password_verify 始终 Returns 错误,即使使用了适当的变量
password_verify Always Returns False, even with proper variables used
我的网页以登录页面开头,与许多网页一样,如果用户没有帐户,他们可以注册。我的注册成功了,他们输入的用户密码成功地用 password_hash 散列并发送到数据库。但是,当尝试登录时,password_verify 总是 returns false。我认为我最初制作散列密码时犯了一个愚蠢的错误,所以我回应了我在 password_verify 中用作第二个参数的变量。但是,它与数据库中的哈希完全匹配。可能是什么问题??下面提供了缩短的代码,用于在注册期间创建密码和在登录时检查密码。
创建哈希密码
<?php
session_start();
require('db_credentials.php');
$inputUsername = $_POST['createUsername'] ? $_POST['createUsername'] : null;
$inputPassword = $_POST['createPassword'] ? $_POST['createPassword'] : null;
$vPassword = $_POST['verifyPassword'] ? $_POST['verifyPassword'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$vPassword = $mysqli->real_escape_string($vPassword);
//create connection
$mysqli = new mysqli($servername, $username, $password, $dbname);
$protectedPassword = password_hash($inputPassword, PASSWORD_DEFAULT);
//Check if the passwords match
if($inputPassword != $vPassword){
echo '<p style = "text-align: center;">Oops!The passwords you input did not match. Please try again.</p>';
session_write_close();
exit;
}
//Check for duplicate username
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = mysqli_query($mysqli, $query);
if(mysqli_num_rows($result) == 1) {
echo '<p style = "text-align: center;">Oops! That Username is already taken. <br>Please try a different one.</p>';
session_write_close();
exit;
}
//Username is not takin and the passwords match
else {
$sql = "INSERT INTO user_info (username, password) VALUES (' ".$inputUsername." ', ' ".$protectedPassword." ')";
echo '<p style = "text-align: center;">Success! You Have Made an Account!</p>';
if($mysqli->query($sql) === TRUE) {
session_write_close();
exit;
}
else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
?>
正在登录
<?php
require('db_credentials.php');
$inputUsername = $_POST['username'] ? $_POST['username'] : null;
$inputPassword = $_POST['password'] ? $_POST['password'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$mysqli = new mysqli($servername, $username, $password, $dbname);
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = $mysqli->query($query);
//check if username is in database. If it is, do the passwords match?
if($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
echo $row['password'] . "<br>"; //matches hash in database exactly
echo $inputPassword; //matches the password I type in. Which is same I used to sign up.
if(password_verify($inputPassword, $row['password'])){
header("Location: puzzlerMember.php"); //this never happens
exit;
}
}
echo '<p style = "text-align: center;">Oops! Your Username/Password is incorrect. Sign up if you do not have an account.</p>'; //this always happens
exit;
?>
注意:在数据库中,我将密码列设置为 VARCHAR(255)。
我看过很多类似的问题,但他们似乎都错误地认为数据库中的密码长度太短。如果他们没有,我尝试了解决方案的最佳答案。我完全不知道出了什么问题。
如果你能帮忙,我先谢谢你了。
您正在转义您的密码,因此这会更改原来的密码。不要依赖转义作为安全措施(这本身就是一种误解),而是使用准备好的语句。
根据下面的评论,似乎需要澄清:您正在转义密码然后对其进行哈希处理,因此存储在数据库中的不是用户传递的内容,因此它永远找不到用户输入的内容通过,因此总是返回 false。
相关: Should I mysql_real_escape_string the password entered in the registration form?
更新 #1
正如@mario 所发现的,当您将值传递给它时,您的查询中似乎有空格,它正在搜索您的 table 以查找不正确的值。
阅读Material
我的网页以登录页面开头,与许多网页一样,如果用户没有帐户,他们可以注册。我的注册成功了,他们输入的用户密码成功地用 password_hash 散列并发送到数据库。但是,当尝试登录时,password_verify 总是 returns false。我认为我最初制作散列密码时犯了一个愚蠢的错误,所以我回应了我在 password_verify 中用作第二个参数的变量。但是,它与数据库中的哈希完全匹配。可能是什么问题??下面提供了缩短的代码,用于在注册期间创建密码和在登录时检查密码。
创建哈希密码
<?php
session_start();
require('db_credentials.php');
$inputUsername = $_POST['createUsername'] ? $_POST['createUsername'] : null;
$inputPassword = $_POST['createPassword'] ? $_POST['createPassword'] : null;
$vPassword = $_POST['verifyPassword'] ? $_POST['verifyPassword'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$vPassword = $mysqli->real_escape_string($vPassword);
//create connection
$mysqli = new mysqli($servername, $username, $password, $dbname);
$protectedPassword = password_hash($inputPassword, PASSWORD_DEFAULT);
//Check if the passwords match
if($inputPassword != $vPassword){
echo '<p style = "text-align: center;">Oops!The passwords you input did not match. Please try again.</p>';
session_write_close();
exit;
}
//Check for duplicate username
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = mysqli_query($mysqli, $query);
if(mysqli_num_rows($result) == 1) {
echo '<p style = "text-align: center;">Oops! That Username is already taken. <br>Please try a different one.</p>';
session_write_close();
exit;
}
//Username is not takin and the passwords match
else {
$sql = "INSERT INTO user_info (username, password) VALUES (' ".$inputUsername." ', ' ".$protectedPassword." ')";
echo '<p style = "text-align: center;">Success! You Have Made an Account!</p>';
if($mysqli->query($sql) === TRUE) {
session_write_close();
exit;
}
else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
?>
正在登录
<?php
require('db_credentials.php');
$inputUsername = $_POST['username'] ? $_POST['username'] : null;
$inputPassword = $_POST['password'] ? $_POST['password'] : null;
//protect database from corrupt user input
$inputUsername = $mysqli->real_escape_string($inputUsername);
$inputPassword = $mysqli->real_escape_string($inputPassword);
$mysqli = new mysqli($servername, $username, $password, $dbname);
$query = "SELECT * FROM user_info WHERE username = ' ".$inputUsername." ' ";
$result = $mysqli->query($query);
//check if username is in database. If it is, do the passwords match?
if($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
echo $row['password'] . "<br>"; //matches hash in database exactly
echo $inputPassword; //matches the password I type in. Which is same I used to sign up.
if(password_verify($inputPassword, $row['password'])){
header("Location: puzzlerMember.php"); //this never happens
exit;
}
}
echo '<p style = "text-align: center;">Oops! Your Username/Password is incorrect. Sign up if you do not have an account.</p>'; //this always happens
exit;
?>
注意:在数据库中,我将密码列设置为 VARCHAR(255)。 我看过很多类似的问题,但他们似乎都错误地认为数据库中的密码长度太短。如果他们没有,我尝试了解决方案的最佳答案。我完全不知道出了什么问题。 如果你能帮忙,我先谢谢你了。
您正在转义您的密码,因此这会更改原来的密码。不要依赖转义作为安全措施(这本身就是一种误解),而是使用准备好的语句。
根据下面的评论,似乎需要澄清:您正在转义密码然后对其进行哈希处理,因此存储在数据库中的不是用户传递的内容,因此它永远找不到用户输入的内容通过,因此总是返回 false。
相关: Should I mysql_real_escape_string the password entered in the registration form?
更新 #1
正如@mario 所发现的,当您将值传递给它时,您的查询中似乎有空格,它正在搜索您的 table 以查找不正确的值。
阅读Material