Using password_verify on existing password

2019-02-19 14:19发布

I'm trying to check the password and username of someone before they log in to my website. The passwords are all stored in password_hash($password1, PASSWORD_BCRYPT); I'm not sure as to what I'm doing wrong. At the moment, No matter what I type in, It always says Incorrect.

<?php
require 'privstuff/dbinfo.php';

$username = $_POST["username"];
$password1 = $_POST["password1"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);

if(mysqli_connect_errno()) {
    echo "Connection Failed. Please send an email to owner@othertxt.com regarding this problem.";
    exit();
}

if ($stmt = $mysqli->prepare("SELECT `username`, `password` FROM `accounts` WHERE username = ? AND password = ?")) {


    $result = mysqli_query($mysqli,"SELECT `password` FROM `accounts` WHERE username = $username");

    $stmt->bind_param("ss", $username, password_verify($password1, $result);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows) {
        echo("Success");
    }
    else {
        echo("Incorrect");
    }

}
$mysqli->close(); 

?>

This is the register.php

<?php
require 'privstuff/dbinfo.php';

$firstname = $_POST["firstname"];
$password1 = $_POST["password1"];
$email = $_POST["email"];
$ip = $_SERVER['REMOTE_ADDR'];
$username = $_POST["username"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);


if(mysqli_connect_errno()) {
    echo "Connection Failed. Please send an email to owner@othertxt.com regarding this problem.";
    exit();
}

        if ($stmt = $mysqli->prepare("INSERT INTO `accounts`(`firstname`, `username`, `password`, `email`, `ip`) VALUES (?,?,?,?,?)")) {

            $db_pw = password_hash($password1, PASSWORD_BCRYPT);

            $stmt->bind_param("sssss", $firstname, $username, $db_pw, $email, $ip);
            $stmt->execute();
            if ($stmt->affected_rows > 0) {

                echo "Account successfuly created";
            }
            $stmt->close();
    }
    $stmt->close();

$mysqli->close(); 

?>

2条回答
Rolldiameter
2楼-- · 2019-02-19 14:38

I fixed the issue.. I was using password_verify incorrectly.

<?php
require 'privstuff/dbinfo.php';


$username = $_POST["username"];
$password1 = $_POST["password1"];

$mysqli = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_DATABASE);

// Check connection
if(mysqli_connect_errno()) {
    echo "Connection Failed: " . mysqli_connect_errno();
    exit();
}

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT `password` FROM `accounts` WHERE username = ?")) {

    /* Bind parameters: s - string, b - blob, i - int, etc */
    $stmt -> bind_param("s", $username);

    /* Execute it */
    $stmt -> execute();

    /* Bind results */
    $stmt -> bind_result($result);

    /* Fetch the value */
    $stmt -> fetch();

    /* Close statement */
    $stmt -> close();
}


if(password_verify($password1, $result))
{
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;

   echo '<script type="text/javascript"> window.open("textbomber.php","_self");</script>';
}else{
    echo '<script type="text/javascript"> alert("Incorrect Username/Password"); window.open("login.html","_self");</script>'; 
}

$mysqli->close(); 
?>
查看更多
老娘就宠你
3楼-- · 2019-02-19 14:44

This problem should be solved differently. Only make a single query and get the password-hash by the given username. Then the check should be done in your code, not inside a second query:

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

This function will return true or false, depending on whether the password matched the stored password-hash. You cannot compare the password-hashes directly in the SQL query, because of the random salt added to each password.

查看更多
登录 后发表回答