php - 登录系统中的电子邮件/用户名组合不正确
问题描述
我的网站上有一个登录系统,有人可以在其中创建帐户,然后注销然后重新登录。当用户尝试登录不存在的帐户时会显示一条消息。“电子邮件/用户名组合不正确”。我遇到的问题是,即使帐户确实存在,也会显示此消息。
这是 index.php
<!DOCTYPE html>
<?php
session_start();
if(isset($_SESSION['username'])) {
header("Location: home.php");
$_SESSION["success"] = "You are now logged in";
}
?>
<html>
<head>
</head>
<body>
<form action="verify_registration_form.php" method="post">
<br>
<input type="username" id="user_name" name="user_name" placeholder="Username" required>
<br><br><br><br><input type="password" id="user_pass_word" name="user_pass_word" placeholder="Password" required>
<br><br><br><br><input type="email" id="user_email" name="user_email" placeholder="Email" required>
<br><br><br><br><input type="submit" class="submit_registration_form_button" id="submit_registration_form_button" name="submit_registration_form_button" value="Sign Up">
</form>
<form action="verify_login_form.php" method="post">
<input type="username" id="user_email_login" name="user_email_login" placeholder="Email" required>
<input type="password" id="user_pass_word_login" name="user_pass_word_login" placeholder="Password" required>
<input type="submit" class="submit_user_login_form_button" id="submit_user_login_form_button" name="submit_registration_form_button" value="Log In">
</form>
</body>
</html>
这是home.php
<!DOCTYPE html>
<?php
session_start();
if(!isset($_SESSION['username'])) {
header('Location: index.php');
}
?>
<html>
<head>
</head>
<body>
<?php
echo $_SESSION["success"];
?>
<?php if (isset($_SESSION['username'])) : ?>
<p>Welcome <?php echo $_SESSION['username']; ?>
<br><br>
<form action="logout.php" method="post">
<input type="submit" id="logoutbutton" name="logoutbutton" class="logoutbutton" value="Logout">
</form>
<?php endif ?>
</body>
</html>
这是 verify_login_form.php
<!DOCTYPE html>
<?php
session_start();
if($_SERVER['REQUEST_METHOD'] != 'POST') {
header("Location: index.php");
}else{
$connection = mysqli_connect("localhost", "root", "", "websiteusers");
if(!$connection) {
echo "Could not connect to MYSQL database";
}else{
echo "Sucessfully connected to MYSQL database";
$connection = mysqli_connect("localhost", "root", "", "websiteusers");
$useremail = mysqli_real_escape_string($connection,
$_POST["user_email_login"]);
$userpassword = mysqli_real_escape_string($connection,
$_POST["user_pass_word_login"]);
$query = "SELECT * FROM websiteusers WHERE UserEmail='$useremail' AND UserPassWord='$hasheduserpassword'";
$results = mysqli_query($connection, $query);
if(mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header("Location: home.php");
}else{
echo "Email/Username combination is incorrect";
}
}
}
?>
<html>
<head>
</head>
<body>
</body>
</html>
解决方案
您无法直接比较散列密码。你需要password_verify
改用。改变:
$hasheduserpassword = password_hash($userpassword, PASSWORD_DEFAULT);
$query = "SELECT * FROM websiteusers WHERE UserEmail='$useremail' AND UserPassWord='$hasheduserpassword'";
$results = mysqli_query($connection, $query);
if(mysqli_num_rows($results) == 1) {
类似于:
$query = "SELECT * FROM websiteusers WHERE UserEmail='$useremail'";
$results = mysqli_query($connection, $query);
if(mysqli_num_rows($results) == 1 && $row = mysqli_fetch_assoc($results) && password_verify($userpassword, $row['UserPassWord'])) {
这样做的原因password_hash()
是使用随机盐来增强哈希安全性,并且生成的哈希包含此盐。password_verify()
从这个散列中提取盐,并用相同的盐对比较的字符串进行散列,导致(如果两个密码相同)在相同的散列中,而使用password_hash()
第二次会导致使用不同的随机盐,这不会生成相同的哈希,因此比较将失败(感谢@Aurelien 的解释)。
请注意,即使使用mysqli_real_escape_string
不会使您对 SQL 注入完全无懈可击,您也应该使用准备好的语句。
推荐阅读
- gstreamer - GStreamer:VBI数据流解码
- java - 从未发送过 Google Play 游戏服务消息
- javascript - 如何在纯 javascript 或 vanilla js 中绑定双向数据?
- android - 如何更改远程视图中视图的属性?
- r - R:直接从 web url 读取 geotiff 数据(httr::GET 原始内容)
- javascript - XMasonry, XBlock (react-xmasonry) 用作单独的组件:TypeError: this.props.parent is undefined
- vba - VBA,根据指定工作表中的标识符列合并工作表中的表
- getstream-io - GetStream - 订购的聚合馈送时间
- python - 烧瓶部署:没有模块名称烧瓶
- fullcalendar - Fullcalendar : 从今天开始显示两个月