[当我尝试登录我的错误消息时说我输入了错误的密码,但是我输入了正确的密码,也许我使用了密码哈希PASSWORD_DEFAULT
<form class="form-signin" action="includes/User.php?task=login" method="POST">
<div class="form-label-group">
<label for="inputEmail">Email address</label>
<input type="email" name="email" id="inputEmail" class="form-control" placeholder="Email address" autofocus>
</div>
<div class="form-label-group">
<label for="inputPassword">Password</label>
<input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" >
</div>
<div class="custom-control custom-checkbox mb-3">
<input type="checkbox" class="custom-control-input" id="customCheck1">
</div>
<button class="btn btn-lg btn-primary btn-block text-uppercase" type="submit">Login</button>
<hr class="my-4">
</form>
我认为这段代码中有错误,也许这行$ hpass = password_hash($ pass,PASSWORD_DEFAULT);
$sql = "SELECT * FROM users WHERE username='$user' AND password='$hpass'";
if (isset($_GET['task']) && $_GET['task'] == "login") {
$user = $_POST['username'];
$pass = $_POST['password'];
$hpass = password_hash($pass, PASSWORD_DEFAULT);
$sql = "SELECT * FROM users WHERE username='$user' AND password='$hpass';";
$result = mysqli_query($conn, $sql);
$count = mysqli_num_rows($result);
if ($count == 1)
{
header("Location: personal.php");
}
else
{
echo "Username or password is incorrect!";
}
}
这不是您针对哈希验证密码的方式,因为password_hash()
每次都会生成一个新的salt。因此,尝试将其与SQL中存储在数据库中的哈希进行匹配是没有意义的。此外,您应该NEVER将用户提供的数据直接注入SQL中,因为这样会使您面临SQL注入漏洞以及基本的人为错误。例如,如果您的用户名是Mc'Lovin
,您的SQL查询将无意中失败。
相反,您需要做的只是选择带有用户名的行,获取密码字段(包含哈希密码),然后您需要对存储的哈希和用户提供的密码使用password_verify()
,以便验证它是正确的。
if (isset($_GET['task']) && $_GET['task'] == "login") {
// Lets use a prepared statement with parameterized query instead
$sql = "SELECT password FROM users WHERE username= ?";
if ($stmt= mysqli_prepare($conn, $sql)) { // statement was prepared successfully
mysqli_stmt_bind_param($stmt, "s", $_POST['username']); // bind the input
// now let's execute the statement
mysqli_stmt_execute($stmt);
// here we bind the result to a local variable
mysqli_stmt_bind_result($stmt, $storedHash);
// Now we just need to fetch the result from the database
mysqli_stmt_fetch($stmt);
/* If all is well then we should have the stored hash which we can now
compare safely against the user supplied password through password_verify()
which correctly determines if the input hashes properly against the stored hash
and also prevents other attack vectors like timing attacks, etc..
*/
if (password_verify($_POST['password'], $storedHash)) { // It's the right password :D
header("Location: personal.php");
} else { // It's the wrong password :(
echo "Username or password is incorrect!";
}
}
}
您的代码对sql注入开放,您需要使用prepare语句来防止注入:
这是一个简单的登录脚本,具有程序准备语句,并根据您的值,尝试使用比您更安全的方法。
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if username is empty
if(empty($_POST["username"])){
echo "Please enter username.";
} else{
$username = htmlspecialchars($_POST["username"]);
}
// Check if password is empty
if(empty($_POST["password"])){
echo "Please enter your password.";
} else{
$password = htmlspecialchars($_POST["password"]);
}
// Validate credentials
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT * password FROM members WHERE username = ?";
if($stmt = mysqli_prepare($conn, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = $username;
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result variables
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)){
// Password is correct, so start a new session
session_start();
// Store data in session variables
$_SESSION["loggedin"] = true;
$_SESSION["id"] = $id;
$_SESSION["username"] = $username;
// Redirect user to personal.php
header("location: personal.php");
} else{
// Display an error message if password is not valid
echo "The password you entered was not valid.";
}
}
} else{
// Display an error message if username doesn't exist
echo "No account found with that username.";
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
}
}