You won't get the same hashes, but you will get 2 different hashes!

    This also means you need to modify your process a little:

    <?php
    /* For Login */
    
    // always start the session at the top of a script
    session_start();
    
    include 'db.php';
    
    // isset can test many variables at the same time
    if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
        $email      = $_POST['email'];
        $plain_pwd  = $_POST['password'];
    
        // get hashed password to test
        // also you were never actually retrieving the email
        $records = $db->prepare("SELECT id,password,email 
                                 FROM users WHERE email=?");
        $status = $records->execute(array($email));
    
        // test the query actually worked
        if ( $status === false ) {
            print_r($db->errorInfo());
            exit;
        }
    
        // fetch() returns false when no row matched the email,
        // so check for that before reading $userdata['password']
        $userdata = $records->fetch(PDO::FETCH_ASSOC);
    
        if ( $userdata !== false && password_verify($plain_pwd, $userdata['password']) ) {
            // the entered password is GOOD
    
            $_SESSION['email'] = $userdata['email'];
    
            // never need to store in session
            //$_SESSION['password'] = $userdata['password'];
    
            echo "<div class='alert alert-success text-center'>
                  <strong>Successfully</strong> Login</div>";
        } else {
            echo "Email and Password do not Match!";
        }
    
    }else{
        echo "<div class='alert alert-danger text-center'>
              <strong>Email & Password</strong> must not be empty!</div>";
    }
    ?>
    

    Something else that can trip you up when hashing passwords: make sure that the column password on your table is long enough to hold the hashed password. 60 chars is what password_hash() creates using PASSWORD_DEFAULT, but as the default hash algorithm may change over time should it need strengthening, it is recommended to make this column a varchar(255) to keep your database future proof.

    References:

    password_hash()

    password_verify()

    This answer was selected by the asker as the best answer.
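The following is an added, self-contained example (not the asker's or the answerer's code) that ties together the two points made in the answer: the same password hashed twice gives two different hashes that both verify, and the login script must compare with password_verify() rather than by re-hashing. It uses an in-memory SQLite database through PDO so it runs offline with `php login_demo.php`; the table layout, the varchar(255) password column recommended in the answer, the sample user and the dummy hash used for unknown e-mails are all constructed for this example. It also goes one step beyond the answer by handling the no-such-user case without indexing into `false` and by upgrading old hashes with password_needs_rehash().

```php
<?php
// Added example: register-then-login flow with password_hash()/password_verify()
// over an in-memory SQLite database (constructed for this demo).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// varchar(255): wide enough for today's 60-char bcrypt output and for whatever
// PASSWORD_DEFAULT may produce in a future PHP release.
$db->exec("CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    email    VARCHAR(255) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)");

function register_user(PDO $db, string $email, string $plain_pwd): void {
    // Hash exactly once, at registration; password_hash() picks a random salt.
    $hash = password_hash($plain_pwd, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (email, password) VALUES (?, ?)");
    $stmt->execute([$email, $hash]);
}

// Hash of a value that is never accepted as a password (constructed for this
// example). Verifying against it when the e-mail is unknown keeps "no such user"
// and "wrong password" taking about the same time, so the failure message
// does not reveal which e-mails exist.
$dummy_hash = password_hash('dummy-value-never-a-real-password', PASSWORD_DEFAULT);

function login_user(PDO $db, string $email, string $plain_pwd, string $dummy_hash): ?array {
    $stmt = $db->prepare("SELECT id, email, password FROM users WHERE email = ?");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched; never read $row['password'] then.
    $stored = ($row === false) ? $dummy_hash : $row['password'];
    $ok = password_verify($plain_pwd, $stored);
    if ($row === false || !$ok) {
        return null;                       // one generic failure for both cases
    }

    // Transparently upgrade the stored hash if the default cost/algorithm changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE users SET password = ? WHERE id = ?");
        $upd->execute([password_hash($plain_pwd, PASSWORD_DEFAULT), $row['id']]);
    }

    // Return only what the session needs; the hash itself stays in the database.
    return ['id' => $row['id'], 'email' => $row['email']];
}

// --- demo run (sample user constructed for this example) ---
$pwd = 'correct horse battery staple';
register_user($db, 'alice@example.com', $pwd);

// Two hashes of the same password differ (random salt), yet both verify.
$h1 = password_hash($pwd, PASSWORD_DEFAULT);
$h2 = password_hash($pwd, PASSWORD_DEFAULT);
echo "hashes differ: ",      var_export($h1 !== $h2, true), PHP_EOL;
echo "verify h1: ",          var_export(password_verify($pwd, $h1), true), PHP_EOL;
echo "verify h2: ",          var_export(password_verify($pwd, $h2), true), PHP_EOL;

echo "good login: ",  var_export(login_user($db, 'alice@example.com',  $pwd,       $dummy_hash) !== null, true), PHP_EOL;
echo "bad password: ", var_export(login_user($db, 'alice@example.com', 'wrong',    $dummy_hash) !== null, true), PHP_EOL;
echo "unknown user: ", var_export(login_user($db, 'nobody@example.com', 'anything', $dummy_hash) !== null, true), PHP_EOL;
```

In a real login script, a non-null return from login_user() is the point at which to call session_regenerate_id(true) and store the returned id/email in $_SESSION, as the answer's script does with the e-mail; the stored hash never needs to leave the database.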
