密码在PHP登录系统永远不会奏效 [英] Password never works in PHP login system

问题描述

我想建立一个PHP会员区我的Web服务器，这哈希和盐渍的密码上。我注册了一个账号，并检查了数据库 - 如预期的那样创建用户 - 一切似乎罚款。现在的问题是，每当我试图登录它说的登录不正确（用户名或密码）。当然，这是在试验区正在做的，我注册的用户名和密码应该工作 - 但不

I am trying to set up a PHP members area on my web server, which has hashed and salted passwords. I registered an account and checked the database - the user is created as expected - everything seemed fine. The problem is whenever I try to log in it says the login is incorrect (username or password). Of course this is being done in a test area, and the user name and password I registered with should work - but doesn't.

auth.php：应认证用户，并创建一个会话，如果细节都有效
//登录永远不会奏效

auth.php: should authenticate the user and create a session if the details are valid //login never works

<?php
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if (strlen($username)<3 || strlen($password)<3) {
    header('Location: log_in.php5?error=1');
    die();
}

$username = mysql_real_escape_string($username);

function validateUser() {
    session_regenerate_id ();
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $username;
}

include "../db_login.php5";
mysql_select_db("DB_NAME", $con);

$query = "SELECT password, salt
        FROM users
        WHERE username = '" . $username . "';";

$result = mysql_query($query);

$userData = mysql_fetch_assoc($result);
$count = mysql_num_rows($userData);

if ($count < 1) {
    header('Location: log_in.php5?error=1');
    die();
}

$salt = "";
$hashed_pass = "";

for ($x=0; $x<1; $x++) {
  $salt = $userData['salt'];
  $hashed_pass = $userData['password'];
}

$hash = hash('sha256', $salt . hash('sha256', $password));

mysql_close($con);

if ($hash != $hashed_pass) {
    header('Location: log_in.php5?error=1');
    die();
} else {
    validateUser();
}

header('Location: members.php5');
?>

register.php：应采取用户名，哈希值与盐密码，所有3个存储DB //作品

register.php: should take the username, hash the password with a salt, store all 3 to DB //works

<?php
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
    header('Location: sign_up.php5');
if(strlen($username) > 30)
    header('Location: sign_up.php5');

$hash = hash('sha256', $pass1);

function createSalt(){
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

include "../db_register.php5";
mysql_select_db("DB_NAME", $con);

//sanitize username
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users (username, password, salt)
        VALUES ( '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close($con);

header('Location: log_in.php5');
?>

在的login.php 文件是一个简单的表格中的数据auth.php哪些职位;
在 sign_up.php 文件也是一个简单的表单的用户数据register.php哪些帖子。

The login.php file is a simple form which posts the data to auth.php; the sign_up.php file is also a simple form which posts the user data to register.php.

什么是错我的code，它不会让我登录？

编辑：

所以我已经将问题范围缩小下来，在$用户名变量，似乎从一开始就空白？

So I've narrowed the problem down so the $username variable which seems to be blank from the start?

输出：

Count: 
User: 
Query: SELECT * FROM `users` WHERE `username`='';

code输出：

code for output:

$query = "SELECT * 
FROM `users` 
WHERE `username`='".$username."';";

$result = mysql_query($query);

$userData = mysql_fetch_assoc($result);
$count = mysql_num_rows($userData);

if ($count < 1) {
    echo "Count: ".$count."<BR/>"
    . "User: " .$username ."<BR/>"
    . "Query: " .$query;
    //header('Location: log_in.php5?error=1,count='.$count.'user='.$username);
    //die();
}

$计数和$用户名未在任何地址和SQL查询打印

$count and $username are not printed in either Address nor the sql query

编辑2：

*Jared* eventually found the problems which were two in number:
1) $username = mysql_real_escape_string($username); <-- required a db connection $con in my case
2) $count = mysql_num_rows($userData); <-- required to pass the $result instead.

谢谢大家！

推荐答案

用什么这部分内容？

for ($x=0; $x<1; $x++) {
  $salt = $userData['salt'];
  $hashed_pass = $userData['password'];
}

做的的var_dump $用户数据。

修改

function validateUser($username) {
    session_regenerate_id ();
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $username;
}

和底部附近的：

if ($hash != $hashed_pass) {
    header('Location: log_in.php5?error=1');
    die();
} else {
    validateUser($username);
}

这篇关于密码在PHP登录系统永远不会奏效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！