douchen4534 2017-04-28 12:24
浏览 130
已采纳

password_verify不返回true / false

I have a problem with trying to login using the saved hash from my database, I save my password the following way, which works fine:

adduser($conn, '3', $username, $password);

This calls the following function: 

  function adduser ($conn, $level, $username, $password)
  {
  $password = mysqli_real_escape_string($conn, $password);
  $password = mysqli_real_escape_string($conn, $username);
  $password = password_hash($password, PASSWORD_BCRYPT);
  $user = "INSERT INTO users (level, username, password)
  VALUES ('$level', '$username', '$password')";
  mysqli_query($conn, $user) or die (mysqli_error($conn));
  }

My password field is a CHAR(60) so the stored password hash should be the right size.

When I try to login I call this function:

if (login($conn, $username, $password) === true){

}

Which exists here:

  function login ($conn, $username, $password)
  {
$password = mysqli_real_escape_string($conn, $password);
$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$hash = $row["password"];
$verify = password_verify($password, $hash);
if ($verify)
  {
    return true;
  }
  else
  {
    return false;
  }
  }

My issue is that it never returns true or false, which makes it impossible for me to login...

Extra: It succesfully post to database

I also tried running this, which succesfully posted the data from my database

$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
echo $row["password"];

Update

Doing this: 

echo '<br/>';
echo $hash;
echo '<br/>';
echo $password;

Gives me the following output:

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
hej

Which matches the password in my database

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
  • 写回答

1条回答 默认 最新

  • doubi1797 2017-04-28 13:07
    关注

    After testing your entire code, I have come to the following conclusion.

    The problem here is that you are escaping the password while inserting it into your database, which is something I did raise in comments from the beginning.

    "side note: you shouldn't escape a password/hash function, passwords such as 123'\abc< are perfectly valid and will be modified on insertion."

    $password = mysqli_real_escape_string($conn, $username);

    Side note for ^ - Consult Edit #2 below, near "However...":

    Simply don't use it, just keep/use the assignment normally.

    Both password_hash() and password_verify() do their job, so there's no need to escape passwords.

    You will need to remove it from the code that you used to insert it into the database with, and start over again with a new set of hashes.

    That escaping function is most likely adding a character during insertion.

    Side note: Just for the record, my password column is VARCHAR, yet that shoulnd't be a difference from your CHAR (Edit: consult footnote). If it is then ALTER your column to be VARCHAR.

    The manual on password_hash() though, suggests using 255 for a length, being a good bet.

    Edit footnote:

    As per a comment I posted beneath my answer.

    It looks to have a difference. This Q&A What's the difference between VARCHAR and CHAR? shows it, as per the accepted answer

    VARCHAR is variable-length.

    CHAR is fixed length.

    Edit #2:

    After further testing to see if it made a difference by ALTER'ing the password column from VARCHAR(255) to CHAR(60) made a difference; it did not.

    Tests performed:

    • Inserted a new hash without the escaping function and verifying: TRUE.
    • Inserted a new hash with the escaping function and verifying: FALSE.

    Therefore and as I stated originally; the fault lies with the use of mysqli_real_escape_string().

    However and going over your code again, this line:

    $password = mysqli_real_escape_string($conn, $username);

    You were using the $username variable here which also accounts for the wrong value being inserted in the database. All of these put together were the problems from the get go.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化
  • ¥15 Mirare PLUS 进行密钥认证?(详解)
  • ¥15 物体双站RCS和其组成阵列后的双站RCS关系验证
  • ¥20 想用ollama做一个自己的AI数据库
  • ¥15 关于qualoth编辑及缝合服装领子的问题解决方案探寻
  • ¥15 请问怎么才能复现这样的图呀