时间戳

首页 > 解决方案 > PHP密码未能加密并在数据库内以明文形式显示

php - PHP密码未能加密并在数据库内以明文形式显示

问题描述

我不知道这是怎么发生的,因为我的登录密码之前工作得很好,现在我发现它在 phpmyadmin 中以明文形式显示密码。我没有碰任何东西,所以我现在很难过。

我不确定错误在哪里,但我已经添加了我的register.php页面并删除了大部分我知道不是问题的代码,所以主要是我为密码代码编写的内容:

<?php

$password = $mysqli->escape_string
            (password_hash($_POST['password'], PASSWORD_BCRYPT));

$password = trim($_POST['password']);
    $password = strip_tags($password);

$password2 = trim($_POST['password2']);
    $password2 = strip_tags($password2);

if (empty($password)){
        $error = true;
        $_SESSION['message'] = "Please enter password.";
        header("location: error.php");
    } else if(strlen($password) < 6) {
        $error = true;
        $_SESSION['message'] = "Password must have atleast 6 characters.";
        header("location: error.php");
    } else if ($password != $password2) {
        $error = true;
        $_SESSION['message'] = "Please check if both password fields match.";
        header("location: error.php");
    } else if ($password == $user_name && $password2 == $user_name) {
        $error = true;
        $_SESSION['message'] = "Please check that your 
                                password is not the same as username.";
        header("location: error.php");
    }

if( !$error ) {

        $result = $mysqli->query("SELECT * FROM users WHERE email='$email'") 
                                or die($mysqli->error());

        if ( $result->num_rows > 0 ) {

            $_SESSION['message'] = 'User with this email already exists!';
            header("location: error.php");

        }
        else {

            $sql = "INSERT INTO users (first_name, user_name, 
                                      email, password, hash) ".
                                      "VALUES ('$first_name','$user_name',
                                      '$email','$password', '$hash')";

这是我的login.php页面,这是我得到实际错误的地方,说我的密码不正确:

<?php

$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'");

if ( $result->num_rows == 0 ){
    $_SESSION['message'] = "User with that email doesn't exist!";
    header("location: error.php");
}
else {
    $user = $result->fetch_assoc();

    if ( password_verify($_POST['password'], $user['password']) ) {

        $_SESSION['email'] = $user['email'];
        $_SESSION['first_name'] = $user['first_name'];
        $_SESSION['user_name'] = $user['user_name'];
        $_SESSION['active'] = $user['active'];

        $_SESSION['logged_in'] = true;

        header("location: profile.php");
    }
    else {
        $_SESSION['message'] = "You have entered wrong password, try again!";
        header("location: error.php");
    }
}

标签: phppasswordspassword-encryptionlogin-script

解决方案

您正在重置$password变量

<?php
//Change this to $password_encrypted
$password = $mysqli->escape_string
            (password_hash($_POST['password'], PASSWORD_BCRYPT));

$password = trim($_POST['password']);//This is overriding the above $password
    $password = strip_tags($password);

尝试将第一个更改$password为类似$password_encrypted然后在 SQL 语句中使用它

$sql = "INSERT INTO users (first_name, user_name, 
                                  email, password, hash) ".
                                  "VALUES ('$first_name','$user_name',
                                  '$email','$password_encrypted', '$hash')";

另外我没有注意到$hash您给出的代码中设置的变量,我认为这是在其他地方设置的?

推荐阅读