我正在尝试将Phpass添加到我的网站,但无论我做什么,我都无法让$check布尔值返回true让我实际登录,到目前为止,我已经设法用它加密我的密码并将其存储在数据库中,但检查它失败了。
<?php
if(isset($_POST['Login'])){
$EM = $_POST['Email'];
// Password from form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
// Just in case the hash isn't found
$stored_hash = "*";
// Retrieve the hash that you stored earlier
$stored_hash = "this is the hash we stored earlier";
// Check that the password is correct, returns a boolean
$check = $hasher->CheckPassword($PW, $stored_hash);
if ($check) {
// passwords matched! show account dashboard or something
$result = $con->query("select * from user where Email='$EM' AND Password='$PW'");
$row = $result->fetch_array(MYSQLI_BOTH);
session_start();
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
} else {
// passwords didn't match, show an error
header('Location: Fail.php');
}
}
因为我一直在尝试添加到现有登录名,所以我想知道我是否有多余的代码只是破坏它?或者也许我只是把它搞砸了,因为无论我在登录时尝试什么,唯一会加载的是
header('Location: Fail.php');:|
提前感谢!
编辑:对,我有一个将散列密码保存到数据库的寄存器文件:
if(isset($_POST['Register'])){
session_start();
$FName = $_POST['First_Name'];
$LName = $_POST['Last_Name'];
$Email = $_POST['Email'];
// In this case, the password is retrieved from a form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
// The $hash variable will contain the hash of the password
$hash = $hasher->HashPassword($PW);
if (strlen($hash) >= 20) {
// Store the hash somewhere such as a database
// The code for that is up to you as this tutorial only focuses on hashing passwords
$sql = $con->query("INSERT INTO user (Fname, Lname, Email, Password)Values('{$FName}','{$LName}', '{$Email}', '{$hash}')");
} else {
// something went wrong
}
echo $hash;
// $StorePassword = password_hash($PW, PASSWORD_BCRYPT, array('cost' => 10));
header('Location: Login.php'); //Redirect here when registering
然后我希望从数据库中读取它,将其与输入的密码等进行比较。
如何从 mysqli 数据库中提取该信息进行比较? 并希望它能工作?
这是我遵循的教程:https://sunnysingh.io/blog/secure-passwords
if(isset($_POST['Login'])){
$EM = $_POST['Email'];
// Password from form input
$PW = $_POST["Password"];
// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($PW) > 72) { die("Password must be 72 characters or less"); }
$result = $con->query("select * from user where Email='$EM'");
$row = $result->fetch_array(MYSQLI_BOTH);
if ($row) {
// Check that the password is correct, returns a boolean
$check = $hasher->CheckPassword($PW, $row['Password']);
if ($check) {
// passwords matched! show account dashboard or something
session_start();
$_SESSION["UserID"] = $row['UserID'];
header('Location: Account.php');
exit;
}
}
// passwords didn't match, show an error
header('Location: Fail.php');
}