使用 Bcrypt 密码失败

Password failing using Bcrypt

到目前为止 bcrypt 一直没有问题。由于某种原因,以下密码无效。 UIO78349%^&(]\';= 这是我第一次遇到密码无法使用的情况,希望有人能给出解释。我在网上搜索并阅读了有关字符限制的信息,但这远低于该限制。不确定它是否有任何区别,但用户输入密码正在经历 mysqli_real_escape_string。

登录表单所在的第一批代码:

<?php
session_start();
?>

<html>
<body>
<form method="post" action="sidebar-signin-block.php">

        <table width="90%" border="0" align="center" bgcolor="white">


            <tr>
                <td bgcolor="ffffff" colspan="2" align="center"><h2>User Login</h2></td>
            </tr>

            <tr>
                <td align="right">Email:</td>
                <td><input type="text" name="email"></td>
            </tr>

            <tr>
                <td align="right">Password:</td>
                <td><input type="password" name="password"></td>
            </tr>

            <tr>
                <td colspan="2" align="center"><input type="submit" name="login" value="Login"></td>

            </tr>

            <tr>
                <td colspan="2" align="center"><h3 style="margin-top:7px;"><a href="nonadmin_user_forgot_password.php" target="_blank" title="Reset Your Lost Password">Forgot Password?</a></h3></td>
            </tr>


            <tr>
                <td bgcolor="#ffffff" colspan="2" align="center"><div style="padding-top:5px;"><span style="font-size:20px;">Don't have an account?<br /><a href="/includes/register-user.php" title="Register with us!" target="_self">Sign Up</a> is <em>quick</em> and <em>easy</em>!</span></div></td>

        </table>
    </form>

    <?php 

// Connecting to the database and making the Bcrypt functions available
include("admin/includes/connect.php");
include ("lib/password.php");

// Gathering and sanitizing user login input
if(isset($_POST['login'])){

    $email = trim(((isset($conn) && is_object($conn)) ? mysqli_real_escape_string($conn, $_POST['email']) :((trigger_error  ("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")));

        $pass = trim(((isset($conn) && is_object($conn)) ? mysqli_real_escape_string($conn, $_POST['password']) : ((trigger_error   ("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")));

         // Checking the database records for the user login input
        $hash_query = "select nonadmin_user_pass from nonadmin_user_login where email='$email'";{
                $run_query = mysqli_query($conn, $hash_query);}
                while ($row = mysqli_fetch_assoc($run_query)) {
                $fetch_pass = $row['nonadmin_user_pass'];
                    }
        // If the user email and password matches we start a session                               
        if ((password_verify($pass, $fetch_pass)) == 1){

              // Verifying user login success with splash page then sending user back to the home page
              $_SESSION['email']=$email;
              echo "<script>window.open('login-success.php','_self')</script>";}

    // When the user login fails an alert is given to inform them
    else {
    echo "<script>alert('Email or password is incorrect please try again')</script>";
    echo "<script>window.open('index.php','_self')</script>";}  
}
?>
</body>
</html>

这里是js.

<script>$(document).ready(function(){
$("#login").click(function(){
var email = $("#email").val();
var password = $("#password").val();
// Checking for blank fields.
if( email =='' || password ==''){
$('input[type="text"],input[type="password"]');
$('input[type="text"],input[type="password"]');
alert("Please fill all fields.");
}else {
$.post("log-me-in.php",{ email1: email, password1:password},
function(data) {
if(data=='Invalid Email.......') {
$('input[type="text"]');
$('input[type="password"]');
alert(data);
}else if(data=='Email or Password is wrong please try again.'){
$('input[type="text"],input[type="password"]');
alert(data);
} else if(data=='Successfully Logged in.'){
window.location.reload();
$("form")[0].reset();
$('input[type="text"],input[type="password"]');
alert(data);
} else{
alert(data);
}
});
}
});
});</script>

这是正在调用的 php:

<?php 
session_start();
// Connecting to the database and making the Bcrypt functions available
include("admin/includes/connect.php");
include ("lib/password.php");

$email=$_POST['email1']; // Fetching Values from URL.
$password= ($_POST['password1']); 
// check if e-mail address syntax is valid or not
//$email = filter_var($email, FILTER_SANITIZE_EMAIL); // sanitizing email(Remove unexpected symbol like <,>,?,#,!, etc.)
//if (!filter_var($email, FILTER_VALIDATE_EMAIL)){
//echo "Invalid Email.......";
//}else{
// Matching user input email and password with stored email and password in database.
$result = mysqli_query($conn, "SELECT * FROM nonadmin_user_login WHERE email='$email'");
$data = mysqli_fetch_array($result);
$bcrypt_pass = $data['nonadmin_user_pass'];
$email_match = $data['email'];

if (password_verify ($password, $bcrypt_pass) == 1 AND $email == $email_match) {

$_SESSION['email']=$email;
echo "Successfully Logged in.";
}

else{
echo "Email or Password is wrong please try again";
}

//}
?>

Here is the user registration code where the password initially gets entered before mail verification:

    <html>
    <head>
    <title>Register at Recycling Kansas City</title>

    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" type="text/css" href="/styles/register-user.css" media="all">

    <!-- ie compatibility -->
    <!--[if IE]>
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <![endif]-->

    <!--[if lt IE 9]>
    <script src="Site/javascript/bootstrap/html5shiv.js"></script>
    <![endif]-->

    <meta content="recycling kansas city, recycling centers, recycling locations" name="keywords">
    <meta content="Recycling Kansas City is an efficient resource to help you quickly find a recycle center that is nearby. Use our map to find locations and accepted items." name="description">
         </head>



    <h1 class="center">Why register at Recycling Kansas City?</h1>

    <p>By registering here you will gain access to additional features. Once registered you can create your own custom profile, submit and comment on blog articles, advertise your products or services and have the choice to opt in for email announcements.</p>

    <p>All of your information will be securely stored in our database and you can delete your account at any time. Also, rest assured that we will never share any of your submitted details with anyone ever.</p>

    <form method="post" action="register-user.php">

            <table width="520" border="10" align="center" bgcolor="white">


                <tr>
                    <td bgcolor="ffffff" colspan="2" align="center"><h1>Registration</h1></td>
                </tr>

                <tr>
                    <td align="right">Email</td>
                    <td><input type="text" name="email" size="53"></td>
                </tr>

                <tr>
                    <td align="right">Password:</td>
                    <td><input type="password" name="pwd" size="53"></td>
                </tr>
                <tr>
                    <td align="right">User Name:</td>
                    <td><input type="text" name="name" size="53"></td>
                </tr>

                <tr>
                    <td colspan="2" align="center"><input type="submit" name="register" value="Register"></td>
                </tr>

            </table>
        </form>
    </html>



    <?php

    include ("../admin/includes/connect.php");
    include ("../lib/password.php");

    $con = new mysqli("localhost", "$username", "$password", "$database");

    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    if(isset($_POST['register'])){

    $email = trim(mysql_escape_string($_POST['email']));

    $nonadmin_user_pass = trim(mysql_escape_string($_POST['pwd']));

    $password = password_hash($nonadmin_user_pass, PASSWORD_BCRYPT);

    $nonadmin_user_name = trim(mysql_escape_string($_POST['name']));

    $query_verify_email = "SELECT * FROM nonadmin_user_login WHERE email ='$email' and verified = 1";

    $verified_email = mysqli_query($con,$query_verify_email);

    if (!$verified_email) {

    echo ' System Error';
    }

    if (mysqli_num_rows($verified_email) == 0) {

    // Generate a unique code:

    $hash = md5(uniqid(rand(), true));

    $query_create_user = "INSERT INTO `nonadmin_user_login` (`email`, `nonadmin_user_pass`, `nonadmin_user_name`,  `hash`) VALUES ('$email', '$password', '$nonadmin_user_name', '$hash')";

    $created_user = mysqli_query($con,$query_create_user);

    if (!$created_user) {

    echo 'Query Failed ';
    }

    if (mysqli_affected_rows($con) == 1) { //If the Insert Query was successfull.

    $subject = 'Activate Your Email';

    $headers = "From: admin@recyclingkansascity.com \r\n";

    $headers .= "MIME-Version: 1.0\r\n";

    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

    $url= 'http://recyclingkansascity.com/includes/register-verify.php?email=' . urlencode($email) . "&key=$hash";

    $message ='<p>To activate your account please click on Activate buttton</p>';

    $message.='<table cellspacing="0" cellpadding="0"> <tr>';

    $message .= '<td align="center" width="300" height="40" bgcolor="#000091" style="-webkit-border-radius: 5px; -moz-border-radius: 5px; border-radius: 5px;

    color: #ffffff; display: block;">';

    $message .= '<a href="'.$url.'" style="color: #ffffff; font-size:16px; font-weight: bold; font-family: Helvetica, Arial, sans-serif; text-decoration: none;

    line-height:40px; width:100%; display:inline-block">Click to Activate</a>';

    $message .= '</td> </tr> </table>';

    mail($email, $subject, $message, $headers);

    echo '<p class="center">A confirmation email

    has been sent to <b>'. $email.' </b></p><p class="center">Please <strong>click</strong> on the <strong><em>Activate</em> Button</strong> to Activate your account.</p> ';

    } else { // If it did not run OK.

    echo '<div>You could not be registered due to a system

    error. We apologize for any

    inconvenience.</div>';

    }

    }

    else{

    echo '<div>Email already registered</div>';}

    }
    ?>

到目前为止,在 post 顶部的密码之前,从未对任何密码打嗝?如果你问我很奇怪。

删除所有对 mysqli_real_escape_string() 的密码输入调用,函数 password_hash() and password_verify() 甚至接受二进制输入并且不易 SQL-injection。我认为这已经解决了您的问题。转义应该尽可能晚地进行,并且只针对给定的目标系统,所以函数 mysqli_real_escape_string() 应该只被调用来构建一个 SQL 查询。

那么函数 password_verify() 已经 returns 一个布尔值,不需要与 == 1 进行比较。

if (password_verify($pass, $fetch_pass))
{
  ...
}

如果这不能解决您的问题,我会确保每个页面都使用 UTF-8 作为文件格式并在 header.

中定义它