password_verify() 即使您输入了正确的值,也总是返回 False
password_verify() False is always returned even if you enter the correct value
谁能告诉我为什么即使输入了正确的值我仍然返回 FALSE?
在执行这段代码之前,将密码存入数据库。
$encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT);
<?php
//From Android to php
$user_id = $_POST["user_id"];
$user_pw = $_POST["user_pw"];
$statement = mysqli_prepare($con, "SELECT user_pw FROM USER WHERE user_id = $user_id");
mysqli_stmt_execute($statement);
mysqli_stmt_store_result($statement);
//USERDB contains the password that has already been hashed.
$response = array();
if(password_verify($user_pw, $statement)) {
$response["success"] = true;
$response["user_id"] = $user_id;
$response["user_pw"] = $user_pw;
echo json_encode($response);
} else {
$response["success"] = false;
echo json_encode($response);
}
?>
>
正如所指出的那样,您错过了通过在 sql 查询中直接嵌入未经处理的用户输入来使用准备好的语句的好处 - 在 sql 中使用占位符并将您的输入数据绑定到该语句.
<?php
if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST["user_id"], $_POST["user_pw"] ) ){
# use a placeholder in the sql for the user supplied data
$sql='select `user_pw` from `user` where `user_id`=?';
# attempt to create the prepared statement
$stmt=$con->prepare( $sql );
$response=[
'success' => false,
'user_id' => false,
'user_pw' => false
];
if( $stmt ){
# bind the user data to the placeholder & execute the query
$stmt->bind_param( 's', $_POST["user_id"] );
$res=$stmt->execute();
# process the result & bind new variables to each field in recordset
if( $res ){
$stmt->store_result();
$stmt->bind_result( $pwd );
$stmt->fetch();
# check the supplied password against hash from db
$status=password_verify( $_POST["user_pw"], $pwd );
if( $status ){
$response=[
'success' => $status,
'user_id' => $_POST["user_id"],
'user_pw' => $_POST["user_pw"]
];
}
$stmt->free_result();
$stmt->close();
}
}else{
exit('Failed to create sql statement');
}
exit(json_encode($response));
}
?>
谁能告诉我为什么即使输入了正确的值我仍然返回 FALSE?
在执行这段代码之前,将密码存入数据库。 $encrypted_pw = password_hash ($user_pw, PASSWORD_DEFAULT);
<?php
//From Android to php
$user_id = $_POST["user_id"];
$user_pw = $_POST["user_pw"];
$statement = mysqli_prepare($con, "SELECT user_pw FROM USER WHERE user_id = $user_id");
mysqli_stmt_execute($statement);
mysqli_stmt_store_result($statement);
//USERDB contains the password that has already been hashed.
$response = array();
if(password_verify($user_pw, $statement)) {
$response["success"] = true;
$response["user_id"] = $user_id;
$response["user_pw"] = $user_pw;
echo json_encode($response);
} else {
$response["success"] = false;
echo json_encode($response);
}
?>
>
正如所指出的那样,您错过了通过在 sql 查询中直接嵌入未经处理的用户输入来使用准备好的语句的好处 - 在 sql 中使用占位符并将您的输入数据绑定到该语句.
<?php
if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST["user_id"], $_POST["user_pw"] ) ){
# use a placeholder in the sql for the user supplied data
$sql='select `user_pw` from `user` where `user_id`=?';
# attempt to create the prepared statement
$stmt=$con->prepare( $sql );
$response=[
'success' => false,
'user_id' => false,
'user_pw' => false
];
if( $stmt ){
# bind the user data to the placeholder & execute the query
$stmt->bind_param( 's', $_POST["user_id"] );
$res=$stmt->execute();
# process the result & bind new variables to each field in recordset
if( $res ){
$stmt->store_result();
$stmt->bind_result( $pwd );
$stmt->fetch();
# check the supplied password against hash from db
$status=password_verify( $_POST["user_pw"], $pwd );
if( $status ){
$response=[
'success' => $status,
'user_id' => $_POST["user_id"],
'user_pw' => $_POST["user_pw"]
];
}
$stmt->free_result();
$stmt->close();
}
}else{
exit('Failed to create sql statement');
}
exit(json_encode($response));
}
?>