Codeigniter中的密码验证

dffbzjpn  于 2023-06-03  发布在  其他
关注(0)|答案(3)|浏览(205)

大家好,我有这个问题,当我验证登录在codeigniter,似乎它不检查所需的密码在我的数据库。所需的密码在我的数据库是散列使用此

$password_hash = password_hash($password, PASSWORD_BCRYPT);

我也使用这个哈希来测试它的能力和安全性。
在我的日志视图中的代码是:

<div class="container">
  <div class="card card-login mx-auto mt-5">
    <div class="card-header">Login</div>
    <div class="card-body">
      <form method = "post" action=<?php echo base_url("Ec_controller/login"); ?> >
        <div class="form-group">
          <label for="Username">Username</label>
          <input class="form-control" id="username" name="username" type="text" aria-describedby="emailHelp" placeholder="Enter Username">
        </div>
        <div class="form-group">
          <label for="Password">Password</label>
          <input class="form-control" id="password" name= "password" type="password" placeholder="Enter Password">
        </div>
        <div class="form-group">
          <div class="form-check">
            <label class="form-check-label">
              <!-- <input class="form-check-input" type="checkbox"> Remember Password</label> -->
          </div>
        </div>        
        <input type="submit" name="submit" id="submit" class="btn btn-primary btn-xm" value="Log In" />
      </form>
      <div class="text-center">
        <!-- <a class="d-block small" href="#">Forgot Password?</a> -->
      </div>
    </div>
  </div>
</div>

在我的控制器上:

public function login(){

    $this->load->library('form_validation');

    $this->form_validation->set_rules('username', 'Username', 'required|trim|callback_validate_credentials');
    $this->form_validation->set_rules('password', 'Password', 'required|trim');

    $username = $this->input->post('username');
    $password = $this->input->post('password');
    $user_id ="";

    if($this->form_validation->run()){

            $data = array(
                'log_username' => $username,
                'is_logged_in' =>1

            );
            $this->session->set_userdata($data);
            $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                             ->from("ec_login")
                             ->where("log_username", $username)
                             ->get();


            foreach($sql2->result() as $user_level){

                $user_id = $user_level->log_userlevel;

            }
            if($user_id == 1){

                redirect('Ec_controller/view_admin');

            }elseif ($user_id == 2) {

                redirect('Ec_controller/view_it');
            }else{

                redirect("Ec_controller/index");
            }

    }else{

        redirect('Ec_controller/index');
    }

}

public function validate_credentials(){

    $this->load->model('Ec_model');

    if($this->Ec_model->can_log_in()){
        return true;
    }else{
        $this->form_validation->set_message('validate_credentials', '<font color=red>Incorrect username/password</font>');
        return false;
    }
}

关于我的模型:
public function getString(){

$this->db->where('log_username', $this->input->post('username'));
$this->db->where('log_password', password_verify($this->input->post('password'), PASSWORD_BCRYPT));       
$query = $this->db->get('ec_login');

  if($query->num_rows() == 1)
   {        
     return true;
   }else{
      return false;
   }
}

当我把用户名它验证所需的用户名和唯一的问题是密码,无论我把密码它验证和重定向到特定的页面/视图,这听起来很疯狂。一点帮助和一点解释会有很大的帮助。

waxmsbnn

waxmsbnn1#

解决了
我是如此完全愚蠢的没有仔细阅读PHP手册上的password_verify()的使用。我现在终于明白了这是我对我的问题的回答,一个更新的问题。

public function login(){

$this->load->library('form_validation');

$this->form_validation->set_rules('username', 'Username', 'required|trim');
$this->form_validation->set_rules('password', 'Password', 'required|trim');

$username = $this->input->post('username');
$password = $this->input->post('password');
$user_id ="";

if($this->form_validation->run()!= true){

        redirect('Ec_controller/index');

}else{


        $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                         ->from("ec_login")
                         ->where("log_username", $username)
                         ->get();


        foreach($sql2->result() as $user_level){

            $user_id = $user_level->log_userlevel;
            $user_password_db = $user_level->log_password;

        }

        $data = array(

            'log_username'  =>$username,
            'log_userlevel' =>$user_id,
            'log_password'  =>$user_password_db,
            'is_logged_in'  =>1

        );
        $this->session->set_userdata($data);

        if(password_verify($password,$user_password_db) && $user_id == 1){

            redirect('Ec_controller/view_admin');

        }elseif (password_verify($password,$user_password_db) && $user_id == 2) {

            redirect('Ec_controller/view_it');
        }else{

            redirect("Ec_controller/index");
        }



}

}
这让我头疼,但这是值得的,我对结果感到高兴。

ki1q1bka

ki1q1bka2#

在登录函数中,您不会根据数据库中的值检查密码,因此查询只是匹配用户名而忽略密码。您需要将以下内容添加到db查询中:

$password_hash = password_hash($password, PASSWORD_BCRYPT);
...
->where('log_password', $password_hash)

您还应该移动这一行:$this->session->set_userdata($data);到查询下面,并将其放入if语句中:

if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}

所以整个事情看起来像:

$password_hash = password_hash($password, PASSWORD_BCRYPT);

$sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                             ->from("ec_login")
                             ->where("log_username", $username)
                             ->where('log_password', $password_hash)
                             ->get();
if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}
1szpjjfi

1szpjjfi3#

callback in your controller:

public function password_check($str)
{
   if (preg_match('#[0-9]#', $str) && preg_match('#[a-zA-Z]#', $str)) {
     return TRUE;
   }
   return FALSE;
}
Then, update your rule to use it:

$this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]|min_length[8]|alpha_numeric|callback_password_check');

相关问题