当我注册密码时,我在登录页面中使用password_hash时遇到问题,但是当我登录时,它会在我的代码中运行 else 部分
这是我的登录代码
function login(){
global $db, $username, $errors, $disable, $hashed_password;
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (count($errors) == 0) {
$password = password_verify($password, $hashed_password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_status'] == 'Active') {
$_SESSION['user'] = $logged_in_user;
}else{
array_push($disable, "Your Account has been disabled");
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
这是我散列密码的部分
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
使用预准备语句,然后从数据库中获取散列密码,并将其与password_verify()
中的$_POST['password']
进行匹配。
一般来说,不鼓励使用 global
- 您应该将参数传递给函数。
function login(){
global $db, $errors, $disable;
if (isset($_POST['username'])) {
$stmt = $db->prepare("SELECT id, password, user_status FROM users WHERE username=?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$stmt->bind_result($user_id, $hashed_password, $user_status);
if ($stmt->fetch() && password_verify($_POST['password'], $hashed_password)) {
if ($user_status == 'Active') {
$_SESSION['user'] = $user_id;
} else {
$disable[] = "Your Account has been disabled";
}
} else {
$errors[] = "Wrong username/password combination";
}
$stmt->close();
}
}