dsxon40042 2018-01-29 04:36
浏览 99
已采纳

登录时如何检查Password_Verify哈希?

I have it where when a user creates a new account it will hash their password and store the hashed password into my database. I was using MD5 for just coding and working, but I'm wanting to hash passwords now. The registration is hashed but I have looked around on different sites but haven't found a way to hash my logins.

Heres my Registration: 

// REGISTER USER
function register(){
    global $db, $errors;

    // receive all input values from the form
    $username    =  e($_POST['username']);
    $email       =  e($_POST['email']);
    $password_1  =  e($_POST['password_1']);
    $password_2  =  e($_POST['password_2']);
    $ipaddress =   $_SERVER['REMOTE_ADDR'];

    // form validation: ensure that the form is correctly filled
    if (empty($username)) { 
        array_push($errors, "Username is required"); 
    }
    if (empty($email)) { 
        array_push($errors, "Email is required"); 
    }
    if (empty($password_1)) { 
        array_push($errors, "Password is required"); 
    }
    if ($password_1 != $password_2) {
        array_push($errors, "The two passwords do not match");
    }

    // register user if there are no errors in the form
    if (count($errors) == 0) {
        //$password = md5($password_1);//encrypt the password before saving in the database
            $hashPassword = password_hash($password1,PASSWORD_BCRYPT);

        if (isset($_POST['user_type'])) {
            $user_type = e($_POST['user_type']);
            $query = "INSERT INTO users (username, email, user_type, password, registered_ipaddress) 
                      VALUES('$username', '$email', '$user_type', '$hashPassword', '$ipaddress')";
            mysqli_query($db, $query);
            $_SESSION['success']  = "New user successfully created!!";
            header('location: index.php');
        }else{
            $query = "INSERT INTO users (username, email, user_type, password, registered_ipaddress) 
                      VALUES('$username', '$email', 'user', '$hashPassword','$ipaddress')";
            mysqli_query($db, $query);

            // get id of the created user
            $logged_in_user_id = mysqli_insert_id($db);

            $_SESSION['user'] = getUserById($logged_in_user_id); // put logged in user in session
            $_SESSION['success']  = "You are now logged in";
            header('location: index.php');              
        }

    }

}

Heres the Login: 

// LOGIN USER
    function login(){
        global $db, $username, $errors;

        // grap form values
        $username = e($_POST['username']);
        $password = e($_POST['password']);

        // make sure form is filled properly
        if (empty($username)) {
            array_push($errors, "Username is required");
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
        }
        // attempt login if no errors on form
        if (count($errors) == 0) {
            $password = ($password);


            $query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
            $results = mysqli_query($db, $query);

            if (mysqli_num_rows($results) == 1) { // user found
                // check if user is admin or user
                $logged_in_user = mysqli_fetch_assoc($results);
                if ($logged_in_user['user_type'] == 'admin') {

                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "You are now logged in";
                    header('location: admin/index.php');          
                }else{
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "You are now logged in";

                    header('location: index.php');
                }
            }else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }

This is What I've Tried when trying to see if the password is correct, but it still doesn't log me in: 

// attempt login if no errors on form
        if (count($errors) == 0) {
            $password = ($password);


        $passwordunlocked = (password_verify($password, $hashPassword));

            $query = "SELECT * FROM users WHERE username='$username' AND password='$passwordunlocked' LIMIT 1";
            $results = mysqli_query($db, $query);

            if (mysqli_num_rows($results) == 1) { // user found
                // check if user is admin or user

Any Ideas on How I can verify the hash of the password that is stored in my database? Thank You In Advance!

  • 写回答

3条回答 默认 最新

  • douhua1760 2018-01-29 07:43
    关注

    Your code is vulnerable to SQL-Injection

    Please use Prepared Statements instead of inserting your variables directly into your database queries.

    Your login query is faulty. You can't select the user from database with the password he entered, because you saved the hash in the database, not the plaintext-password. So the query will never return any result.

    Try this instead in your login:

    $query = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$results = mysqli_query($db, $query);

if (mysqli_num_rows($results) == 1) { // user found
$logged_in_user = mysqli_fetch_assoc($results);

  // check if entered password matches hash from database
  if(password_verify($password, $logged_in_user['password'])) {

    // check if user is admin or user         
    if ($logged_in_user['user_type'] == 'admin') {

    Also, your third part of code ($passwordunlocked) won't work, because password_verify() returns a boolean (true/false), not any comparable hash.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 如何提取csv文件中需要的列,将其整合为一篇完整文档,并进行jieba分词(语言-python)
  • ¥15 MapReduce结果输出到HBase,一直连接不上MySQL
  • ¥15 扩散模型sd.webui使用时报错“Nonetype”
  • ¥15 stm32流水灯+呼吸灯+外部中断按键
  • ¥15 将二维数组,按照假设的规定,如0/1/0 == "4",把对应列位置写成一个字符并打印输出该字符
  • ¥15 NX MCD仿真与博途通讯不了啥情况
  • ¥15 win11家庭中文版安装docker遇到Hyper-V启用失败解决办法整理
  • ¥15 gradio的web端页面格式不对的问题
  • ¥15 求大家看看Nonce如何配置
  • ¥15 Matlab怎么求解含参的二重积分?