doushichi3678 2017-11-21 11:45
浏览 63
已采纳

PHP登录没有错误,但哈希时密码不相等

I encrypt my password when sign up and I want to create login page which checks password. I hash password which is written by user in login page and check if it is equal with password in database?

But when I hash true password in login page, it is not equal with in database. SQL injection or other security problems are not important in this situation. I search too much but I cannot solve this problem. Can anyone help me please.

login.php

 <?php
  include_once "connection.php";
  if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked

      if($_POST['username'] && $_POST['password']) {
        $username  =  $_POST['username'];
        $pa = $_POST['password'];
        $password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)

        $pas = "SELECT pass FROM studenttable WHERE nickname='$username'";


         $result = mysqli_query($con, $pas) or die("Error: ".mysqli_error($con));  // assign the return value of mysqli_query to $res
           echo "mysqli_query successed <br>";
           if($result === FALSE) {
                die(mysql_error()); // TODO: better error handling
            }else{
                if(mysqli_num_rows($result) != 0){

                  while ($row = $result->fetch_assoc()) {
                      $pass = $row['pass'];
                      echo "pass is = $pass <br>";
                  }

                   echo "pass: $pass ----------------- password: $password <br>";
                   if(password_verify($pa , $pass)){
                     echo "login successfully";
                   echo "password: $pa ................. pass: $pass <br>";
                    }
                    else {
                      echo "pa: $pa ------------ pass: $pass<br>";
                      echo "wrong password";
                      //header('Location: logindif.html');
                    }
                }
          }
      }}
?>

Output:

mysqli_query successed pass is = $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc pass: $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc ----------------- password: $2y$10$kgx0EmAFSIOXGMyIsUgOZO8MyRoc4rLzo0PQXOe5lLeAxLO7e3FM. pa: 123456 ------------ pass: $2y$10$PN4l74qTmVJ2j0BOJ5TWAulEX5p3nbkUM9Z9dc wrong password

signup.php

<?php
if (isset($_POST['submit'])) { // <- Code will run only when the submit button is clicked

    // Here the database is included. No need for mysqli_select_db
    $conn = new mysqli('localhost', 'root', '123456', 'inputdatabase');

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    session_start();
    $_SESSION['user'] = 'username';
    $username = $_POST['username'];
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT); // Encrypt the password)

    // Its always good to prepare your sql statements.
    $prep = $conn->prepare("INSERT INTO studenttable (nickname, pass) VALUES (?,?)");

    $stmt = $conn->prepare("SELECT nickname FROM studenttable WHERE nickname=?");
    $stmt->bind_param("s", $username);

     $sameuser= mysqli_real_escape_string($conn, $_POST['username']);
    if (!empty($username))  {
        $result=mysqli_query($con,$stmt);
        $mostrar = $result->num_rows;
         if($mostrar==0){

            $prep->bind_param("ss", $username, $password);

            $send = $prep->execute();

            if ($send === TRUE) {
                echo "New record created successfully";    //<-- You won't get to see this because of the next line.
                header('Location: index.php');
                exit();
            } else {
                echo "Error: " . $conn->error;
                header('Location: signupsqlerror.html');
                exit();
            }
         }else {
            header('Location: signupdif.html');
            exit();
        }
    }
   $prep->close();
    $conn->close();
}
?>
  • 写回答

1条回答 默认 最新

  • duanrongshi1544 2017-11-21 12:08
    关注

    Your database password column is not long enough, and it's truncating the values. From the manual:

    Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

    You need a column that's at least 60 characters long, and ideally 255 for future-proofing.

    Unfotunately, inserting a 60 character string into a 45 character column won't raise any errors, it'll just chop off the last part of the hash.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?