password_hash isn't letting users log in to their account

I recently updated my login system to use password_hash(), but it won't let my users log in. I used to use md5(), so you could say it needed updating. I'll leave the relevant code below; any help is much appreciated.

Users.php code

function recover($mode, $email) {
    $mode = sanitize($mode);
    $email = sanitize($email);
    $user_data = user_data(user_id_from_email($email), 'first_name', 'user_id', 'username', 'email', 'email_code');
    if ($mode == 'password') {
        // Build a temporary password from the first 14 characters of a hash
        $generated_password = substr(password_hash(rand(999, 999999), CRYPT_BLOWFISH), 0, 14);
        change_password($user_data['user_id'], $generated_password);
        update_user($user_data['user_id'], array('password_recover' => '1'));
        email($email, 'Your new password', "Hello " . $user_data['first_name'] . ",\n\nWe received a request to recover your account.\n\nYour new password is: " . $generated_password . "\n\n - FGS");
    }
}
function change_password($user_id, $password) {
    $user_id = (int)$user_id;
    $password = password_hash($password, CRYPT_BLOWFISH);
    mysql_query("UPDATE `users` SET `password` = '$password', `password_recover` = 0 WHERE `user_id` = $user_id");
}
function register_user($register_data) {
    array_walk($register_data, 'array_sanitize');
    $register_data['password'] = password_hash($register_data['password'], CRYPT_BLOWFISH);
    $fields = '`' . implode('`, `', array_keys($register_data)) . '`';
    $data = '\'' . implode('\', \'', $register_data) . '\'';
    mysql_query("INSERT INTO `users` ($fields) VALUES ($data)");
    email($register_data['email'], 'Your Account', "Hello " . $register_data['first_name'] . ",\n\nYour account is waiting moderation! Thanks for joining us. All you'll need to now is wait and we'll send you a email when your account has been activated just send a message from your GTA account and let us know that you registered your registration will only be successful if you are part of the FGS Crew if you decide to leave your account will become suspended \n\n- FGS");
}
function login($username, $password) {
    $user_id = user_id_from_username($username);
    $username = sanitize($username);
    // Hashes the submitted password and compares it against the stored column
    $password = password_hash($password, CRYPT_BLOWFISH);
    return mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'"), 0 == 1) ? $user_id : false;
}

Login page code

<?php
include ("$_SERVER[DOCUMENT_ROOT]/autoload.php");
logged_in_redirect();
if (isset($_GET['signin'])) {
    $errors[] = 'You need to be logged in to do that';
}
if (isset($_GET['relogin'])) {
    $errors[] = '<strong>There was a problem - </strong>Please try again, and if the problem persists then please contact ' . $title . '';
}
if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'You need to enter your username and password';
    } else if (user_exists($username) === false) {
        $errors[] = 'That user doesn\'t exist have you registered?';
    } else if (user_active($username) === false) {
        $errors[] = 'Your account is awaiting moderator approval';
    } else {
        $login = login($username, $password);
        if ($login === false) {
            $errors[] = 'Username and/or password combination is incorrect';
        } else if (user_suspended($username) === true) {
            $errors[] = '<strong>Account Suspended - </strong>Your account has been suspended please contact support for more information';
        } else {
            // Successful login: store the user id in the session and mark the user online
            $_SESSION['user_id'] = $login;
            $user_id = $_SESSION['user_id'];
            mysql_query("UPDATE `users` SET `online_now` = '1' WHERE `user_id` = $user_id");
            header("Location: $url");
            exit();
        }
    }
}
?>
   <form action="" method="post">
       <h4>Log In</h4>
       <input type="text" name="username" placeholder="Username" class="no-margin">
       <input type="password" name="password" placeholder="Password" class="no-margin">
       <input type="submit" value="Log In" class="btn no-margin">
   </form>

When they come to the site once I've fixed the error, they'll be asked to reset their password using the forgot-password page. I've done this with a test account and it still doesn't work.

Hash verification is wrong

password_hash() generates a random salt and hashes it together with the plaintext password. The result is different every time.

You should look up the user in the database, read the stored hash from there, and then use password_verify() to check whether the plaintext password from the login form produces the same hash that is stored in the database.

Bonus points if you use password_needs_rehash() to check whether the hash algorithm or parameters have improved, and if so hash the password again and store it. This lets all your hashes be upgraded to better hashes as users log in. You can't do this without the plaintext password, and you only have the plaintext password when the user logs in.

// $_POST['username'] contains the username from the login form,
// $_POST['password'] contains the password from the login form.
// Look up the row by username with a prepared statement (no manual escaping needed),
// then let password_verify() compare the submitted password with the stored hash.
$stmt = $mysqli->prepare('SELECT username, hash FROM users WHERE username = ?');
$stmt->bind_param('s', $_POST['username']);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc();
if ($user && password_verify($_POST['password'], $user['hash'])) {
    // user has the correct password
} else {
    // login fail (unknown user or wrong password)
}

I don't know why you first fetch the user id, then count rows, then do something. You should select the row matching the entered username and use password_verify().

function login($username, $password) {
    $username = sanitize($username);
    $sql = mysql_query("SELECT * FROM `users` WHERE `username`='" . $username . "' LIMIT 1");
    $row = mysql_fetch_assoc($sql);
    // No such user, or the stored hash does not match the submitted password
    if ($row === false || password_verify($password, $row['password']) !== true) {
        return false;
    }
    return $row['user_id'];
}

PS: Stop using the deprecated mysql_* functions; PHP no longer supports the mysql extension. Take a look at PDO.

Edit: consider using PASSWORD_DEFAULT instead of CRYPT_BLOWFISH (does it even work with that constant?). That way PHP will always use the newest and strongest implemented algorithm.
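The approach the two answers above describe (select the row by username, check it with password_verify(), upgrade the hash with password_needs_rehash() while the plaintext is available, use PASSWORD_DEFAULT, and use PDO with prepared statements), as one added example that is not part of the original question or of any answer. It creates an in-memory SQLite database inline so it runs stand-alone; the users table with user_id, username and password columns follows the question, while the cost option, the dummy-hash step for unknown usernames and the demo accounts are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Assumed hashing parameters for this example (not from the page).
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed in-memory database standing in for the question's MySQL table.
function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    return $pdo;
}

function register_user(PDO $pdo, string $username, string $password): int {
    // password_hash() picks a random salt and embeds it in the returned string,
    // so the hash is never compared by string equality; password_verify() does that.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return (int)$pdo->lastInsertId();
}

// Returns the user_id on success, false otherwise.
function login(PDO $pdo, string $username, string $password) {
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one password_verify() against a dummy hash so the
        // response time does not reveal whether the username exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
        }
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // Transparent upgrade: this is the only moment the plaintext is available,
    // so rehash here if the stored hash uses an older algorithm or weaker cost.
    if (password_needs_rehash($row['password'], HASH_ALGO, HASH_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE user_id = :id');
        $upd->execute([':p' => password_hash($password, HASH_ALGO, HASH_OPTIONS), ':id' => $row['user_id']]);
    }
    return (int)$row['user_id'];
}

// Demo with constructed accounts.
$pdo = make_db();
register_user($pdo, 'alice', 'correct horse battery staple');

// A legacy-style account hashed with a much lower bcrypt cost than HASH_OPTIONS.
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['bob', password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4])]);

foreach ([['alice', 'correct horse battery staple'], ['alice', 'wrong password'],
          ['nobody', 'anything'], ['bob', 'hunter2']] as [$u, $p]) {
    $result = login($pdo, $u, $p);
    printf("%-7s %-30s -> %s\n", $u, $p, $result === false ? 'rejected' : "user_id $result");
}

// After bob's successful login his stored hash has been rewritten with HASH_OPTIONS.
$hash = $pdo->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
printf("bob's hash now needs rehash: %s\n", password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS) ? 'yes' : 'no');
```

The login path never builds SQL from user input and never hashes the submitted password for comparison; it fetches the stored hash and lets password_verify() read the salt and parameters out of it. Swapping SQLite for MySQL only changes the DSN passed to the PDO constructor.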

Note that even with a better hashing algorithm, your implementation isn't very secure. This question and this question should explain why, and how to use salts properly.

You shouldn't use the mysql_* family of functions anymore. They are deprecated. Use mysqli_* with prepared queries, or PDO, instead. See this question for more information.


Your problem looks like a typo. You are passing 0 == 1 as the second argument to mysql_result(..). You probably want the comparison (== 1) after the closing ). Current code:

mysql_result(
  mysql_query( "SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'" 
  ), 0 == 1
) 
? $user_id : false;

Should be:

mysql_result(
  mysql_query( "SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'" 
  ), 0
) 
== 1 ? $user_id : false;