PHP password_verify（）不能使用数据库 [英] PHP password_verify() not working with database

问题描述

我正在建立登录和注册系统。系统工作，所以现在我必须添加安全的哈希密码数据库存储。但是，当我从数据库中检索哈希密码并将其与用户输入的密码进行比较时，它将不起作用。

I'm in the process of making a login and registration system. The system works so now I have to add in security for hashing password for database storage. However, when I retrieve the hashed password from the database and comparing it to the one the user entered as the password input it doesn't work.

    <?php
session_start(); //start the session for user profile page

define('DB_HOST','localhost'); 
define('DB_NAME','test'); //name of database
define('DB_USER','root'); //mysql user
define('DB_PASSWORD',''); //mysql password

$con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());

$db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 

/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn(mysqli $con){
    $user = mysqli_real_escape_string($con,$_POST['user']); //user input field from html
    $pass = mysqli_real_escape_string($con,$_POST['pass']); //pass input field from html
    //$user = $_POST['user'];
    //$pass = $_POST['pass'];
    if(isset($_POST['user'])){ //checking the 'user' name which is from Sign-in.html, is it empty or have some text
        $query = mysqli_query($con,"SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysqli_connect_error());
        $row = mysqli_fetch_array($query); //or die(mysqli_error($con));
        $username = $row['userName'];
        $pw = $row['pass'];//hashed password in database
        //check username and password hash
        echo $pw; //THIS PRINTS OUT NOTHING!!!
        if($user==$username && password_verify($pass, $pw)) {
            // $user and $pass are from POST
            // $username and $pw are from the rows

            //$_SESSION['userName'] = $row['pass'];
            echo "Successfully logged in.";
        }

        else { 
            echo "Invalid."; 
        }
    }
    else{
        echo "INVALID LOGIN";
    }
}

if(isset($_POST['submit'])){
    SignIn($con);
}
?>

因此，当我尝试比较输入的文本密码和哈希值时，上述代码将回显Invalid一个在数据库中。

So the above code will echo "Invalid" when I attempt to compare the text password entered and the hashed one in the database. The echo $pw prints out nothing for some unknown reason.

这是注册php脚本：

<?php
        //Connection Config
        define('DB_HOST','localhost'); 
        define('DB_NAME','test'); //name of database
        define('DB_USER','root'); //mysql user
        define('DB_PASSWORD',''); //mysql password
        $con = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die(mysqli_connect_error());
        $db = mysqli_select_db($con,DB_NAME) or die(mysqli_connect_error()); 
        //Registration
        function Register($con){
            if(isset($_POST['user']) && isset($_POST['pass'])){
                $username = $_POST['user'];
                $email = $_POST['email'];
                $password = $_POST['pass'];

                //Hashing of password
                $hpassword = password_hash($password, PASSWORD_DEFAULT);
                $query = mysqli_query($con,"INSERT INTO UserName (UserNameID,userName, pass, email) VALUES ('2','$username','$hpassword','$email') ") or die(mysqli_connect_error());

                if($query){
                    //Query successful
                    echo "User has been created successfully";
                }else{
                    echo "Error1";
                }
            }else{
                echo "Error2";
            }
        }

        if(isset($_POST['submit'])){
            Register($con);
        }
    ?>

我确保列是varchar（255）
有人知道为什么验证失败？谢谢！

I've made sure the column is varchar(255) and long enough. Does anyone know why the verification fails? Thanks!

注意：密码哈希后，我计划添加SQL注入防护。

Note: After password hashing I'm planning to add SQL injection defenses.

推荐答案

您正在插入一个哈希密码，这很好。
但是在登录时，你将POST字符串上的一个与数据库中的散列版本进行比较。逻辑上，他们将不一样。
您应该更改：

You're inserting a hashed password, that's good. But then on login you're comparing the one on the POST string with the hashed version in the database. Logically, they will not be the same. You should change :

SELECT * FROM UserName where userName = '$_POST[user]' AND pass = '$_POST[pass]'"

into

SELECT * FROM UserName where userName = '$_POST[user]'

$ b b

确实，你应该添加保护以防止SQL注入无处不在。最好使用预备语句，在每个select，插入，更新，删除等，以及你在这些语句中使用的每一个值。

And indeed you should add protection against SQL injection everywhere. Preferably use prepared statements, on every select, insert, update, delete, etc. and on every single value you're using in those statements.

这篇关于PHP password_verify（）不能使用数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！