我正在为我正在创建的页面创建一个php函数,在该页面中注册用户并将他们的密码散列到mysql数据库users中。注册部分工作得很好,我看到用户被创建,他们的密码被散列,但当我尝试使用login.php并使用我保存的相同密码时,它不起作用。下面是我放在function.php中的代码:
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = esc($_POST['username']);
$password_1 = esc($_POST['password_1']);
$password_2 = esc($_POST['password_2']);
// form validation: ensure that the form is correctly filled
if (empty($username)) { array_push($errors, "Uhmm...We gonna need your username"); }
if (empty($password_1)) { array_push($errors, "uh-oh you forgot the password"); }
if ($password_1 != $password_2) { array_push($errors, "The two passwords do not match");}
// Ensure that no user is registered twice.
// the email and usernames should be unique
$user_check_query = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$result = mysqli_query($conn, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = password_hash($password_1, PASSWORD_DEFAULT);//encrypt the password before saving in the database
$user_dir = $_POST['username'];
$query = "INSERT INTO users (username, password, user_dir, status, admin)
VALUES('$username', '$password', '$user_dir', 'OPEN', 'N')";
mysqli_query($conn, $query);
// get id of created user
$reg_user_id = mysqli_insert_id($conn);
// put logged in user into session array
$_SESSION['user'] = getUserById($reg_user_id);
// if user is admin, redirect to admin area
if ( in_array($_SESSION['user']['admin'], ["Y", "N"])) {
$_SESSION['message'] = "You are now logged in";
// redirect to admin area
header('location: ' . BASE_URL . 'admin/dashboard.php');
// exit(0);
} else {
$_SESSION['message'] = "You are now logged in";
// redirect to public area
// header('location: index.php');
exit(0);
}
}
}很好用,但不起作用的部分是my login.php的登录函数:
// LOG USER IN
if (isset($_POST['login_btn'])) {
$username = esc($_POST['username']);
$password = esc($_POST['password']);
if (empty($username)) { array_push($errors, "Username required"); }
if (empty($password)) { array_push($errors, "Password required"); }
if (empty($errors)) {
Here is the problem--> $password = password_hash($password, PASSWORD_DEFAULT); // encrypt password
$sql = "SELECT * FROM users WHERE username='$username' and password='$password' LIMIT 1";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// get id of created user
$reg_user_id = mysqli_fetch_assoc($result)['id'];
// put logged in user into session array
$_SESSION['user'] = getUserById($reg_user_id);
// if user is admin, redirect to admin area
if ( in_array($_SESSION['user']['admin'], ["Y", "N"])) {
$_SESSION['message'] = "You are now logged in";
// redirect to admin area
// header('location: ' . BASE_URL . '/admin/dashboard.php');
exit(0);
} else {
$_SESSION['message'] = "You are now logged in";
// redirect to public area
// header('location: index.php');
exit(0);
}
} else {
array_push($errors, 'Wrong credentials');
}
}
}我想我的问题肯定是:
$password = password_hash($password, PASSWORD_DEFAULT); // encrypt password我试着用
$password = password_verify($password, mysqli_num_rows($result);什么也没发生,但我知道password\u verify函数的第2部分将$password与其在表中的位置相匹配,我假定该位置是行(因此尝试使用num\u行)。
非常感谢您的帮助。
2条答案
按热度按时间uqzxnwby1#
首先,我要检查整个散列是否正确地存储在mysql中。官方文件
password_hash()推荐varchar(255). 在大多数情况下,mysql不会抱怨,如果你试图INSERT大于列大小的哈希字符串。它只需执行静默截断并继续执行INSERT.如果密码哈希正确插入,则包含sql查询的原始代码:
应该有用。
jxct1oxe2#
补充
password_verify()验证登录,而不仅仅是sql一个。更新代码: