douhao2721 2017-01-24 14:33
浏览 43
已采纳

password_verify()未验证

I am trying to verify the hashed password in my database using the password_verify() function but it doesn't seem to be working. Any help please.

<?php
include("config.php");
include("vendor/password.php");

session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $username = mysqli_real_escape_string($db , $_POST['umail']);
  $password = mysqli_real_escape_string($db , $_POST['upassword']);

  $userQuery = "SELECT username, password FROM users WHERE username = '$username' AND password='$password'";
  $result    = mysqli_query($db ,$userQuery);
  $queryRow  = mysqli_fetch_array($result , MYSQLI_ASSOC);
  $queryCount = mysqli_num_rows($result);


  $verifyPassowrd = password_verify($_POST['upassword'] , $queryRow[2]);

  if ($verifyPassowrd){
    header("Location:home.php"); 
  }else{
    echo  "Username Or Password is invalid";
  }
  mysqli_close($db);
}
 ?>
  • 写回答

1条回答 默认 最新

  • dourong4031 2017-01-24 14:44
    关注

    Your password is hashed in your database.
    In your query you include a non-hashed password, so the results of the query will be an empty set.

    No need to have the password in the WHERE clause of your query, because you want to check the returned hash in the password_verify function.

    Updated snippet (I also fixed the typo's):

    <?php
include("config.php");
include("vendor/password.php");

session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $username = mysqli_real_escape_string($db , $_POST['umail']);

  $userQuery = "SELECT username, password FROM users WHERE username = '$username'";
  $result    = mysqli_query($db, $userQuery);
  $queryRow  = mysqli_fetch_array($result, MYSQLI_ASSOC);
  $queryCount = mysqli_num_rows($result);


  $verifyPassword = password_verify($_POST['upassword'], $queryRow['password']);

  if ($verifyPassword){
    header("Location:home.php"); 
  }else{
    echo  "Username Or Password is invalid";
  }
  mysqli_close($db);
}
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?