password_verify不返回true/false [英] password_verify not returning true/false

问题描述

我尝试使用数据库中保存的哈希值登录时遇到问题，我通过以下方式保存了密码，效果很好:

I have a problem with trying to login using the saved hash from my database, I save my password the following way, which works fine:

adduser($conn, '3', $username, $password);

这将调用以下函数:

  function adduser ($conn, $level, $username, $password)
  {
  $password = mysqli_real_escape_string($conn, $password);
  $password = mysqli_real_escape_string($conn, $username);
  $password = password_hash($password, PASSWORD_BCRYPT);
  $user = "INSERT INTO users (level, username, password)
  VALUES ('$level', '$username', '$password')";
  mysqli_query($conn, $user) or die (mysqli_error($conn));
  }

我的密码字段为CHAR(60)，因此存储的密码哈希应为正确的大小.

My password field is a CHAR(60) so the stored password hash should be the right size.

当我尝试登录时，我会调用此函数:

When I try to login I call this function:

if (login($conn, $username, $password) === true){

}

在这里存在

  function login ($conn, $username, $password)
  {
$password = mysqli_real_escape_string($conn, $password);
$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$hash = $row["password"];
$verify = password_verify($password, $hash);
if ($verify)
  {
    return true;
  }
  else
  {
    return false;
  }
  }

我的问题是，它永远不会返回true或false，这使我无法登录...

My issue is that it never returns true or false, which makes it impossible for me to login...

额外: 成功发布到数据库

Extra: It succesfully post to database

我也尝试运行此程序，它成功地将数据库中的数据发布了

I also tried running this, which succesfully posted the data from my database

$query = "SELECT password FROM `users` WHERE username='$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
echo $row["password"]; 

更新

这样做:

echo '<br/>';
echo $hash;
echo '<br/>';
echo $password;

给我以下输出:

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou
hej

与我数据库中的密码匹配

Which matches the password in my database

$2y$10$OfJhVve4GMZRfjfelb8sNOJ7EN5NAAGOmsN6OS/SC7PZGU5mDNOou

推荐答案

在测试完整个代码之后，我得出以下结论.

After testing your entire code, I have come to the following conclusion.

这里的问题是您在将密码插入数据库时​​转义了密码，这是我从一开始就在评论中提到的.

The problem here is that you are escaping the password while inserting it into your database, which is something I did raise in comments from the beginning.

旁注:您不应转义密码/哈希函数，例如123'\abc<的密码是完全有效的，并且将在插入时被修改."

"side note: you shouldn't escape a password/hash function, passwords such as 123'\abc< are perfectly valid and will be modified on insertion."

$password = mysqli_real_escape_string($conn, $username);

关于^的注释-请在下面的但是..." 附近咨询编辑#2:

Side note for ^ - Consult Edit #2 below, near "However...":

根本不使用它，只需保持/正常使用作业即可.

Simply don't use it, just keep/use the assignment normally.

password_hash()和password_verify()都可以完成工作，因此无需转义密码.

Both password_hash() and password_verify() do their job, so there's no need to escape passwords.

您将需要将其从用来将其插入数据库的代码中删除，然后使用一组新的哈希值重新开始.

You will need to remove it from the code that you used to insert it into the database with, and start over again with a new set of hashes.

转义功能最有可能在插入过程中添加一个字符.

That escaping function is most likely adding a character during insertion.

旁注:仅作记录，我的密码列为VARCHAR，但这与您的CHAR没什么区别(请参阅脚注).如果是，则将您的列更改为VARCHAR.

Side note: Just for the record, my password column is VARCHAR, yet that shoulnd't be a difference from your CHAR ( consult footnote). If it is then ALTER your column to be VARCHAR.

但是password_hash()的手册建议使用255作为长度，这是一个不错的选择.

The manual on password_hash() though, suggests using 255 for a length, being a good bet.

• http://php.net/manual/en/function.password -hash.php

编辑脚注:

根据我在答案下方发布的评论.

As per a comment I posted beneath my answer.

似乎有所不同.根据接受的答案

It looks to have a difference. This Q&A What's the difference between VARCHAR and CHAR? shows it, as per the accepted answer

VARCHAR是可变长度的.

VARCHAR is variable-length.

CHAR是固定长度.

CHAR is fixed length.

• https://stackoverflow.com/a/1885635/1415724

编辑#2:

经过进一步测试以查看是否有所不同，方法是将密码列从VARCHAR(255)更改为CHAR(60)进行更改；没有.

After further testing to see if it made a difference by ALTER'ing the password column from VARCHAR(255) to CHAR(60) made a difference; it did not.

执行的测试:

• 插入了没有转义功能并验证以下内容的新哈希:TRUE.
• 使用转义功能插入新哈希并验证:FALSE.

• Inserted a new hash without the escaping function and verifying: TRUE.
• Inserted a new hash with the escaping function and verifying: FALSE.

因此，正如我最初所说的那样；错误在于使用mysqli_real_escape_string().

Therefore and as I stated originally; the fault lies with the use of mysqli_real_escape_string().

但是，再次检查您的代码，此行:

However and going over your code again, this line:

$password = mysqli_real_escape_string($conn, $username);

您在此处使用了$username变量，该变量也说明了在数据库中插入了错误的值.所有这些都是一开始就存在的问题.

You were using the $username variable here which also accounts for the wrong value being inserted in the database. All of these put together were the problems from the get go.

这篇关于password_verify不返回true/false的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！