PHP password_verify对数据库不起作用 [英] PHP password_verify not working against database

问题描述

我试图为我提供一个更加安全的页面，我从页面的密码加密部分开始.我正在尝试实现password_hash +密码验证，但是到目前为止，我仍然无法使整个过程正常进行.所以，这是在我的登录区域:

$username = mysqli_real_escape_string($connection, $_POST['username']);

$password = mysqli_real_escape_string($connection, $_POST['password']);

$query = "SELECT username, password FROM `users` WHERE username='$username' and user_enabled='1'";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
if($row = mysqli_fetch_assoc($result)) { $dbpassword = $row['password']; }

if(password_verify($password, $dbpassword)) {
    echo "Successful login";
}else{
    echo "Invalid Login Credentials.";
}

我总是收到无效的登录凭据.

当我修改用户的新密码时，我正在执行以下操作:

$pass = mysqli_real_escape_string($connection, $_POST['password']);
$options = [ 'cost' => 10,
             'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
           ];
$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";

$query = "UPDATE users 
          SET `password` = '".$password."'
          WHERE id = ".$_POST['user_id']."
          ";

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));

数据库中的

密码是VARCHAR(255)，它存储的内容如下:

$2y$10$Y5HIyAsLMfkXIFSJONPsfO3Gxx3b46H.8/WFdLVH3Fqk2XNfy2Uaq

我在做什么错了?

解决方案

下一行中的\n嵌入了一个换行符(用户输入的密码中不能包含的换行符).

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";

，您需要将其删除并以新的哈希值重新开始.

Jay Blanchard ，这是Stack

人们使用连接的换行符存储哈希，因此password_verify()将失败.

另一种选择是使用 trim() ； (在散列时)也可以.

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";
$password = trim($password);
// Store in db after

但是，您仍然需要清除旧的哈希并创建新的哈希来重新开始.

但是请记住，不要逃避密码.

诸如123'\abc(完全有效)之类的内容将由123\'\abc ="nofollow noreferrer"> real_escape_string() ;不需要 password_verify() 会在安全方面负责这一点.

I'm trying to me a page more secure and I started with the password encrypting part of it. I'm trying to implement password_hash + password verify, but so far I've been unsuccessful to make the whole thing work. So, here it is in my login area:

$username = mysqli_real_escape_string($connection, $_POST['username']);

$password = mysqli_real_escape_string($connection, $_POST['password']);

$query = "SELECT username, password FROM `users` WHERE username='$username' and user_enabled='1'";
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
if($row = mysqli_fetch_assoc($result)) { $dbpassword = $row['password']; }

if(password_verify($password, $dbpassword)) {
    echo "Successful login";
}else{
    echo "Invalid Login Credentials.";
}

I always get Invalid Login Credentials.

When I modify the new password for the user, I am doing the following:

$pass = mysqli_real_escape_string($connection, $_POST['password']);
$options = [ 'cost' => 10,
             'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
           ];
$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";

$query = "UPDATE users 
          SET `password` = '".$password."'
          WHERE id = ".$_POST['user_id']."
          ";

$result = mysqli_query($connection, $query) or die(mysqli_error($connection));

password in database is VARCHAR(255), and it is storing something like:

$2y$10$Y5HIyAsLMfkXIFSJONPsfO3Gxx3b46H.8/WFdLVH3Fqk2XNfy2Uaq

What am I doing wrong here?

解决方案

The \n in the following line, is embedding a linebreak, (Edit: one that cannot be included in the user inputted password).

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";

and you need to delete it and start over with a new hash.

Jay Blanchard, a member here on Stack submitted a note about it not too long also in the password_hash() manual, which is something that he and I actually talked about.

Be care when using the example from the documentation which concatenates a newline character \n to the end of the hash, i.e.:

echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";

People are storing the hash with the concatenated newline and consequently password_verify() will fail.

Another option would be to use trim(); that also works (at the moment of hashing).

$password = password_hash($pass,  PASSWORD_BCRYPT, $options)."\n";
$password = trim($password);
// Store in db after

Yet you still need to start over by clearing the old hash(es) and creating new ones.

Do keep in mind though, that you shouldn't escape passwords.

One such as 123'\abc (being perfectly valid) will be modified to 123\'\abc by real_escape_string(); it's not needed. password_verify() takes care of that, security-wise.

这篇关于PHP password_verify对数据库不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！