PHP password_verify() 在应该为真时返回假
PHP password_verify() returning false when it should be true
堆栈溢出。
我正在尝试为我的网站创建一个登录系统,使用 PHP 的 password_* 函数作为密码 hashing/verification,但是 password_verify() 总是 returns false 即使我输入了正确的密码。
基本流程是:
- signup.php 中的哈希密码(使用预设盐进行测试)
我知道这非常不安全(一旦它起作用我会加强它),但这是我的测试代码。
散列:(signup.php)
<?php
// include my custom MySQL function (it definitely works fine)
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL(); // custom function, returns mysqli object for my DB
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("UPDATE `users` SET `password` = ? WHERE `username` = ?");
$hashed = password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"));
echo "<pre>".$password." Hashed: <pre>".$hashed."</pre><br><br>";
$sql->bind_param('ss', $hashed, $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
} else {
echo "Successfully executed SQL";
}
else: ?>
<form method="GET" action="signup.php"><!--HORRENDOUSLY INSECURE-->
Username: <input type="text" name="username"><br>
New Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
正在验证:(login.php)
<?php
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL();
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("SELECT * FROM `users` WHERE `username` = ?");
$sql->bind_param('s', $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
}
$result = $sql->get_result();
$udata = array();
while ($data = $result->fetch_assoc()) {
var_dump($data);echo "<br><br>";
$udata[] = $data;
}
echo "<pre>";
var_dump($udata);
echo "</pre>";
echo "Password verify says <pre>";var_dump(password_verify($password, $udata['password']));
echo "</pre><br>PW: <pre>".$password."</pre> / Hash: <pre>".$udata[0]['password']."</pre><br>";
echo "Entered password:";var_dump($password);echo "<br>";
echo "Hash SHOULD be:";var_dump(password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"))); echo "<br>";
if(password_verify($password, $udata[0]['password'])):
echo "you are who you say you are";
else:
echo "wrong password, <a href='?'>try again</a>";
echo "Password algo info:";var_dump(password_get_info($udata[0]['password']));echo "<br>";
endif;
else: ?>
<form method="GET" action="login.php"><!--INSECURE, USE POST AFTER TESTING-->
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
哈希值肯定存储在数据库中,并且肯定可以正常检索,只是 password_verify() 没有。
非常感谢您的帮助。 :)
谢谢。
代码中发现的几个问题的列表:
使用 $_REQUEST_['password'] 而不是 $_REQUEST['password']。
使用$udata['password']代替$udata[0]['password'](仅与调试相关)。
根据评论,主要问题是(我认为)生成哈希时的第一项。
堆栈溢出。
我正在尝试为我的网站创建一个登录系统,使用 PHP 的 password_* 函数作为密码 hashing/verification,但是 password_verify() 总是 returns false 即使我输入了正确的密码。
基本流程是: - signup.php 中的哈希密码(使用预设盐进行测试)
我知道这非常不安全(一旦它起作用我会加强它),但这是我的测试代码。
散列:(signup.php)
<?php
// include my custom MySQL function (it definitely works fine)
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL(); // custom function, returns mysqli object for my DB
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("UPDATE `users` SET `password` = ? WHERE `username` = ?");
$hashed = password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"));
echo "<pre>".$password." Hashed: <pre>".$hashed."</pre><br><br>";
$sql->bind_param('ss', $hashed, $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
} else {
echo "Successfully executed SQL";
}
else: ?>
<form method="GET" action="signup.php"><!--HORRENDOUSLY INSECURE-->
Username: <input type="text" name="username"><br>
New Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
正在验证:(login.php)
<?php
if($_REQUEST['username'] && $_REQUEST['password']):
$db = connectMySQL();
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$username = $db->escape_string($_REQUEST['username']);
$password = $db->escape_string($_REQUEST['password']);
$sql = $db->prepare("SELECT * FROM `users` WHERE `username` = ?");
$sql->bind_param('s', $username);
if(!$sql->execute()){
die('There was an error running the query [' . $db->error . ']');
}
$result = $sql->get_result();
$udata = array();
while ($data = $result->fetch_assoc()) {
var_dump($data);echo "<br><br>";
$udata[] = $data;
}
echo "<pre>";
var_dump($udata);
echo "</pre>";
echo "Password verify says <pre>";var_dump(password_verify($password, $udata['password']));
echo "</pre><br>PW: <pre>".$password."</pre> / Hash: <pre>".$udata[0]['password']."</pre><br>";
echo "Entered password:";var_dump($password);echo "<br>";
echo "Hash SHOULD be:";var_dump(password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"))); echo "<br>";
if(password_verify($password, $udata[0]['password'])):
echo "you are who you say you are";
else:
echo "wrong password, <a href='?'>try again</a>";
echo "Password algo info:";var_dump(password_get_info($udata[0]['password']));echo "<br>";
endif;
else: ?>
<form method="GET" action="login.php"><!--INSECURE, USE POST AFTER TESTING-->
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit">
</form>
<?php endif; ?>
哈希值肯定存储在数据库中,并且肯定可以正常检索,只是 password_verify() 没有。
非常感谢您的帮助。 :)
谢谢。
代码中发现的几个问题的列表:
使用 $_REQUEST_['password'] 而不是 $_REQUEST['password']。
使用$udata['password']代替$udata[0]['password'](仅与调试相关)。
根据评论,主要问题是(我认为)生成哈希时的第一项。