-1
經過幾個小時搜索互聯網尋找答案無濟於事,我想我應該問這裏。我試圖在我的網站上密碼我的密碼。我驗證了哈希密碼是正確地從我的數據庫中取出的,並且我輸入的密碼是正確的。但是我的代碼仍然無法工作。我想要驗證的密碼是123,它的哈希值應該是$ 2Y $ 10 $ NebO.9vmHczwnpassword_verify不斷返回false
<?php
session_start();
include("connect.php");
$connection = mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
//$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);
$sql_user_info="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result_user_info=mysql_query($sql_user_info);
$rows_user_info=mysql_fetch_array($result_user_info);
$hash=$rows_user_info['password'];
//echo $hash . " " . $myusername . " " . $mypassword;
if(password_verify($mypassword, $hash)){
$_SESSION["loggedin"] = true;
$_SESSION["username1"] = $myusername;
$id = "SELECT id FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$_SESSION["id"] = mysql_query($id);
mysql_close($connection);
header("location:login_success.php");
}
else {
if(isset($_SESSION['login']))
unset($_SESSION['login']);
mysql_close($connection);
header('location:http://akosh.space/loginfailed.php');
}
?>
什麼我錯在這裏做什麼?
'var_dump($ mypassword,$ hash)' –
你很容易受到[sql注入攻擊](http://bobby-tables.com)的影響,並且簡單地假設查詢成功。做了任何基本的調試,比如'var_dump($ rows_user_info)'來查看數據庫中出現了什麼,如果有的話? –
你如何哈希你的密碼?又是什麼樣的散列? '$ 2y $ 10 $ NebO.9vmHczwn' 2y通常意味着它是一個bcrypt哈希,但它不夠長。 – JimL