我正在尝试在MySQL中存储加密密码,对于注册部分,它按照预期工作,但是当我尝试登录时,出现了问题。
我无法将 $_POST['password'] 与存储在MySQL中的哈希值进行验证。我不知道我做错了什么。
这是我的 register.php 文件,它可以正常工作:
register.php(有效)
$post_password = mysqli_real_escape_string($_POST['password']);
$password_hash = password_hash($post_password, PASSWORD_BCRYPT);
mysqli_query goes here...
登录页面(login.php)无法正常工作
$con = mysqli_connect("XXX","XXX","XXX","XXX");
$post_username = mysqli_real_escape_string($con,$_POST['username']);
$post_password = mysqli_real_escape_string($con,$_POST['password']);
// Getting the stored Hash Password from MySQL
$getHash = mysqli_fetch_assoc(mysqli_query($con, "SELECT * FROM anvandare WHERE username = '$post_username'"));
$got_Hash = $getHash['password'];
// Checking if what the user typed in matches the Hash stored in MySQL
// **This is where it all goes wrong**
if (password_verify($post_password, $got_Hash)) {
echo "The posted password matches the hashed one";
}
else {
echo "The posted password does not match the hashed one";
}
当我运行以上代码时,只需输入用户名并将密码字段留空,即可收到“正确的密码”消息。
我错过了什么?
mysqli_real_escape_string
用于将字符串转义以便插入到数据库中,但不适用于使字符串安全地通过哈希函数运行。 - Quentin