我正在为一个网站创建一个登录表单。在我尝试将安全性与password_hash()和password_verify()函数中内置的PHPs结合起来之前,验证工作很好。我使用bcrypt算法对上述函数进行加密。
问题是,当在登录表单password_verify中输入正确的用户名和密码时,会返回false,因此验证不成功,从而阻止登录。我到处找了很多,但没有找到任何解决方案。下面的代码(admin_login.php)管理登录表单并处理登录。
我在phpmyadmin控制面板中包含了我的代码和MySQL"登录"表结构的屏幕截图。
提前谢谢。
表格结构:
(作为新手,我没有代表发布图片,所以这里有一个gyazo链接:http://gyazo.com/a423e5ba38fe5200a8198b47a66fe75a)
admin_login.php
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_SESSION['id']) && $_SESSION['admin'] == 1) {
$userID = $_SESSION['id'];
$username = $_SESSION['username'];
header('Location:admin_panel.php');
}
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
// VALIDATES LOGIN CREDENTIALS //
/* $verify = password_verify('123', $trimmed);
var_dump($password);
var_dump($dbPassword);
var_dump($verify); */
// checks if user is valid in database and admin
if ($username == $dbUsername AND $verify && $admin = 1) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
?>
<?php
$pageTitle = "Casa Mirador | Admin";
include_once('inc/header.php');
?>
<h2 style="text-align: center;">Admin Login</h2>
<div class="login_section_one">
<div class="wrapper">
<!-------- ADMIN LOGIN FORM ---------->
<form method="POST" action="admin_login.php" id="admin_form">
<table class="form_login">
<tr>
<th>
<label for = "username"> Username </label>
</th>
<td>
<input type="text" name="username" id="username">
</td>
</tr>
<tr>
<th>
<label for = "password"> Password </label>
</th>
<td>
<input type="password" name="password" id="password">
</td>
</tr>
</table>
<input type="submit" id="submit" name="submit" value="Login">
</form>
</div>
<?php
include_once('inc/footer.php');
?>
这应该可以工作。
if (isset($_POST['submit'])) {
include_once("connection.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$sql = "SELECT id, username, password, admin FROM login WHERE username = '$username' AND activated = '1' AND admin = '1' LIMIT 1";
$query = mysqli_query($dbCon, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userID = $row[0];
$dbUsername = $row[1];
$dbPassword = $row[2];
$admin = $row[3];
}
$verify = password_verify($_POST['password'], $dbPassword); // This should work
if ( $verify ) { // You don't need to check username and is admin, because this is done in the query to the database.
$_SESSION['username'] = $username;
$_SESSION['id'] = $userID;
$_SESSION['admin'] = $admin;
header('Location:admin_panel.php');
die();
} elseif ($admin == 0) {
echo "Either you are not an admin user or you have entered an incorrect username/password combination. <br><br> <a href='index.php'>Click Me</a> to return to the homepage.";
//TODO: ADD LINK TO USER LOGIN PAGE
die();
} else {
echo "Incorrect username/password combo";
exit();
}
}
在这个代码中,没有定义$verify变量,它被注释掉了,所以这个条件语句转到'else'部分。此外,$dbUsername总是等于$username,因为它在$sql的WHERE子句中,所以您不需要再次检查它。
另一件事:您省略了一个=字符-更改
if ($username == $dbUsername AND $verify && $admin = 1) {
至
if ($username == $dbUsername AND $verify && $admin == 1) {
您将1分配给$admin,而不是检查$admin==1