dongwei8440 2015-07-24 09:01 Acceptance rate: 100%

Unable to implement password_verify

I'm in the process of implementing password_verify as part of a login page.

I've started with plaintext to test everything works, which it did, and then have gone through to hash passwords on registration page with password_hash and then add password_verify on the login page.

Passwords are being successfully hashed, which I've checked through PHPMyAdmin, but I can't get my code to work on the registration page to check them.

Below is the code on the login page relating to pulling the row and testing it:

if (empty($error)) // if the array is empty, it means no error was found
{
    $query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";

    $result_check_credentials = mysqli_query($dbc, $query_check_credentials);
    if (!$result_check_credentials) { // if the query failed
        echo 'Query Failed ';
    }

    if (@mysqli_num_rows($result_check_credentials) == 1) // if the query is successful
    { // A match was made.

        $row = mysqli_fetch_row($query_check_credentials);
        $password = $row[3];

        $verify = password_verify($_POST['Password', $password]);
        if ($verify) {

            $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC); // Assign the result of this query to the SESSION global variable

            header("Location: page.php");
        }

    } else
    {
        $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
    }

Column number 4 is the password in the DB and so in the array, password should be value 3 in the array.

I've spent time looking at examples of it being used but having no luck, any help appreciated!

Full PHP code

<?php

include ('database_connection.php');
if (isset($_POST['formsubmitted'])) {
    // Initialize a session:
    session_start();
    $error = array(); // this array will store all error messages

    if (empty($_POST['e-mail'])) { // if the email supplied is empty
        $error[] = 'You forgot to enter  your Email ';
    } else {
        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
            $Email = $_POST['e-mail'];
        } else {
            $error[] = 'Your EMail Address is invalid  ';
        }
    }

    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    if (empty($error)) // if the array is empty, it means no error was found
    {
        $query_check_credentials = "SELECT * FROM members WHERE (Email='$Email') AND Activation IS NULL";

        $result_check_credentials = mysqli_query($dbc, $query_check_credentials);
        if (!$result_check_credentials) { // if the query failed
            echo 'Query Failed ';
        }

        if (@mysqli_num_rows($result_check_credentials) == 1) // if the query is successful
        { // A match was made.

            $row = mysqli_fetch_row($query_check_credentials);
            $password = $row[3];

            $verify = password_verify($_POST['Password', $password]);
            if ($verify) {

                $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC); // Assign the result of this query to the SESSION global variable

                header("Location: page.php");
            }

        } else
        {
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }

    } else {

        echo '<div class="errormsgbox"> <ol>';
        foreach ($error as $key => $values) {
            echo '  <li>'.$values.'</li>';
        }
        echo '</ol></div>';

    }

    if (isset($msg_error)) {
        echo '<div class="warning">'.$msg_error.' </div>';
    }
    /// var_dump($error);
    mysqli_close($dbc);

} // End of the main Submit conditional.

?>

2 answers

  • doucang8303 2015-07-24 09:35

    I assume when you say "Row number 4 is the password in the DB" you are in fact referring to a column rather than a row? Why also can you not refer to the actual fieldname in the results rather than a column index? That said, my guess is that the POSTed data has been urlencoded and possibly contains spurious blank spaces so I suggest trimming and url decoding POSTed data prior to the verification test. Try echoing the values to see what data you are actually getting.

    <?php
    include ('database_connection.php');
    if (isset($_POST['formsubmitted'])) {
    
        session_start();
        $error = array();
    
    
        if (empty($_POST['e-mail'])) {
            $error[] = 'You forgot to enter  your Email ';
        } else {
            if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['e-mail'])) {
                $Email = $_POST['e-mail'];
            } else {
                 $error[] = 'Your EMail Address is invalid  ';
            }
        }
    
    
        if (empty($_POST['Password'])) {
            $error[] = 'Please Enter Your Password ';
        } else {
            $Password = $_POST['Password'];
        }
    
    
        if ( empty( $error ) ){ 
            $query_check_credentials = "SELECT * FROM `members` WHERE `Email`='$Email' AND `Activation` IS NULL";
    
    
    
            $result_check_credentials = mysqli_query( $dbc, $query_check_credentials );
            if( !$result_check_credentials ){
                echo 'Query Failed ';
            }
    
            if (@mysqli_num_rows($result_check_credentials) == 1){
    
                /* fetch from the result set, not from the SQL string */
                $row = mysqli_fetch_row( $result_check_credentials );
    
                /* is $row[3] definitely fetching the correct value from the db? */
                $password = trim( $row[3] );
    
                /* What does password_verify actually do? I guess it's a simple test using === ? */
                $verify = password_verify( trim( urldecode( $_POST['Password'] ) ), $password );
    
                /*
                    $verify = trim( urldecode( $_POST['Password'] ) ) === $password ? true : false;
                */
                echo 'Do they match?<br />' . trim( urldecode( $_POST['Password'] ) ) . '<br />' . $password;
    
                if ( $verify ) {
    
                    /* the only row was already read above, so rewind before fetching it again */
                    mysqli_data_seek( $result_check_credentials, 0 );
    
                    /* ? perhaps a session variable name here ? $_SESSION['dbresults'] */
                    $_SESSION = mysqli_fetch_array( $result_check_credentials, MYSQLI_ASSOC );
    
                    header("Location: page.php");
                }
            }else { 
                $msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
            }
    
        }  else {
    
    
    
        echo '<div class="errormsgbox"> <ol>';
            foreach ($error as $key => $values) {
                echo '<li>'.$values.'</li>';
            }
            echo '</ol></div>';
    
        }
    
    
        if(isset($msg_error)){
            echo '<div class="warning">'.$msg_error.' </div>';
        }
        /// var_dump($error);
        mysqli_close($dbc);
    
    } // End of the main Submit conditional.
    
    
    
    ?>
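
The login check this thread is about, as an added example that is not part of the original question or answer: the row is read from the query result by column name, and `password_verify` receives two arguments, the submitted password unchanged and the stored hash. Assumptions: PDO with an in-memory SQLite database stands in for the page's mysqli connection so the script runs offline, and the `Id` and `Password` column names and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite stands in for
// the MySQL connection; the Id and Password column names are assumptions.
declare(strict_types=1);

function find_member(PDO $db, string $email): ?array
{
    // Bound parameter instead of interpolating $Email into the SQL string.
    $stmt = $db->prepare(
        'SELECT Id, Password FROM members WHERE Email = :email AND Activation IS NULL'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // read from the statement, keyed by column name
    return $row === false ? null : $row;
}

function check_login(PDO $db, string $email, string $submitted): ?int
{
    $row = find_member($db, $email);
    // Two separate arguments: the password exactly as submitted, then the stored hash.
    if ($row === null || !password_verify($submitted, $row['Password'])) {
        return null; // same outcome for unknown account and wrong password
    }
    if (password_needs_rehash($row['Password'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE members SET Password = :h WHERE Id = :id')
           ->execute([':h' => password_hash($submitted, PASSWORD_DEFAULT), ':id' => $row['Id']]);
    }
    return (int) $row['Id']; // the caller keeps only this id in $_SESSION
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (Id INTEGER PRIMARY KEY, Email TEXT, Activation TEXT, Password VARCHAR(255))');
$plain = ' p%41ss+word '; // spaces, % and + are legitimate password characters
$db->prepare('INSERT INTO members (Email, Activation, Password) VALUES (?, NULL, ?)')
   ->execute(['user@example.com', password_hash($plain, PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'user@example.com', $plain));                  // unchanged input
var_dump(check_login($db, 'user@example.com', trim(urldecode($plain)))); // input altered first
var_dump(check_login($db, 'nobody@example.com', $plain));                // unknown account

// A hash cut short by a narrow column cannot verify; bcrypt output is 60 characters.
$hash = password_hash($plain, PASSWORD_DEFAULT);
var_dump(password_verify($plain, substr($hash, 0, 50)));
```

On the login page, a non-null id would be followed by `session_regenerate_id(true)`, `$_SESSION['member_id'] = $id` (a hypothetical key), `header('Location: page.php')` and `exit`, rather than assigning the whole row, hash included, to `$_SESSION`.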
    