为什么 PHP PDO 没有从我的数据库中提取任何内容(更具体地说是 UserPassword 列)

Why is PHP PDO not pulling anything from my database (More specifically the UserPassword Column)

我想提取用户的哈希值(保存在 UserPassword 下)Picture of UserPassword column in DB 运行 通过 password_verify()。问题是,它没有 return 任何东西。这是我的代码: HTML:

   <div class="userInfo">
      <form method="post">
        <p>Username: </p>
        <input type="text" name="Username" required>
        <p>Password: </p>
        <input type="password" name="Password" required>
        <br><br>
        <input type="submit" name = "submit" value="Log In"></button>
      </form>
    </div>

PHP:

<?php
    if(isset($_POST['submit'])) {
      $tblusername = $_POST['Username'];
      $tblpasswordU = $_POST['Password'];

      $servername = "localhost";
      $username = "mealplan";
      $password = "";
      
      try {
        $conn = new PDO("mysql:host=$servername;dbname=mealplan", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $conn->prepare("SELECT UserName FROM tblUsers WHERE UserName = :tblusername");
        $stmt->bindParam(':tblusername', $tblusername);
        $stmt->execute();

        if($stmt->rowCount() > 0){
        }else{
          die("Incorrect Username or Password");
        }
        $stmt = $conn->prepare("SELECT UserPassword FROM tblUsers WHERE UserName = :username");
        $stmt->bindParam(':username', $tblusername);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (password_verify($tblpasswordU, $row['UserPassword']) == true) {
            echo "Signed in successfully";
        } else {
            die("Incorrect username or password");
        }
      } catch(PDOException $e) {
        echo "<style>.hidden { visibility: visible; } .shown { visibility: hidden; font-size: 0px }</style>";
      }
    }
    ?>

我回应哈希和用户名是我测试的一部分。这是输出:不正确的用户名或密码 [] [123](123 是我的测试用户)

快速说明:$tblpasswordU 是用户输入的未经验证的密码。

保存在数据库中的密码是散列的,所以不能直接在SQL中匹配。您需要获取用户名的密码。然后你使用 password_verify() 检查用户输入的密码是否哈希到相同的东西。

此外,您必须从查询中获取行。

没有必要使用两个查询。只需使用一个查询来测试用户名是否存在并获取密码。

<?php
if(isset($_POST['submit'])) {
    $tblusername = $_POST['Username'];
    $tblpasswordU = $_POST['Password'];

    $servername = "localhost";
    $username = "mealplan";
    $password = "";
      
    try {
        $conn = new PDO("mysql:host=$servername;dbname=mealplan", $username, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $conn->prepare("SELECT UserPassword FROM tblUsers WHERE UserName = :tblusername");
        $stmt->bindParam(':tblusername', $tblusername);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) { // This is just for debugging, in production you shouldn't distinguish wrong username and wrong password
            die("Username not found");
        }
        if ($row && password_verify($tblpasswordU, $row['UserPassword'])) {
            echo "Signed in successfully";
        } else {
            die("Incorrect username or password");
        }
    } catch(PDOException $e) {
        echo "<style>.hidden { visibility: visible; } .shown { visibility: hidden; font-size: 0px }</style>";
    }
}
?>