douhuan1905
2014-06-25 18:06
浏览 56
已采纳

密码哈希返回false

So I have a simple login script, but when I started encrypting passwords and using password_verify I seem to get the same result all the time, false. Here's my login script

<?php

session_start();

$host = "localhost";
$user = "root";
$pass = "root";
$dbname = "users";

try{
        $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);    
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
    echo $e->getMessage();
}
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');


 $st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass");
 $st->bindValue(':email', $email, PDO::PARAM_STR);
$st->bindValue(':pass', $pass, PDO::PARAM_STR);
$st->execute();

$rows = $st->fetch(PDO::FETCH_NUM);

if($email === ''){
$_SESSION['message1'] = 'Enter a valid email';
header('Location: index.php');
exit();
}
elseif($pass === ''){
$_SESSION['message1'] = 'Enter a valid password';
header('Location: index.php');
exit();
}
elseif($rows > 0){
    $_SESSION['loggedin'] = true;
$hash = $con->prepare("SELECT password FROM users WHERE email = :email");
$hash->bindValue(':email', $email);
$hash->execute();

}
elseif(password_verify($pass, $hash)){
    $name = $con->prepare("SELECT name FROM users WHERE email = :email");
    $name->bindValue(':email', $email, PDO::PARAM_STR);
    $name->execute();
    $rows = $name->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
         $_SESSION['name'] = $row['name'];
    }
    header('Location: profile.php');
     }
else{
    $_SESSION['message1'] = 'Make sure email and password are correct';
    header('Location: index.php');
    exit();
}
 ?>

Also here's how I'm encrypting

    $passh = password_hash($pass, PASSWORD_DEFAULT)."
";
    $db = $con->prepare("INSERT INTO users (name, email, password) VALUES (:name, :email, :passh)");
    $db->bindValue(':name', $name, PDO::PARAM_STR);
    $db->bindValue(':email', $email, PDO::PARAM_STR);
    $db->bindValue(':passh', $passh, PDO::PARAM_STR);
    $db->execute();
    $_SESSION['name'] = $name;
    $_SESSION['email'] = $email;
    $_SESSION['loggedin'] = true;
    header('Location: profile.php');
    exit();

Error reporting is enabled, but for some reason its still not working and simply displays Make sure email and password are correct, which come from the next else statement. Any ideas? I'm fairly new. Also any security tips would be great. Thanks in advance.

UPDATED CODE

    <?php

session_start();

$host = "localhost";
$user = "root";
$passw = "root";
$dbname = "users";

try{
    $con = new PDO("mysql:host=$host;dbname=$dbname", $user, $passw);   
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
    echo $e->getMessage();
}
$email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
$pass = htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8');



$hash = $con->prepare("SELECT password FROM users WHERE email = :email");
$hash->bindValue(':email', $email);
$hash->execute();
$rows1 = $hash->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows1 as $row1) {
     $_SESSION['hash'] = $row1['hash'];
     }



$st = $con->prepare("SELECT * FROM users WHERE email = :email AND password = :pass");
$st->bindValue(':email', $email, PDO::PARAM_STR);
$st->bindValue(':pass', $pass, PDO::PARAM_STR);
$st->execute();

$rows = $st->fetch(PDO::FETCH_NUM);

if($email === ''){
    $_SESSION['message1'] = 'Enter a valid email';
    header('Location: index.php');
    exit();
}
elseif($pass === ''){
    $_SESSION['message1'] = 'Enter a valid password';
    header('Location: index.php');
    exit();
}
elseif($rows > 0 || password_verify($pass, $hash) ){
    $_SESSION['loggedin'] = true;
    $name = $con->prepare("SELECT name FROM users WHERE email = :email");
    $name->bindValue(':email', $email, PDO::PARAM_STR);
    $name->execute();
    $rows = $name->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
         $_SESSION['name'] = $row['name'];
    }
    header('Location: profile.php');
    }
else{
    $_SESSION['message1'] = 'Make sure email and password are correct';
    header('Location: index.php');
    exit();
}
?>
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongzhao5970 2014-06-25 19:13
    已采纳

    Look at your query one more time:

    SELECT password FROM users WHERE email = :email
    

    You are selecting the column password,

    when you fetch the row you are using the field hash

    $_SESSION['hash'] = $row1['hash'];
    

    Unlike you think, your script is not simple at all, you are performing 3 queries on the same record, try this approach

    $email = $_POST['email'];
    $pass = $_POST['password'];
    
    if($email === ''){
        $_SESSION['message1'] = 'Enter a valid email';
        header('Location: index.php');
        exit();
    }
    
    if($pass === ''){
        $_SESSION['message1'] = 'Enter a valid password';
        header('Location: index.php');
        exit();
    }
    
    $query = 'SELECT name, email, password 
              FROM users 
              WHERE email = :email LIMIT 1';
    
    
    $stmt = $con->prepare($query);
    $stmt->bindValue(':email', $email);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    
    if(!$row){
        $_SESSION['message1'] = 'User does not exist';
        header('Location: index.php');
        exit();
    }
    
    //hashed password from Database
    $hash = $row['password'];
    
    if(password_verify($pass, $hash)){
        $_SESSION['hash'] = $row['password'];
        $_SESSION['name'] = $row['name'];
        $_SESSION['email'] = $row['email'];
        header('Location: profile.php');
    }else{
        $_SESSION['message1'] = 'Make sure email and password are correct';
        header('Location: index.php');
        exit();
    }
    
    打赏 评论

相关推荐 更多相似问题