1. 首頁
  2. 問答
  3. MySql Password_verify()不起作用?

MySql Password_verify()不起作用?

2015-07-11 61 views
1

在註冊期間,用戶的密碼作爲加密的BCRYPT密碼保存在數據庫中。MySql Password_verify()不起作用?

我的問題是:爲什麼我不能用輸入的密碼驗證加密的數據庫密碼?

CODE:

<?php      //POST VARIABLES 
        $submit = $_POST['login_submit']; 
        $username = $_POST['login_username']; 
        $password = $_POST['login_password']; 
        $email = $_POST['login_email']; 

require 'password_config.php'; 
if(isset($submit)){ 
require 'db/connect.php'; 
//PASSWORD VERIFYING 
$pass_query = "SELECT password FROM users WHERE email='$email'"; 
$queried = mysql_query($pass_query); 
while($row = mysql_fetch_array($queried)){ 
$user_pass = $row['password']; 
$veri_password = password_verify($password, $user_pass); 
} 

//CHECKING NUM ROWS 
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'"; 
$entered_user = mysql_query($sql); 
$num_rows = mysql_num_rows($entered_user); 


//ERRS ARRAY DECLARED 
$errors = array(); 

//FURTHER VERIFYING 
if($num_rows != 1) 
{ 
$errors[] = '-Account does not exist '; 
} 
elseif($num_rows == 1) 
{ 
session_start(); 
while($row = mysql_fetch_array($entered_user)){ 
$_SESSION['key'] === true; 
$_SESSION['id'] = $row['id']; 
$_SESSION['email'] = $email; 
$_SESSION['user'] = $row['username']; 
$_SESSION['pass'] = $password; 
header('Location: profile.php'); 
exit(); 
} 
} 
} 
?>

我收到一個錯誤,指出「賬號不存在」甚至當我輸入有效的信息。

感謝, -Eugene

編輯更改爲此:

 <?php      //POST VARIABLES 
          $submit = $_POST['login_submit']; 
          $username = $_POST['login_username']; 
          $password = $_POST['login_password']; 
          $email = $_POST['login_email']; 

    require 'password_config.php'; 
    if(isset($submit)){ 
    require 'db/connect.php'; 
    //PASSWORD VERIFYING 
    $pass_query = "SELECT password FROM users WHERE email='$email'"; 
    $queried = mysql_query($pass_query); 
    while($row = mysql_fetch_array($queried)){ 
    $user_pass = $row['password']; 
    $veri_password = password_verify($password, $user_pass); 
    } 
    if($veri_password === true){ 
    //CHECKING NUM ROWS 
     $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'"; 
     $entered_user = mysql_query($sql); 
     $num_rows = mysql_num_rows($entered_user); 


    //ERRS ARRAY ESTABLISHED 
     $errors = array(); 

    //FURTHER VERIFYING 
     if($num_rows != 1) 
     { 
     $errors[] = '-Account does not exist '; 
     } 
     elseif($num_rows == 1) 
     { 
     session_start(); 
     while($row = mysql_fetch_array($entered_user)){ 
     $_SESSION['key'] === true; 
     $_SESSION['id'] = $row['id']; 
     $_SESSION['email'] = $email; 
     $_SESSION['user'] = $row['username']; 
     $_SESSION['pass'] = $password; 
     header('Location: profile.php'); 
     exit(); 
     } 
     } 
     } 
    } 
    ?>

來源

2015-07-11 Eugene Stamp

+0

您的代碼很容易受到SQL注入 – Ormoz

+1

你爲什麼做用'$ veri_password = password_verify($密碼,$ user_pass)結果第二選擇;' ....''password_verify()'返回一個布爾值,告訴你密碼是否有效.....它不會返回一個字符串值用於後續查詢中使用的密碼 –

+0

愚蠢的問題傢伙,我意識到我的錯誤,不需要進一步的答案 –

回答

2

變化:

$sql = "SELECT id, username FROM users WHERE email='$email'";

而且改變:

$veri_password = password_verify($password, $user_pass); 


if(!password_verify($password, $user_pass)){ 
    echo 'invalid password'; 
    exit; 
}

無論如何,你的代碼很容易被sql注入。請考慮在您的查詢中使用準備好的語句或使用mysql_real_escape_string轉義輸入字符串。 。並且還建議使用mysqlipdo,而不是程序方法

來源

2015-07-11 13:00:52 Ormoz

相關問題

 相關問題