使用password_verify时，任何密码都可以，为什么？

Question

已经阅读了所有我能找到的与此相关的问题，但仍然找不到有用的答案（对我有帮助）。

我的问题是在使用password_verify时可以使用任何密码登录。

login_process.php

include_once("db.php"); 

if(!empty($_POST['login'])) { 
        // Escape variables
        $input_username = mysqli_real_escape_string($connectdb, $_POST['username']);
        $input_password = mysqli_real_escape_string($connectdb, $_POST['password']);

//Query to find username
            $query = "SELECT id, username, password, email FROM usersdt091g WHERE username = '$input_username'";
            $query2 = "SELECT password FROM usersdt091g WHERE username = '$input_username'";
            $res = mysqli_query($connectdb, $query2);
            $dbpass = mysqli_fetch_assoc($res);
            $hash = $dbpass[0]['password'];
            $result = mysqli_query($connectdb, $query);
            $row = mysqli_fetch_assoc($result);

        // Login ok = false, then render it true if conditions met
        $login_ok = false; 

        if(password_verify($input_password, $hash)) 
        { 
                // If they do, then we flip this to true 
                $login_ok = true; 
        } 

        // If login ok
        if($login_ok = true) 
        {
            // Session variables
            $_SESSION['user'] = $row;

            // Redirect user to secret page. 
            header('Location: blahalblal'); 
            exit; 
        } else {
            // Tell the user they failed
            $errors[] = "<p>Login Failed MISERABLY!</p>"; 
        }
    }
?>

Image of Database table

我的注册过程是这样的。 signup.php

<?php 
   include_once("db.php"); 

    if(isset($_POST['signup']))
{
 $username = mysqli_real_escape_string($connectdb, $_POST['username']);
 $email = mysqli_real_escape_string($connectdb, $_POST['email']);
 $password = mysqli_real_escape_string($connectdb, $_POST['password']);
 $hash = password_hash($password, PASSWORD_DEFAULT);

 if(mysqli_query($connectdb, "INSERT INTO usersdt091g (username, email, password) VALUES ('$username','$email','$hash')"))
 { 
     $successs[] = "<p>Great Success, please login!</p>";
 }
}
?>

我可以使用所有的帮助，

埃里克

Answer 1

这将总是为真：

if($login_ok = true)

因为给布尔值赋值的结果就是布尔值本身。您可能打算 compare 值而不是 assign it:

if($login_ok == true)

Answer 2

这就是我发现的有效方法，多亏了 David 我将整个比较运算符排除在外。我还删除了不必要的查询。为了从数据库中获取用户名和用户密码以匹配输入，我必须确保它们匹配。有时会盯着自己看，但是是的，在 $login_ok == true 之前匹配用户名和用户密码。

<?php 
   include_once("db.php"); 

if(!empty($_POST['login'])) { 
        // Escape variables
        $input_username = mysqli_real_escape_string($connectdb, $_POST['username']);
        $input_password = mysqli_real_escape_string($connectdb, $_POST['password']);
        //Query to find username
        $query = "SELECT id, username, password, email FROM users WHERE username = '$input_username'";
        $result = mysqli_query($connectdb, $query);
        $row = mysqli_fetch_assoc($result);
        $userid = $row['username'];
        $hash = $row['password'];
        //var_dump($dbpassword[0]);
        // Login ok = false, then render it true if conditions met
        $login_ok = false; 

        if(password_verify($input_password, $hash) && $userid === $input_username) 
        { 
                // If they do, then we flip this to true 
                $login_ok = true; 
        } 

        // If login ok
        if($login_ok == true) 
        {
            // Session variables
            $_SESSION['user'] = $row;

            // Redirect user to secret page. 
            header('Location: portfolio_admin.php'); 
            exit; 
        } else {
            // Tell the user they failed
            $errors[] = "<p>Login Failed MISERABLY!</p>"; 
        }
    }
?>

使用password_verify时，任何密码都可以，为什么？

When using password_verify, any password suffices, why?

php

passwords

verify