Codeigniter登录验证不正确的用户名&密码 [英] Codeigniter Login Validating Incorrect Username & Password

问题描述

我使用的是php password_hash http://php.net/manual/en /function.password-hash.php 创建我的密码。并访问password_verify http://php.net/manual/en/function.password- verify.php 检查密码。

I am using php password_hash http://php.net/manual/en/function.password-hash.php to create my passwords. And to password_verify http://php.net/manual/en/function.password-verify.php to check passwords.

问题当我尝试验证我的密码时，它允许不存在的用户名和密码以阻止正确的用户名和密码？

Problem When I try to verify my password it allows username and password that do not exist to login, but blocks username and passwords that are correct?

由于某种原因，它是回到前面吗？不确定为什么？

For some reason it is back to front? Not sure why?

问题如何确保它无法使用php password_verfiy验证不正确的用户名和密码

Question How can I make sure it is not validating incorrect username and password using php password_verfiy

模型函数

public function login($username, $password) {
    $this->db->where('username', $username);
    $this->db->where('password', $this->validate_password($password));
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        return true;
    } else {
        return false;
    }
}

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return true;
    } else {
        return false;
    }
}

public function stored_hash() {
    $this->db->where('username', $this->input->post('username')); 
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        $row = $query->row();
        return $row->password;
    } else {
        return false;
    }
}

控制器登录 p>

Controller Login

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller {

public function __construct() {
    parent::__construct();
    $this->lang->load('common/login', 'english');
    $this->load->model('common/model_login');
    $this->load->library('form_validation');
}

public function index() {
    $data['title'] = $this->lang->line('heading_title');

    $this->form_validation->set_rules('username', 'Username', 'trim|required');
    $this->form_validation->set_rules('password', 'Password', 'required|callback_validate_user');

    if ($this->form_validation->run() == FALSE) {

        $data['template'] = 'common/login_view';
        $this->load->view('common/template_view', $data);

    } else {

        redirect('common/dashboard');
    }
}

public function validate_user() {
    $username = $this->input->post('username');
    $password = $this->input->post('password');

    $result = $this->model_login->login($username, $password);

    if ($result) {

        $data = array(
            'is_logged' => true,
            'username' => $this->input->post('username')
        );  

        $this->session->set_userdata($data);

    } else {

        $this->form_validation->set_message('validate_user', $this->lang->line('error_login'));
        return false;
    }
}

}

推荐答案

问题在于您的 validate_password 函数，因为此函数返回 TRUE 或 FALSE 。如果您的密码匹配

Problem is with your validate_password function because this function return either TRUE or FALSE. You need to return $password if your password match

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return $password;// return password here
    } else {
        return false;
    }
}

更改登录函数因为您已经在validate_password（）函数中匹配了您的密码

Change your login function because you already match your password in validate_password() function

function login($username, $password) {

    if ($this->validate_password($password)) {
        $this->db->where('username', $username);
        $query = $this->db->get($this->db->dbprefix . 'user');

        if ($query->num_rows() > 0) {
            return true;
        } else {
            return false;
        }
    } else {
        return FALSE;
    }
}

这篇关于Codeigniter登录验证不正确的用户名&密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！