【发布时间】:2015-08-06 16:13:49
【问题描述】:
我创建了一个带有表 (UserPass) 的数据库,该表主要存储用户名和密码。
现在在我的表单中,我想要求用户输入他的用户名和密码,在测试时,我意识到我可以输入数据库中的任何用户名和任何密码来登录。
是否可以在 SQL 查询中选择与用户名在同一行的密码?
我尝试了类似的方法:
$username = $_POST['username'];
$sql = "SELECT Password FROM UserPass WHERE Username = $username";
但是下面的mysqli_query 失败了:
$query = mysqli_query($cxn, $sql);
所以这是整个action.php 脚本:
<?php
include "info.php";
include "god.php";
session_start();
if($_POST['god'] == $god)
{
header( "refresh:0;url=../web.html" );
}
else if(empty($_POST['god']))
{
}
else
{
echo "Can't you read: DON'T TRY!!!!!!!";
exit();
}
$cxn = mysqli_connect($host, $user, $password, $dbname) or die("Go");
//check username
$userI = $_POST["username"];
$userSql = "SELECT Username FROM UserPass ";
$result = mysqli_query($cxn, $userSql) or die("Query failed!");
while($line = mysqli_fetch_assoc($result))
{
extract($line);
foreach ($line as $key => $val)
{
if($_POST['username'] == $val)
{
//check for password
$username = $_POST['username'];
$pass = $_POST['password'];
$sql = "SELECT Password FROM UserPass";
$passres = mysqli_query($cxn, $sql) or die("Request cannot be handled now.");
while ($passline = mysqli_fetch_assoc($passres))
{
extract($passline);
foreach ($passline as $k => $v)
{
if($_POST['password'] == $v)
{
header( "refresh:0;url=../web.html");
}
else
{
session_destroy();
}
}
}
}
}
}
/*
if($userI == $line['Username'])
{
//check for password
$pass = $_POST['password'];
$sql = "SELECT * FROM UserPass";
$res = mysqli_query($cxn, $sql) or die("Pass query failed");
$passline = mysqli_fetch_assoc($res);
if($pass == $passline['Password'])
{
header( "refresh:4;url=../web.html");
session_start();
echo "Login succesful, session started, session id: ";
}
}
*/
/*
if($_POST['username'] == $val)
{
//check for password
$b = $_POST['username'];
$pass = $_POST['password'];
$sql = "SELECT * FROM UserPass";
$passres = mysqli_query($cxn, $sql);
$passline = mysqli_fetch_row($passres);
foreach ($passline as $k => $v )
{
if($_POST['password'] == $v)
{
header( "refresh:0;url=../web.html");
session_start();
}
}
}
*/
/*
else
{
print("Destroying Laptop...US Government...Destroying Laptop...\n");
exit();
}
*/
?>
【问题讨论】:
-
为什么会有人打扰登录?我会直接去
web.html... -
你的逻辑是错误的。当您检查用户是否存在于数据库中时,您的查询应该类似于
select username from UserPass where username=$username and password=$password。使用它,您将不会遇到您遇到的问题 -
明文存储密码是不安全的,但在某些情况下可能没问题。但是请在人们注册时强调,您不会安全地存储他们的密码,并且他们不应该重复使用重要的密码。