PHP password_verify() 不验证密码

Question

我的 PHP 应用程序/数据库设置需要对密码进行哈希处理和去哈希处理。虽然 password_hash() 似乎为数据库提供了正确的输出，但使用 password_verify() 将存储的哈希与明文密码进行比较提供了 FALSE 结果。

基本输入表单（signup_form）或（login_form）：

<form action="sign_verify.php" method="post">
    <input id="email_add" class="field" type="text" placeholder="Email" name="email"><br>
    <input id="password" class="field" type="text" placeholder="Password" name="pword"><br>
    <input type="submit" value="Sign Up">
</form>

散列并添加到数据库（signup_verify）：

$temail=trim(filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING));
$tpword=trim(filter_input(INPUT_POST, 'pword', FILTER_SANITIZE_STRING));
if (!filter_var($temail, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email address";
}
else {
    $link = array("Database"=>dbName, "UID"=>userName, "PWD"=>userPassword, "MultipleActiveResultSets"=>true);      
    sqlsrv_configure('WarningsReturnAsErrors', 0);
    $link = sqlsrv_connect(serverName, $link);
    if($link === false){
        echo "Connection Failed.<br>";
        die( print_r( sqlsrv_errors(), true));
    }
    else{
        $hpword=password_hash($tpword, PASSWORD_DEFAULT);
        $insertSql = "INSERT INTO Card_score_storage.dbo.customer_cards (Email,Password) VALUES (?,?)";
        $params = array(&$temail,&$hpword);
        $prepareStatement = sqlsrv_prepare($link, $insertSql, $params);
        if ($prepareStatement === false) {
            echo "Looks like something went wrong.";
            echo "<br>";
           die(FormatErrors( sqlsrv_errors() )); 
        }
        else {
            if (sqlsrv_execute($prepareStatement) === false) {
            echo "Looks like something went wrong.";
            echo "<br>";
            die( print_r( sqlsrv_errors(), true));
        }
        else{
            echo "You have successfully signed up with the email: $temail <br>";
            echo "<a href='index.php'>Return to our main page</a>";
        }

用户登录后的Password_verify()验证（login_verify）：

require_once 'config.php';
error_reporting(E_ALL);

$email=trim(filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING));
$pword=trim(filter_input(INPUT_POST, 'pword', FILTER_SANITIZE_STRING));

//Connect to user database
$link = array("Database"=>dbName, "UID"=>userName, "PWD"=>userPassword, "MultipleActiveResultSets"=>true);      

//Check for connection error
sqlsrv_configure('WarningsReturnAsErrors', 0);

$link = sqlsrv_connect(serverName, $link);
if($link === false){
    echo "Connection Failed.<br>";
    die( print_r( sqlsrv_errors(), true));
}
else{
    sleep(0.2);
    $LoginFetchSql= "SELECT Email,Password FROM Card_score_storage.dbo.customer_cards WHERE Email = '$email'";
    $stmt_l=sqlsrv_query($link,$LoginFetchSql);    
    $getuser = sqlsrv_fetch_array( $stmt_l, SQLSRV_FETCH_ASSOC);

    if ($getuser["Email"] ==NULL) {
        echo '<p style="text-align:center">You did not login successfully.</p>';
        session_destroy();
    }
    else{
        echo $getuser["Password"],"<br>";
        $verify=password_verify($pword,$getuser["Password"]);
        if($verify){
            echo"Good password.";   
        }
        else{
            echo"Bad Password.";
        }
    }

}

存储散列密码的 DB 列是大小为 255 的 NCHAR。用直接 POST 值替换过滤/修剪的输入，如 $_POST["pword"] 提供相同的结果。

Answer 1

我认为您的问题发生在从数据库写入/检索时。我建议在注册时使用 var_dumping 密码，并在检索密码时将其相互比较。

编辑：将nchar 更改为varchar 应该可以修复它。这是因为 NCHAR 可以 存储 unicode 数据（这可能导致验证返回 false）并且具有 固定长度。 VARCHAR 不能存储 unicode 数据并且具有可变长度。

作为参考，请查看此 Stackoverflow 问题以获取更多信息：What is the difference between char, nchar, varchar, and nvarchar in SQL Server?