密码哈希返回false

So I have a simple login script, but when I started encrypting passwords and using password_verify I seem to get the same result all the time, false. Here's my login script

<?php

session_start();

$host = "localhost";
$user = "root";
$pass = "root";
$dbname = "users";

try{
        $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);    
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
    echo $e->getMessage();
}
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');


 $st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass");
 $st->bindValue(':email', $email, PDO::PARAM_STR);
$st->bindValue(':pass', $pass, PDO::PARAM_STR);
$st->execute();

$rows = $st->fetch(PDO::FETCH_NUM);

if($email === ''){
$_SESSION['message1'] = 'Enter a valid email';
header('Location: index.php');
exit();
}
elseif($pass === ''){
$_SESSION['message1'] = 'Enter a valid password';
header('Location: index.php');
exit();
}
elseif($rows > 0){
    $_SESSION['loggedin'] = true;
$hash = $con->prepare("SELECT password FROM users WHERE email = :email");
$hash->bindValue(':email', $email);
$hash->execute();

}
elseif(password_verify($pass, $hash)){
    $name = $con->prepare("SELECT name FROM users WHERE email = :email");
    $name->bindValue(':email', $email, PDO::PARAM_STR);
    $name->execute();
    $rows = $name->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
         $_SESSION['name'] = $row['name'];
    }
    header('Location: profile.php');
     }
else{
    $_SESSION['message1'] = 'Make sure email and password are correct';
    header('Location: index.php');
    exit();
}
 ?>

Also here's how I'm encrypting

    $passh = password_hash($pass, PASSWORD_DEFAULT)."
";
    $db = $con->prepare("INSERT INTO users (name, email, password) VALUES (:name, :email, :passh)");
    $db->bindValue(':name', $name, PDO::PARAM_STR);
    $db->bindValue(':email', $email, PDO::PARAM_STR);
    $db->bindValue(':passh', $passh, PDO::PARAM_STR);
    $db->execute();
    $_SESSION['name'] = $name;
    $_SESSION['email'] = $email;
    $_SESSION['loggedin'] = true;
    header('Location: profile.php');
    exit();

Error reporting is enabled, but for some reason its still not working and simply displays Make sure email and password are correct, which come from the next else statement. Any ideas? I'm fairly new. Also any security tips would be great. Thanks in advance.

UPDATED CODE

    <?php

session_start();

$host = "localhost";
$user = "root";
$passw = "root";
$dbname = "users";

try{
    $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $passw);   
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
    echo $e->getMessage();
}
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');



$hash = $con->prepare("SELECT password FROM users WHERE email = :email");
$hash->bindValue(':email', $email);
$hash->execute();
$rows1 = $hash->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows1 as $row1) {
     $_SESSION['hash'] = $row1['hash'];
     }



$st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass");
$st->bindValue(':email', $email, PDO::PARAM_STR);
$st->bindValue(':pass', $pass, PDO::PARAM_STR);
$st->execute();

$rows = $st->fetch(PDO::FETCH_NUM);

if($email === ''){
    $_SESSION['message1'] = 'Enter a valid email';
    header('Location: index.php');
    exit();
}
elseif($pass === ''){
    $_SESSION['message1'] = 'Enter a valid password';
    header('Location: index.php');
    exit();
}
elseif($rows > 0 || password_verify($pass, $hash) ){
    $_SESSION['loggedin'] = true;
    $name = $con->prepare("SELECT name FROM users WHERE email = :email");
    $name->bindValue(':email', $email, PDO::PARAM_STR);
    $name->execute();
    $rows = $name->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
         $_SESSION['name'] = $row['name'];
    }
    header('Location: profile.php');
    }
else{
    $_SESSION['message1'] = 'Make sure email and password are correct';
    header('Location: index.php');
    exit();
}
?>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

dongzhao5970 2014-06-25 19:13

关注

Look at your query one more time:

SELECT password FROM users WHERE email = :email

You are selecting the column password,

when you fetch the row you are using the field hash

$_SESSION['hash'] = $row1['hash'];

Unlike you think, your script is not simple at all, you are performing 3 queries on the same record, try this approach

$email = $_POST['email'];
$pass = $_POST['password'];

if($email === ''){
    $_SESSION['message1'] = 'Enter a valid email';
    header('Location: index.php');
    exit();
}

if($pass === ''){
    $_SESSION['message1'] = 'Enter a valid password';
    header('Location: index.php');
    exit();
}

$query = 'SELECT name, email, password 
          FROM users 
          WHERE email = :email LIMIT 1';


$stmt = $con->prepare($query);
$stmt->bindValue(':email', $email);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!$row){
    $_SESSION['message1'] = 'User does not exist';
    header('Location: index.php');
    exit();
}

//hashed password from Database
$hash = $row['password'];

if(password_verify($pass, $hash)){
    $_SESSION['hash'] = $row['password'];
    $_SESSION['name'] = $row['name'];
    $_SESSION['email'] = $row['email'];
    header('Location: profile.php');
}else{
    $_SESSION['message1'] = 'Make sure email and password are correct';
    header('Location: index.php');
    exit();
}

本回答被题主选为最佳回答 , 对您是否有帮助呢?

报告相同问题？

关注问题

密码哈希返回false mysql php
2014-06-25 18:06

回答 1 已采纳 Look at your query one more time: SELECT password FROM users WHERE email = :email You are selec
测试参数是否为可哈希对象 python 哈希算法
2023-01-29 17:14

回答 2 已采纳那可以使用__hash__特殊方法吗，像这样： def main(obj): return obj.__hash__ is not None 不能用内置函数hash……不知道这个可不可以
Php - 密码哈希 php
2015-10-25 23:58

回答 1 已采纳 It's hard to understand what you're asking, but I bet you want to hash the value of $password befo
大数据常用命令
2022-10-19 18:07

Tonystark_sunshine的博客 大数据常用命令
简单但安全的密码哈希 php
2014-06-25 22:24

回答 4 已采纳 With password_hash() you are on the right track. For PHP versions 5.3.7 - 5.5 you can use the comp
关于哈希算法的一点疑问 git 哈希算法算法
2022-01-08 16:39

回答 2 已采纳一份哈希加密后的数值如果反向解密，结果不止一个。这就是哈希的不可逆。一个简单的数学栗子，y=x^2，给一个x可以确定一个y，但是给定一个y就不能确定唯一的x。
使用bcrypt哈希密码迁移系统 laravel node.js php
2016-08-05 04:20

回答 2 已采纳 Are you asking if the hashed password data (stored on the server, for example) can be used in anot
大数据技术之Hive
2023-03-18 18:18

DK_521的博客第1章Hive基本概念 1.1 Hive 1.1.1 Hive的产生背景在那一年的大数据开源社区，我们有了HDFS来存储海量数据、MapReduce来对海量数据进行分布式并行计算、Yarn来实现资源管理和作业调度。但是面对海量数据和负责的...
密码哈希PHP 7 [关闭] php
2017-02-08 18:11

回答 1 已采纳 You should never encrypt passwords, you should only hash them. Encryption implies that you can dec
使用php生成密码哈希 php
2015-03-10 19:13

回答 1 已采纳 There's a lot of hate in the OP's comments. But it's misdirected - OP is not trying to decode anyt
哈希表的拉链法创建及操作 c++ 哈希算法散列表
2022-12-24 13:03

回答 1 已采纳修改字符集设置，使用多字节就可以了
大数据入门知识总结
2021-05-26 20:42

长不大的大灰狼的博客 大数据入门知识总结 1、大数据处理流程 2、数据仓库数据仓库面向分析，平时的Mysql数据库主要面向业务。数据仓库是一个很大的数据存储集合，出于企业的分析性报告和决策支持目的而创建的，对多样的业务数据进行...
禁用特定用户的密码哈希 php
2015-06-12 11:09

回答 2 已采纳 As has been pointed out serveral times to you in the comments you should never store passwords as
大数据 ETL 处理工具之 Kettle
2023-05-05 16:11

煜9527的博客 大数据 ETL 处理工具之 Kettle
大数据之Hive简介第一部分
2023-03-10 18:01

梦回pq的博客 Hive 通过给用户提供的一系列交互接口，接收到用户的指令(SQL)，使用自己的 Driver，结合元数据(MetaStore)，将这些指令翻译成 MapReduce作业，提交到Hadoop中执行，最后，将执行返回的结果输出到用户交互接口。...
没有解决我的问题, 去提问

悬赏问题

¥15 素材场景中光线烘焙后灯光失效
¥15 请教一下各位，为什么我这个没有实现模拟点击
¥15 执行 virtuoso 命令后，界面没有，cadence 启动不起来
¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
¥20 有关区间dp的问题求解
¥15 多电路系统共用电源的串扰问题
¥15 slam rangenet++配置
¥15 有没有研究水声通信方面的帮我改俩matlab代码
¥15 ubuntu子系统密码忘记
¥15 保护模式-系统加载-段寄存器

码龄粉丝数原力等级 --

密码哈希返回false

1条回答默认最新

码龄粉丝数原力等级 --

悬赏问题

密码哈希返回false

1条回答 默认 最新

悬赏问题

1条回答默认最新