密码正确时显示PHP登录验证消息

问题描述 投票:1回答:1

我已经使用PHP为我的网站创建了一个登录页面。对于验证,如果用户名不存在,密码错误或用户未输入任何一个,我希望显示错误消息。除了验证密码是否正确之外,我的大部分验证工作都可以进行。我使用的代码如下。我相信问题在于password_verify if语句。即使密码正确,也会出现错误消息,提示用户密码不正确。

<?php
// Initalise session
session_start();

//Check if the user is already logged in, if yes then redirect to members page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
header("location: members.php");
exit;
}

//Include config file
require_once "config.php";

//Define variables and initalise with empty values
$username = $password = "";
$username_err = $password_err = "";

//Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

   //Check if username is empty
   if(empty(trim($_POST["username"]))){
      $username_err = "Please enter your username.";
   } else{
      $username = trim($_POST["username"]);
   }

   //Check if password is empty
   if(empty(trim($_POST["password"]))){
      $password_err = "Please enter your password.";
   } else{
      $password = trim($_POST["password"]);
   }

//Validate credentials
if(empty($username_err) && empty($password_err)){
    //Prepare a select statement
    $sql = "SELECT username, password FROM users WHERE username = ?";

    if($stmt = $mysqli->prepare($sql)){
        //Bind variables to the prepared statement as parameters
        $stmt->bind_param("s", $param_username);

        //Set parameters
        $param_username = $username;

        //Attempt to execute the prepared statement
        if($stmt->execute()){
            //Store result
            $stmt->store_result();

            //Check if username exists, if yes then verify password
            if($stmt->num_rows == 1){
                //Bind result variables
                $stmt->bind_result($username, $password);

                if($stmt->fetch()){
                    if(password_verify($password, $_POST['password'])){
                        //Password is correct, so start a new session
                        session_start();

                        //Store data in session variables
                        $_SESSION["loggedin"] = true;
                        $_SESSION["username"] = $username;

                        //Redirect user to members page
                        header("location: members.php");
                    } else {
                        //Display an error message if password is not valid
                        $password_err = "The password you entered was not valid.";
                    }
                }
            } else{
                //Display an error message if username doesn't exist
                $username_err = "No account found with that username.";
            }
        } else{
            echo "Oops! Something went wrong. Please try again later.";
        }

        //Close statement
        $stmt->close();
    }
}

//Close connection
$mysqli->close();
}
 ?>
php validation authentication password-hash
1个回答
2
投票
if(password_verify($password, $_POST['password'])){

应该是

if(password_verify($_POST['password'], $password)){


NOTES
在散列之前,不必对它们进行escape passwords或使用任何其他清除机制。这样做更改密码,并导致不必要的附加编码。
Password hashes in PHP are at least 60 characters long,请确保存储密码的列较大,以便处理将来的哈希算法。 VARCHAR(255)TEXT有足够的存储空间以容纳将来的哈希。
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.