dongshuo6185 2016-07-22 18:18
浏览 110
已采纳

为什么此登录和注册系统未正确检查密码?

Basically I am having issues with hashing and getting the password verified, and I was hoping someone could help me out by proof reading some of the code.

Below is the registration (php code):

include '../includes/connection.php'; 
$userID = $_POST['userID'];
$userName = $_POST['userName'];
$Pass = $_POST['password'];
$encrypted_password = password_hash($Pass, PASSWORD_DEFAULT);
if(!empty($userName) && !empty($Pass) && !empty($userID)){
    $records = "SELECT * FROM Admins WHERE ID='$userID' OR Username='$userName' OR Password='$encrypted_password'";
    $results = mysqli_query($connect,$records);
    if ($results->num_rows == 1){
        $message = "You have already requested an account.";
        echo "<script type='text/javascript'>alert('$message');</script>";  
    }else{
        $query = "INSERT INTO Admins (`ID`,`Username`,`Password`,`AdminLevel`) VALUES ('$userID','$userName','$encrypted_password','0')";
        $run = mysqli_query($connect,$query);
        $message = "Your request has been submitted.";
        echo "<script type='text/javascript'>alert('$message');</script>";
    }
}

Below is the login (php code)

if(!empty($userName) && !empty($Pass)){

    $sql = "SELECT * FROM Admins WHERE Username='$userName'";
    $sqlr = mysqli_query($connect,$sql);
    $sqlrow = $sqlr->fetch_assoc();
    $dbPass = $sqlrow['Password'];
    $hash = password_verify($Pass, $dbPass);

    if ($hash == 0){
        die("There was no password found matching what you have entered.");
    }else{
        $records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";
        $results = mysqli_query($connect,$records);
        if ($results->num_rows == 1){
            $row = $results->fetch_assoc();
            $_SESSION['user_id'] = $row['ID'];
            $_SESSION['admin_level'] = $row['AdminLevel'];
            $_SESSION['user_name'] = $row['Username'];
            $easyName = $_SESSION['user_name'];
            $recordsS = "UPDATE `Admins` SET Status='1' WHERE Username='$userName'";
            $resultsS = mysqli_query($connect,$recordsS);
            header("Location: index.php");
        }else{
            die("Sorry... you have entered incorrect login information.");
        }
    }
}

This is the database heading: https://gyazo.com/69380c5cd0df0259d31799b71f33ce47

When I test this on the website and I login with correct information, "Sorry... you have entered incorrect login information." is echoed.

If I login with false information, "There was no password found matching what you have entered." is echoed.

Why can it detect the password, but not properly execute the else statement in the login section?

  • 写回答

2条回答 默认 最新

  • douye9822 2016-07-22 18:25
    关注

    Your $records query is failing because you are selecting Password='$hash'" where $hash is either true, or false. The query should have this condition: Password='$dbPass'"

    Just as a gut check: The important thing to note is the password field in the database should be huge. The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.

    One more thing: Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 #MATLAB仿真#车辆换道路径规划
  • ¥15 java 操作 elasticsearch 8.1 实现 索引的重建
  • ¥15 数据可视化Python
  • ¥15 要给毕业设计添加扫码登录的功能!!有偿
  • ¥15 kafka 分区副本增加会导致消息丢失或者不可用吗?
  • ¥15 微信公众号自制会员卡没有收款渠道啊
  • ¥15 stable diffusion
  • ¥100 Jenkins自动化部署—悬赏100元
  • ¥15 关于#python#的问题:求帮写python代码
  • ¥20 MATLAB画图图形出现上下震荡的线条