douchen4534 2017-04-28 12:24
浏览 130
已采纳

password_verify不返回true / false

I have a problem with trying to login using the saved hash from my database, I save my password the following way, which works fine:

adduser($conn, '3', $username, $password);

This calls the following function: 

  function adduser ($conn, $level, $username, $password)
  {
  $password = mysqli_real_escape_string($conn, $password);
  $password = mysqli_real_escape_string($conn, $username);
  $password = password_hash($password, PASSWORD_BCRYPT);
  $user = "INSERT INTO users (level, username, password)
  VALUES ('$level', '$username', '$password')";
  mysqli_query($conn, $user) or die (mysqli_error($conn));
  }

My password field is a CHAR(60) so the stored password hash should be the right size.

When I try to login I call this function:

if (login($conn, $username, $password) === true){

}

Which exists here:

  function login ($conn, $username, $password)
  {
$password = mysqli_real_escape_string($conn, $password);
$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$hash = $row["password"];
$verify = password_verify($password, $hash);
if ($verify)
  {
    return true;
  }
  else
  {
    return false;
  }
  }

My issue is that it never returns true or false, which makes it impossible for me to login...

Extra: It succesfully post to database

I also tried running this, which succesfully posted the data from my database

$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
echo $row["password"];

Update

Doing this: 

echo '<br/>';
echo $hash;
echo '<br/>';
echo $password;

Gives me the following output:

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
hej

Which matches the password in my database

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
  • 写回答

1条回答 默认 最新

  • doubi1797 2017-04-28 13:07
    关注

    After testing your entire code, I have come to the following conclusion.

    The problem here is that you are escaping the password while inserting it into your database, which is something I did raise in comments from the beginning.

    "side note: you shouldn't escape a password/hash function, passwords such as 123'\abc< are perfectly valid and will be modified on insertion."

    $password = mysqli_real_escape_string($conn, $username);

    Side note for ^ - Consult Edit #2 below, near "However...":

    Simply don't use it, just keep/use the assignment normally.

    Both password_hash() and password_verify() do their job, so there's no need to escape passwords.

    You will need to remove it from the code that you used to insert it into the database with, and start over again with a new set of hashes.

    That escaping function is most likely adding a character during insertion.

    Side note: Just for the record, my password column is VARCHAR, yet that shoulnd't be a difference from your CHAR (Edit: consult footnote). If it is then ALTER your column to be VARCHAR.

    The manual on password_hash() though, suggests using 255 for a length, being a good bet.

    Edit footnote:

    As per a comment I posted beneath my answer.

    It looks to have a difference. This Q&A What's the difference between VARCHAR and CHAR? shows it, as per the accepted answer

    VARCHAR is variable-length.

    CHAR is fixed length.

    Edit #2:

    After further testing to see if it made a difference by ALTER'ing the password column from VARCHAR(255) to CHAR(60) made a difference; it did not.

    Tests performed:

    • Inserted a new hash without the escaping function and verifying: TRUE.
    • Inserted a new hash with the escaping function and verifying: FALSE.

    Therefore and as I stated originally; the fault lies with the use of mysqli_real_escape_string().

    However and going over your code again, this line:

    $password = mysqli_real_escape_string($conn, $username);

    You were using the $username variable here which also accounts for the wrong value being inserted in the database. All of these put together were the problems from the get go.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 #MATLAB仿真#车辆换道路径规划
  • ¥15 java 操作 elasticsearch 8.1 实现 索引的重建
  • ¥15 数据可视化Python
  • ¥15 要给毕业设计添加扫码登录的功能!!有偿
  • ¥15 kafka 分区副本增加会导致消息丢失或者不可用吗?
  • ¥15 微信公众号自制会员卡没有收款渠道啊
  • ¥100 Jenkins自动化部署—悬赏100元
  • ¥15 关于#python#的问题:求帮写python代码
  • ¥20 MATLAB画图图形出现上下震荡的线条
  • ¥15 关于#windows#的问题:怎么用WIN 11系统的电脑 克隆WIN NT3.51-4.0系统的硬盘