1

我正在尝试将 Phpass 添加到我的网站,但无论我做什么,我都无法让 $check 布尔值返回 true 以让我实际登录,到目前为止,我已经设法用它加密我的密码并存储它在数据库上,但对其进行检查失败。

<?php

if(isset($_POST['Login'])){

    $EM = $_POST['Email'];

    // Password from form input
    $PW = $_POST["Password"];

    // Passwords should never be longer than 72 characters to prevent DoS attacks
    if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }

    // Just in case the hash isn't found
    $stored_hash = "*";

    // Retrieve the hash that you stored earlier
    $stored_hash = "this is the hash we stored earlier";

    // Check that the password is correct, returns a boolean
    $check = $hasher->CheckPassword($PW, $stored_hash);

    if ($check) {
    // passwords matched! show account dashboard or something

    $result = $con->query("select * from user where Email='$EM' AND Password='$PW'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    session_start();

    $_SESSION["UserID"] = $row['UserID'];

    header('Location: Account.php');


    } else {

     // passwords didn't match, show an error
    header('Location: Fail.php');
    }


}

因为我一直在尝试添加到现有登录名,所以我想知道我是否有多余的代码会破坏它?或者也许我只是把它搞砸了,因为无论我在登录时尝试什么,唯一会加载的是

header('Location: Fail.php');:|

提前致谢!

编辑:对,我有一个将散列密码保存到数据库的注册文件:

if(isset($_POST['Register'])){

    session_start();
    $FName  = $_POST['First_Name'];
    $LName  = $_POST['Last_Name'];
    $Email  = $_POST['Email'];

    // In this case, the password is retrieved from a form input
    $PW = $_POST["Password"];

    // Passwords should never be longer than 72 characters to prevent DoS attacks
    if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }

    // The $hash variable will contain the hash of the password
    $hash = $hasher->HashPassword($PW);

    if (strlen($hash) >= 20) {

    // Store the hash somewhere such as a database
    // The code for that is up to you as this tutorial only focuses on hashing passwords
    $sql = $con->query("INSERT INTO user (Fname, Lname, Email, Password)Values('{$FName}','{$LName}', '{$Email}', '{$hash}')");

    } else {

     // something went wrong

    }

    echo $hash;

//  $StorePassword = password_hash($PW, PASSWORD_BCRYPT, array('cost' => 10));



    header('Location: Login.php'); //Redirect here when registering

然后我希望从数据库中读取它,将其与输入的密码等进行比较。

如何从 mysqli db 中提取该信息以进行比较?并希望让它发挥作用?

这是我正在关注的教程:https ://sunnysingh.io/blog/secure-passwords

4

1 回答 1

0 

if(isset($_POST['Login'])){

    $EM = $_POST['Email'];

    // Password from form input
    $PW = $_POST["Password"];

    // Passwords should never be longer than 72 characters to prevent DoS attacks
    if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }

    $result = $con->query("select * from user where Email='$EM'");

    $row = $result->fetch_array(MYSQLI_BOTH);

    if ($row) {

        // Check that the password is correct, returns a boolean
        $check = $hasher->CheckPassword($PW, $row['Password']);

        if ($check) {
            // passwords matched! show account dashboard or something

            session_start();

            $_SESSION["UserID"] = $row['UserID'];

            header('Location: Account.php');
            exit;
        }
    }

     // passwords didn't match, show an error
    header('Location: Fail.php');

}
于 2016-02-06T17:30:48.100 回答