Problem with bcrypt hasher when logging in to user account

I created a registration and login system! Registration works without problems. I enter the desired username, the desired email and the desired password and press Enter; after pressing Enter I land on the home page. The problem is that when I press the logout button, which takes me to the login page, and re-enter my username and password, I get an "incorrect username or password" error.

    // Registration handler: validates the form, bcrypt-hashes the password and
    // stores the user. Assumes $db (mysqli connection) and $errors (array) are
    // set up earlier in the file.
    if (isset($_POST['register'])) {
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $email = mysqli_real_escape_string($db, $_POST['email']);
        $password = mysqli_real_escape_string($db, $_POST['password']);
        $repeatpassword = mysqli_real_escape_string($db, $_POST['repeatpassword']);
        $username_checker = "SELECT * FROM users WHERE username='$username'";
        $email_checker = "SELECT * FROM users WHERE email='$email'";
        $name_checker = mysqli_query($db, $username_checker) or die(mysqli_error($db));
        $mail_checker = mysqli_query($db, $email_checker) or die(mysqli_error($db));

        if (empty($username)) {
            array_push($errors, "Username is required");
            return;
        }
        if (empty($email)) {
            array_push($errors, "Email is required");
            return;
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
            return;
        }
        if (mysqli_num_rows($name_checker) > 0) {
            array_push($errors, "Username is already recorded in our database");
            return;
        }
        if (mysqli_num_rows($mail_checker) > 0) {
            array_push($errors, "Email Address is already recorded in our database");
            return;
        }
        if (!preg_match("/^[a-zA-Z ]*$/", $username)) {
            array_push($errors, "The username is only derived from uppercase and lowercase characters");
            return;
        }
        if (strlen($_POST['username']) < 5) {
            array_push($errors, "Username must be at least 5 characters long");
            return;
        }
        if (strlen($_POST['username']) > 12) {
            array_push($errors, "Username must contain a minimum of 5 characters or a maximum of 12 characters");
            return;
        }
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            array_push($errors, "Invalid email format");
            return;
        }
        if (strlen($_POST['password']) < 8) {
            array_push($errors, "The password must contain a minimum of 8 or a maximum of 16 characters");
            return;
        } elseif (strlen($_POST['password']) > 16) {
            array_push($errors, "The password must contain a minimum of 8 or a maximum of 16 characters");
            return;
        }
        if ($password != $repeatpassword) {
            array_push($errors, "Passwords do not match");
            return;
        }
        if (count($errors) == 0) {
            // The stored value is a bcrypt hash, not the password itself.
            $password = password_hash($password, PASSWORD_BCRYPT);
            $sql = "INSERT INTO users (username, email, password)
                    VALUES ('$username','$email','$password')";
            mysqli_query($db, $sql);
            $_SESSION['username'] = $username;
            $_SESSION['success'] = " Welcome   " . $username . "   ";
            $_SESSION['profile_name'] = $username;
            header('location: index.php');
        }
    }

    // Login handler.
    if (isset($_POST['login'])) {
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);

        if (empty($username)) {
            array_push($errors, "Username is required");
            return;
        }
        if (empty($password)) {
            array_push($errors, "Password is required");
            return;
        }
        if (count($errors) == 0) {
            $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
            $result = mysqli_query($db, $query);
            if (mysqli_num_rows($result) > 0) {
                if (password_verify($password)) {
                    $_SESSION['username'] = $username;
                    $_SESSION['success'] = "  Welcome Back    " . $username;
                    $_SESSION['profile_name'] = $username;
                    header('location: index.php');
                }
            } else {
                array_push($errors, "incorrect username or password");
            }
        }
    }

Every time a password is hashed, a new string (hash) is created, so if you try to match a hashed password against a previously hashed one it will never work.

Try this:

    // $result is the user's row fetched from the database (e.g. with mysqli_fetch_assoc)
    if (password_verify($_POST['password'], $result['password']))
        // True if password is correct

$_POST['password'] is the plaintext password from the submitted form.

$result['password'] is the hashed password from your database.

Look into PDO prepared statements; your code is really dangerous.
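The answer above makes two points: a bcrypt hash is salted, so the stored hash can only be checked with password_verify() and never by putting the password into the query, and the SQL should use prepared statements. The following is an added example that puts both together; it is not the original poster's or the answerer's code. It uses an in-memory SQLite database through PDO so it runs offline (it assumes the pdo_sqlite extension is available); the table layout mirrors the question's users table, and the function names and sample user are made up for the example.

```php
<?php
// Added example, not the original poster's or the answerer's code. It shows the
// two fixes the answer points at: look the user up by username only and let
// password_verify() compare the submitted password against the stored bcrypt
// hash, and pass all user input through PDO prepared statements instead of
// splicing it into the SQL string. It uses an in-memory SQLite database so it
// runs offline (assumes the pdo_sqlite extension); the table layout mirrors
// the question's users table.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email    TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $email, string $password): void
{
    // password_hash() picks a fresh random salt on every call, so the stored
    // string differs each time even for identical passwords. That is why the
    // database value can never be matched against a hash computed at login.
    $hash = password_hash($password, PASSWORD_BCRYPT);

    // Placeholders: the driver sends the values separately from the SQL text,
    // so no escaping of $username, $email or $password is needed or wanted.
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    // Select by username only. The plaintext password cannot appear in the
    // WHERE clause because the column holds a salted hash, not the password.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown username verify against a throwaway hash so the request
    // still pays the bcrypt cost; otherwise response time would reveal which
    // usernames exist. (Extra hardening, not something the answer mentions.)
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_BCRYPT);
    $stored = $row === false ? $dummyHash : $row['password'];

    $ok = password_verify($password, $stored);
    return $row !== false && $ok;
}

// Demonstration with constructed data.
$db = connect();
registerUser($db, 'alice', 'alice@example.com', 'correct horse battery');

// Two hashes of the same password are different strings, yet both verify.
$h1 = password_hash('correct horse battery', PASSWORD_BCRYPT);
$h2 = password_hash('correct horse battery', PASSWORD_BCRYPT);
var_dump($h1 !== $h2);
var_dump(password_verify('correct horse battery', $h1));
var_dump(password_verify('correct horse battery', $h2));

var_dump(loginUser($db, 'alice', 'correct horse battery'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', "' OR '1'='1"));
```

Note that the question's code also runs mysqli_real_escape_string() over the password before hashing it. With placeholders that step disappears, and the password should be hashed exactly as the user typed it; escaping only matters when a value is pasted into SQL text, which prepared statements never do. The last call shows an injection-style username simply being treated as a literal that matches no row.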