0

堆栈溢出。

我正在尝试为我的网站制作一个登录系统,使用 PHP 的password_*密码哈希/验证功能,但password_verify()即使我输入正确的密码,它也总是返回 false。

基本流程是: - signup.php 中的哈希密码(使用预设盐进行测试)

我知道这是非常不安全的(一旦它起作用,我会收紧它),但这是我的测试代码。

散列:(signup.php)

<?php
// include my custom MySQL function (it definitely works fine)
if($_REQUEST['username'] && $_REQUEST['password']):

    $db = connectMySQL(); // custom function, returns mysqli object for my DB
    if($db->connect_errno > 0){ 
        die('Unable to connect to database [' . $db->connect_error . ']'); 
    } 

    $username = $db->escape_string($_REQUEST['username']);

    $password = $db->escape_string($_REQUEST['password']);

    $sql = $db->prepare("UPDATE `users` SET `password` = ? WHERE `username` = ?"); 

    $hashed = password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!"));

    echo "<pre>".$password." Hashed: <pre>".$hashed."</pre><br><br>"; 

    $sql->bind_param('ss', $hashed, $username); 

    if(!$sql->execute()){ 
        die('There was an error running the query [' . $db->error . ']'); 
    } else { 
        echo "Successfully executed SQL"; 
    }

else: ?> 

<form method="GET" action="signup.php"><!--HORRENDOUSLY INSECURE--> 
    Username: <input type="text" name="username"><br> 
    New Password: <input type="password" name="password"><br> 
    <input type="submit">
</form> 

<?php endif; ?>

验证:(login.php)

<?php

if($_REQUEST['username'] && $_REQUEST['password']):

    $db = connectMySQL();

    if($db->connect_errno > 0){
        die('Unable to connect to database [' . $db->connect_error . ']');
    }

    $username = $db->escape_string($_REQUEST['username']);

    $password = $db->escape_string($_REQUEST['password']);

    $sql = $db->prepare("SELECT * FROM `users` WHERE `username` = ?");

    $sql->bind_param('s', $username);

    if(!$sql->execute()){
        die('There was an error running the query [' . $db->error . ']');
    }

    $result = $sql->get_result();
    $udata = array();
    while ($data = $result->fetch_assoc()) {
        var_dump($data);echo "<br><br>";
        $udata[] = $data;
    }

    echo "<pre>";

    var_dump($udata);

    echo "</pre>";

    echo "Password verify says <pre>";var_dump(password_verify($password, $udata['password']));

    echo "</pre><br>PW: <pre>".$password."</pre> / Hash: <pre>".$udata[0]['password']."</pre><br>";

    echo "Entered password:";var_dump($password);echo "<br>";

    echo "Hash SHOULD be:";var_dump(password_hash($_REQUEST_['password'], PASSWORD_DEFAULT, array("cost" => 10, "salt" => "PleaseDoNotTellAnyoneMySalt!")));    echo "<br>";

    if(password_verify($password, $udata[0]['password'])):
        echo "you are who you say you are";
    else:
        echo "wrong password, <a href='?'>try again</a>";
        echo "Password algo info:";var_dump(password_get_info($udata[0]['password']));echo "<br>";
    endif;

else: ?>

    <form method="GET" action="login.php"><!--INSECURE, USE POST AFTER TESTING-->
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="password"><br>
        <input type="submit">
    </form>

<?php endif; ?>

哈希肯定存储在数据库中,并且肯定可以正常检索,只是 password_verify() 没有任何内容。

我真的很感激这里的一些帮助。:)

谢谢。

4

1 回答 1

1

代码中发现的几个问题的列表:

使用$_REQUEST_['password']代替$_REQUEST['password']

使用 of$udata['password']代替$udata[0]['password'](仅与调试相关)。

根据评论,主要问题是(我认为)生成哈希时的第一项。

于 2015-12-09T12:21:28.087 回答