Password_Hash，Mysql，SetFetchMode，Password_verify

Question

在我被釘在十字架上之前，我已經有一個星期了，如果有人能幫上忙，我會很感激。我也閱讀了關於這個平臺上所有關於password_hash和password_verify的文章，但是沒有一個解決方案適用於我，從字符串長度和數據庫長度等等，所以我決定發佈我的問題。

我正在寫登錄腳本，我用password_verify;我剛剛學會了PHP的安全性，並希望改進我的代碼。

每次我嘗試登錄時，它都不會登錄。

public function create() { 

    // Don't forget your SQL syntax and good habits: 
    // - INSERT INTO table (key, key) VALUES ('value', 'value') 
    // - single-quotes around all values 
    // - escape all values to prevent SQL injection 
    /* $sql = "INSERT INTO users (username, password, first_name, last_name) 
         VALUES(?, ?, ?, ?)";*/ 
    $sql = "INSERT INTO users (username, password, email, date_created) 
         VALUES(:username, :password, :email, :date_created)"; 
    try { 
     // prepare sql and bind parameters 
     $core = ConnectionManager::getInstance(); 
     $stmt = $core->con->prepare($sql); 
     /*$stmt = $db->prepare("INSERT INTO users (id, username, password, first_name, last_name) 
      VALUES (:id, :username, :password, :first_name, :last_name");*/ 
     //$stmt->bindParam(':id', 1); 

     $username = $this->username; 
     $password = password_hash($this->password, PASSWORD_BCRYPT); 
     $email = $this->email; 
     $date_created = strftime("%Y-%m-%d %H:%M:%S", time()); 

     /*$username = "boiy"; 
     $password = password_hash("redrum", PASSWORD_BCRYPT); 
     $email = "bdboiy@gmail.com"; 
     $date_created = strftime("%Y-%m-%d %H:%M:%S", time());*/ 

     $stmt->bindParam(':username', $username, PDO::PARAM_STR); 
     $stmt->bindParam(':password', $password, PDO::PARAM_STR); 
     $stmt->bindParam(':email', $email, PDO::PARAM_STR); 
     $stmt->bindParam(':date_created', $date_created, PDO::PARAM_STR); 

     if($stmt->execute()) { 
      $this->id = $core->con->lastInsertId(); 
      echo "New records created successfully"; 
      return true; 
     } else { 
      return false; 
     } 

    } catch (PDOException $e) { 
     echo "Insert Error: " . $e->getMessage(); 
    } 
} 

這是爲了創建一個新用戶。有效。

然後我試圖登錄用戶：

if($session->is_logged_in()) {redirect_to("admin.php");} 

// Remember to give your form's submit tag a name="submit" attribute! 
if (isset($_POST['submit'])) { // Form has been submitted. 

    $username = trim($_POST['username']); 
    $password = trim($_POST['password']); 
    $YRJWA = "YRJWA"; 
    $string = "$2y$10$$YRJWA/EJQGkmqev6VlpteOXHwF6DeQWcU1x1uGqmOdY4CDK5.oJYi"; 

    // Check database to see if username/password exist. 
    $found_user = User::authenticate($username, $string); 


    if ($found_user) { 
     //if (password_verify($password, $found_user->password)) { 
      $session->login($found_user); 
      log_action('Login', "{$found_user->username} logged in."); 
      redirect_to("admin.php"); 
     //} 
    } else { 
     // username/password combo was not found in the database 
     $message = "Username/password combination incorrect."; 
    } 

} else { // Form has not been submitted. 
    $username = ""; 
    $password = ""; 
} 

當我做到這一點，這是行不通的。 當我把password_verify，它不起作用，所以我評論它在上面的代碼中看到。

然後我創建了一個新的頁面，並測試了我的代碼有：

$YRJWA = "YRJWA"; 
$string = "$2y$10$$YRJWA/EJQGkmqev6VlpteOXHwF6DeQWcU1x1uGqmOdY4CDK5.oJYi"; 
//$string = 'redrum'; 
echo "<hr>"; 
$found_user = User::authenticate('boiy', $string); 
print_r($found_user); 
echo "<br>"; 
/*echo strlen($found_user->password);*/ 
/*echo utf8_encode($found_user->password); 
echo utf8_decode($found_user->password);*/ 
echo "<br/>"; 
//echo substr($found_user->password, 0, 60); 
var_dump($found_user->password); 

echo "<br>"; 
if(password_verify('redrum', $found_user->password)) { 
    echo "Valid"; 
} else { 
    echo "Invalid"; 
} 
ConnectionManager::close(); 

當我直接用密碼從數據庫，它返回正確的數據，並打印「有效」。

當我刪除了評論，並嘗試「redum」它給這個錯誤

注意：試圖讓用C非對象的屬性：\ XAMPP \ htdocs中\財富加\私人\的index.php上線36 NULL

注意：試圖讓非對象的屬性在C：\ XAMPP \ htdocs中\財富加\就行私人\的index.php 39 無效

public static function authenticate($username="", $password="") { 
    $sql = "SELECT username, password FROM users WHERE username = :username AND password = :password LIMIT 1"; 
    try { 

      $core = ConnectionManager::getInstance(); 
      $stmt = $core->con->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); 
      $stmt->execute([':username' => $username, ':password' => $password]); 
      $stmt->setFetchMode(PDO::FETCH_CLASS, "User"); 
      $users = $stmt->fetch(); 
     //if (password_verify($password, $users->password)) { 
      return $users; 
     //} 
    //return !empty($users) ? array_shift($users) : false; 
    }catch (PDOException $e) { 
     echo "Error: " . $e->getMessage(); 
    } 
} 

Answer 1

如果保存散列密碼，則無法通過密碼查找它。你需要做的是獲取用戶記錄，然後使用password_verify驗證密碼。

你甚至有這樣的代碼在那裏的殘疾：

public static function authenticate($username, $password) { 
    try { 
     $core = ConnectionManager::getInstance(); 
     $stmt = $core->con->prepare("SELECT password FROM users WHERE username = :username";, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY)); 
     $stmt->execute([ ':username' => $username ]); 
     $stmt->setFetchMode(PDO::FETCH_CLASS, "User"); 

     $user = $stmt->fetch(); 

     if (password_verify($password, $user['password'])) { 
      return $users; 
     } 
    } catch (PDOException $e) { 
     echo "Error: " . $e->getMessage(); 

     return false; 
    } 
} 

記住，添加的東西像username一個UNIQUE約束，你將不必擔心LIMIT 1，因爲這將是不可能拿到兩行。