1. 首頁
  2. 問答
  3. 驗證並創建哈希密碼錯誤,我可以用哈希密碼創建一個帳戶,但是,我無法驗證它?

驗證並創建哈希密碼錯誤,我可以用哈希密碼創建一個帳戶,但是,我無法驗證它?

2016-12-20 39 views
0 
<?php 
require "Common.php"; 
$player_username = $_POST ["usernamePost"]; 
$player_password = $_POST ["passwordPost"]; 
$hashed_password = password_hash($player_password, PASSWORD_DEFAULT); 

$conn = new mysqli ($server_host, $server_username, $server_password, $server_dbName); 

$result = mysqli_query ($conn, "SELECT * FROM users WHERE Username ='$player_username' and Password = ''"); 
$count = mysqli_num_rows($result); 

if ($count == 1) { 
    while ($row = mysqli_fetch_assoc ($result)) { 
     if (password_verify($player_password, $hashed_password)) { 
      echo "Signing in...<br>"; 
      echo "ID:".$row ['ID'] . "|Username:".$row ['Username'] . "|Score:".$row ['Score'] . "|Status:".$row ['Status']; 
     } 
    } 
} 
else { 
    echo "Incorrect username or password."; 
} 
?>

第二個代碼段:驗證並創建哈希密碼錯誤,我可以用哈希密碼創建一個帳戶,但是,我無法驗證它?

<?php 
require "Common.php"; 
$player_username = $_POST ["usernamePost"]; 
$player_password = $_POST ["passwordPost"]; 
$hashed_password = password_hash($player_password, PASSWORD_DEFAULT); 

$conn = new mysqli ($server_host, $server_username, $server_password, $server_dbName); 
    $queryCode = "SELECT * FROM users WHERE Username = '$player_username'"; 
    $query = mysqli_query ($conn, $queryCode); 
    if (mysqli_num_rows($query) > 0) { 
     echo "Username already exists."; 
    } else { 
     $sql = "INSERT INTO users (Username, Password) 
     VALUES ('".$player_username."','".$hashed_password."')"; 
     $result = mysqli_query ($conn,$sql); 
     echo "User created."; 
    } 
?>

我可以創建一個帳戶與哈希密碼,但是,我不能用它登錄。我在本網站上查看了有關我的問題的每篇文章。這是要麼我看着錯誤的線索,要麼我只是不明白他們在做什麼。

來源

2016-12-20 Omar Dajani

+0

確保在你的數據庫中的字段寬至少60個字符。您應該真的使用'VARCHAR(255)'來說明將來散列中的變化。 –

+2

從你的SELECT查詢中刪除這個''和Password =''「)' –

+0

另外,你有一些令人討厭的SQL注入漏洞,請參閱:[我怎樣才能防止SQL注入PHP?](http://stackoverflow.com/q/60174/3155639) –

回答

4

無法驗證散列密碼,因爲你是選擇具有空白密碼的用戶:

$result = mysqli_query ($conn, "SELECT * FROM users WHERE Username ='$player_username' and Password = ''");

從查詢中刪除密碼測試:

<?php 
require "Common.php"; 
$player_username = $_POST ["usernamePost"]; 
$player_password = $_POST ["passwordPost"]; 
$hashed_password = password_hash($player_password, PASSWORD_DEFAULT); 

$conn = new mysqli ($server_host, $server_username, $server_password, $server_dbName); 

$result = mysqli_query ($conn, "SELECT * FROM users WHERE Username ='$player_username'"); 
$count = mysqli_num_rows($result); 

if ($count == 1) { 
    $row = mysqli_fetch_assoc ($result); 
    if (password_verify($player_password, $row['hashed_password'])) { 
     echo "Signing in...<br>"; 
     echo "ID:".$row ['ID'] . "|Username:".$row ['Username'] . "|Score:".$row ['Score'] . "|Status:".$row ['Status']; 
    } 
} else { 
    echo "Incorrect username or password."; 
}

既然你只能返回一行你有太多的代碼。不需要一個while循環,你必須測試存儲在數據庫$row['hashed_password']中的密碼。

另外:

Little Bobbyyour script is at risk for SQL Injection Attacks.瞭解prepared報表MySQLi。即使escaping the string也不安全! Don't believe it?

編輯:下面是一個使用準備好的聲明和適當的錯誤檢查的例子:

require "Common.php"; 
$player_username = $_POST ["usernamePost"]; 
$player_password = $_POST ["passwordPost"]; 

$conn = new mysqli($server_host, $server_username, $server_password, $server_dbName); 

/* check connection */ 
if (mysqli_connect_errno()) { 
    echo "Connect failed: ", mysqli_connect_error()); 
    exit(); 
} 

$stmt = $conn->prepare("SELECT * FROM users WHERE Username =?"); // prepare with a placeholder for the variable 
$stmt->bind_param('s', $player_username); // bind the variable 
$stmt->execute(); // execute the query 
$row = $stmt->fetch_assoc(); // get the associative array 
if (password_verify($player_password, $row['hashed_password'])) { 
    echo "Signing in...<br>"; 
    echo "ID:".$row ['ID'] . "|Username:".$row ['Username'] . "|Score:".$row ['Score'] . "|Status:".$row ['Status']; 
} else { 
    echo "Incorrect username or password."; 
}

請記住,有一對夫婦的編碼和執行準備語句的方法。使用你最熟悉的方法。

Proper Password Preparation with PHP

The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger now will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.

設置密碼字段數據庫中的要大,例如

`password` text DEFAULT NULL

來源

2016-12-20 18:33:39

+0

謝謝你的幫助!你太棒了!我將密碼的長度更改爲255個字符,因爲看起來我可能不得不爲此腳本添加更多安全性。你有什麼建議可以爲這個腳本或我的註冊腳本添加更多的安全性嗎?我應該使用什麼算法?再次感謝你的幫助! :) –

+0

點擊鏈接瞭解如何爲您的所有查詢創建準備好的語句。這是你可以做的最大的事情來幫助你的腳本安全。 –

+0

謝謝!我只是看了你提供給我的維基百科鏈接。我不太清楚準備好的陳述將如何以及在何處輸入。他們會在上面的login.php腳本中替換結果變量嗎?謝謝:) –

相關問題

 相關問題