2016-09-30 09:15
浏览 57


I didn't take asking this question lightly as I've seriously gone over 50 links throughout the entire night trying to get password_verify() to work.

1- The Hash Is 100% Correct.
2- The Plain Text Verison Is 100% Correct.
3- The Hash Length Is In Fact 60.
4- Tried Password_Default And Password_Bcrypt
5- It Does Successfully Pull The Password Out Of The Database.


if(password_verify($answer,$secAnswer)){ } IS ALWAYS false.

Here is my Code.

  function anti_injection_login($sql, $formUse = true){
$sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|,|'|#|\*|--|\\\\)/i","",$sql);
$sql = trim($sql);
$sql = strip_tags($sql);
if(!$formUse || !get_magic_quotes_gpc())
  $sql = addslashes($sql);
return $sql;

  $email = anti_injection_login($_POST['email']);
  $answer = anti_injection_login($_POST['answer']);
  $queryAccount = mysqli_query($conn, "SELECT * FROM Accounts where email= '$email'");
  $count = mysqli_num_rows($queryAccount);
  if($count == 1){
     $rows = mysqli_fetch_array($queryAccount);
     $secAnswer = $rows['secretkey'];

         echo "Successful";
         echo "Try Again";

the anti_injection_login is just to stop people from injecting it. This is NOT the problem.
As no matter where I put an Echo with the $secAnswer and $answer it is always correct exactly as I would expect it to be.

Is there something I am missing guys? I am seriously stumped on this now.

(Yes this is the entire script). So I'm not leaving anything out. But as mentioned, it is successfully pulling the hash, (and is correct) according to the database version it's identical.

And the word I used for the hash is Identical (Tried both Upper case and Lowercase).

图片转代码服务由CSDN问答提供 功能建议

我没有轻轻地问这个问题因为我整个晚上都认真地超过了50个链接 让密码_verify()工作。

2-纯文本Verison 100%正确。
3-哈希 实际长度是60.

但是 p>

  if(password_verify($ answer,$ secAnswer)){}始终为false。

这是我的代码 。

  function anti_injection_login($ sql,$ formUse = true){
 $ sql = preg_replace(“/(from | select | insert | delete | where | drop table |  show tables |,|'|#| \ * |  -  | \\\\)/ i“,”“,$ sql); 
 $ sql = trim($ sql); 
 $ sql = strip_tags($  sql); 
if(!$ formUse ||!get_magic_quotes_gpc())
 $ sql = addslashes($ sql); 
return $ sql; 
 $ email = anti_injection_login($ _ POST ['  email']); 
 $ answer = anti_injection_login($ _ POST ['answer']  ); 
 $ queryAccount = mysqli_query($ conn,“SELECT * FROM Accounts where email ='$ email'”); 
 $ count = mysqli_num_rows($ queryAccount); 
 if($ count == 1){\  n $ rows = mysqli_fetch_array($ queryAccount); 
 $ secAnswer = $ rows ['secretkey']; 
 if(password_verify($ answer,$ secAnswer)){
} else  {

anti_injection_login只是为了阻止人们注入它。 这不是问题所在。
无论我在哪里放置一个带有 $ secAnswer和$ answer的Echo,它总是正如我预期的那样正确。

我有什么遗漏的东西吗? 伙计们? 我现在非常难过。

(是的,这是整个剧本)。 所以我不会遗漏任何东西。 但如上所述,它成功地根据数据库版本提取哈希值(并且是正确的)它是相同的。

我使用的单词 对于散列是相同的(尝试大写和小写)。

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • drcmue4619 2016-09-30 09:28

    The PHP Manual gives a very clear example:

    // See the password_hash() example to see where this came from.
    $hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
    if (password_verify('rasmuslerdorf', $hash)) {
        echo 'Password is valid!';
    } else {
        echo 'Invalid password.';

    First of all, your password hash needs to be created by the password_hash() function when the user registers.

    At login, you then pass the password from the form into password_verify() along with the stored hash from the database.

    However, your code passes the form data through anti_injection_login() which is doing who-knows-what with any given input. You shouldn't need to sanitize the password if you're passing it straight into password_verify(). I highly recommend you use prepared statements to retrieve the hash from the database, and pass $_POST['answer'] straight into password_verify().

    解决 无用
    打赏 举报

相关推荐 更多相似问题