dsxon40042 2018-01-29 04:36
浏览 99
已采纳

登录时如何检查Password_Verify哈希?

I have it where when a user creates a new account it will hash their password and store the hashed password into my database. I was using MD5 for just coding and working, but I'm wanting to hash passwords now. The registration is hashed but I have looked around on different sites but haven't found a way to hash my logins.

Heres my Registration: 

// REGISTER USER
function register(){
    global $db, $errors;

    // receive all input values from the form
    $username    =  e($_POST['username']);
    $email       =  e($_POST['email']);
    $password_1  =  e($_POST['password_1']);
    $password_2  =  e($_POST['password_2']);
    $ipaddress =   $_SERVER['REMOTE_ADDR'];

    // form validation: ensure that the form is correctly filled
    if (empty($username)) { 
        array_push($errors, "Username is required"); 
    }
    if (empty($email)) { 
        array_push($errors, "Email is required"); 
    }
    if (empty($password_1)) { 
        array_push($errors, "Password is required"); 
    }
    if ($password_1 != $password_2) {
        array_push($errors, "The two passwords do not match");
    }

    // register user if there are no errors in the form
    if (count($errors) == 0) {
        //$password = md5($password_1);//encrypt the password before saving in the database
            $hashPassword = password_hash($password1,PASSWORD_BCRYPT);

        if (isset($_POST['user_type'])) {
            $user_type = e($_POST['user_type']);
            $query = "INSERT INTO users (username, email, user_type, password, registered_ipaddress) 
                      VALUES('$username', '$email', '$user_type', '$hashPassword', '$ipaddress')";
            mysqli_query($db, $query);
            $_SESSION['success']  = "New user successfully created!!";
            header('location: index.php');
        }else{
            $query = "INSERT INTO users (username, email, user_type, password, registered_ipaddress) 
                      VALUES('$username', '$email', 'user', '$hashPassword','$ipaddress')";
            mysqli_query($db, $query);

            // get id of the created user
            $logged_in_user_id = mysqli_insert_id($db);

            $_SESSION['user'] = getUserById($logged_in_user_id); // put logged in user in session
            $_SESSION['success']  = "You are now logged in";
            header('location: index.php');              
        }

    }

}

Heres the Login: 

// LOGIN USER
    function login(){
        global $db, $username, $errors;

        // grap form values
        $username = e($_POST['username']);
        $password = e($_POST['password']);

        // make sure form is filled properly
        if (empty($username)) {
            array_push($errors, "Username is required");
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
        }
        // attempt login if no errors on form
        if (count($errors) == 0) {
            $password = ($password);


            $query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
            $results = mysqli_query($db, $query);

            if (mysqli_num_rows($results) == 1) { // user found
                // check if user is admin or user
                $logged_in_user = mysqli_fetch_assoc($results);
                if ($logged_in_user['user_type'] == 'admin') {

                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "You are now logged in";
                    header('location: admin/index.php');          
                }else{
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "You are now logged in";

                    header('location: index.php');
                }
            }else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }

This is What I've Tried when trying to see if the password is correct, but it still doesn't log me in: 

// attempt login if no errors on form
        if (count($errors) == 0) {
            $password = ($password);


        $passwordunlocked = (password_verify($password, $hashPassword));

            $query = "SELECT * FROM users WHERE username='$username' AND password='$passwordunlocked' LIMIT 1";
            $results = mysqli_query($db, $query);

            if (mysqli_num_rows($results) == 1) { // user found
                // check if user is admin or user

Any Ideas on How I can verify the hash of the password that is stored in my database? Thank You In Advance!

  • 写回答

3条回答 默认 最新

  • douhua1760 2018-01-29 07:43
    关注

    Your code is vulnerable to SQL-Injection

    Please use Prepared Statements instead of inserting your variables directly into your database queries.

    Your login query is faulty. You can't select the user from database with the password he entered, because you saved the hash in the database, not the plaintext-password. So the query will never return any result.

    Try this instead in your login:

    $query = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$results = mysqli_query($db, $query);

if (mysqli_num_rows($results) == 1) { // user found
$logged_in_user = mysqli_fetch_assoc($results);

  // check if entered password matches hash from database
  if(password_verify($password, $logged_in_user['password'])) {

    // check if user is admin or user         
    if ($logged_in_user['user_type'] == 'admin') {

    Also, your third part of code ($passwordunlocked) won't work, because password_verify() returns a boolean (true/false), not any comparable hash.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?