我有以下代码注册,它散列密码,我可以看到在数据库中成功散列
function newUser() {
$forename = $_POST['forename'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$securityq = $_POST['securityq'];
$securitya = $_POST['securitya'];
$password = $_POST['password'];
$hash = password_hash ($password, PASSWORD_BCRYPT );
$query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$hash')";
$data = mysql_query ($query)or die(mysql_error());
if($data)
{
}
}
和下面的代码是我的登录页面:
$email = $_POST['email'];
$password = $_POST['pass'];
function SignIn()
{
session_start();
if (!empty($_POST['email']))
{
$query = mysql_query ("SELECT * FROM admin where email = '$_POST[email]' AND password = '$_POST[pass]'");
$row = mysql_fetch_array ($query);
if(!empty($row['email']) AND !empty($row['password']))
{
$_SESSION['email'] = $row['password'];
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('Successful Login')
window.location.href='adminhome.php';
</SCRIPT>");
}
else
{
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('Invalid Login Credentials')
window.location.href='adminsignin.php';
</SCRIPT>");
}
}
}
if(isset($_POST['submit']))
{
SignIn();
}
但是我用密码根本无法登录。我已经摆弄了代码的签名,但找不到我需要改变来解决这个问题,非常感谢,提前。
您从未散列登录表单提供的密码,因此您正在执行
if (real password == hashed string)
永远不会匹配。你需要一些像
这样的东西$hash = password_hash ($_POST['password'], PASSWORD_BCRYPT );
$sql = "SELECT ... WHERE hash='$hash'";
当然,你有大开的SQL注入攻击漏洞,所以你的登录表单是完全无用的。
使用SQL语句搜索散列密码是不可能的,因为散列是加盐的。相反,您可以从数据库读取散列,然后检查该散列是否与提供的密码匹配:
SELECT password FROM admin where email = ?
使用数据库中的这个哈希值,您可以验证密码:
$isPasswordCorrect = password_verify($_POST[pass], $existingHashFromDb);