为什么其他帖子没有帮助? 其他帖子没有帮助,因为一个人问,因为没有工作,尽管有很多类似的问题。
更多细节 我想要做的是让用户使用他的密码登录。但是,密码在数据库中使用bCrypt进行哈希处理。
当我尝试输入真实密码时,它不起作用,并说密码不正确。
但是,当我尝试输入哈希密码时。它说:“成功登录”。
如何使用真实密码登录而不是哈希?!
码 的login.php
<form method="post" action="loginsession.php">//login
<p>Username <input type="text" name="uid" size="20"> </p>
<p>Password <input type="password" name="pwd" size="20"> </p>
<p><input type="submit" value="Login" name="login"></p>
</form>
Loginsession.php
<?php
session_start();
include ('dbhandler.php');
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$sql = "SELECT * FROM user WHERE uid='$uid' and pwd='$pwd' ";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
$encrypted_pwd = password_hash($pwd, PASSWORD_DEFAULT);
$hash = password_verify($pwd,$encrypted_pwd);
$count = mysqli_num_rows($result);
if ($count == 1) {
echo("Logging in...");
$_SESSION['id'] = $row['id'];
$_SESSION['uid'] = $row['uid'];
$_SESSION['pwd'] = $row['pwd'];
echo("<h1 style='color:green;'>Successfully Logged In");
}
else {
echo "Your Login Name or Password is invalid";
die();
}
?>
错误重写更合适:
<?php
session_start();
include 'dbhandler.php'; // shouldn't be include './dbhandler.php'; ?
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$sql = "SELECT * FROM user WHERE uid='".mysqli_real_escape_string($conn, $uid)."'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) === 1) {
$row = mysqli_fetch_assoc($result);
if (password_verify($pwd, $row['pwd'])) {
$_SESSION['id'] = $row['id'];
$_SESSION['uid'] = $row['uid'];
$_SESSION['pwd'] = $row['pwd'];
// redirect to "login success" page would be a better solution
echo "<h1 style='color:green;'>Successfully Logged In";
} else {
echo "Invalid password";
}
} else {
echo "Your login name is invalid";
}
$encrypted_pwd传递给查询之前,您需要对密码进行哈希处理。limit 0, 1,因为这将指定您只对第一个相应的行感兴趣(如果存在),因此如果找到用户而不继续搜索将停止查询对于用户。这将优化您的查询。select *替换为select 1来进一步优化查询,这将显着减少RDBMS将具有的数据大小作为回应发送,因为只有一个数字将被返回,而不是整个记录,可能与用户的传记。$_SESSION将输出到浏览器,这将是一个严重的漏洞。