PHP MySql 用户帐户绕过 cookie

Question

是的，我已经对此进行了一段时间的修改，并且除了用户帐户页面之外的所有内容都可以正常工作，我的问题是；任何人都可以发现我在这里犯的错别字或给我一些帮助以使其正常工作吗？

网站似乎绕过了这部分，直接进入了else（如下图）：

<?
                if(isset($_COOKIE['ID_my_site'])){
                    $email = $_COOKIE['ID_my_site']; 
                    $pass = $_COOKIE['Key_my_site'];
                    $con = mysqli_connect(DATABASE STUFF) or die(mysqli_error());
                    $check = mysqli_query($con,"SELECT email, pass2 FROM userAccount WHERE email=$email")or die(mysqli_error()); 

                    while($info = mysqli_fetch_array($check)){ 
                        if ($pass != $info['pass2']){
                            echo "Wrong Password or Email!, Please <a href='login.php'>Login here</a> to see your account or <a href='register.php'>Register here</a>.";
                        }else{
                            $con=mysqli_connect(DATABASE STUFF);
                            $sqlCommand = "(SELECT * FROM userAccount WHERE email=$email)";

                            $query = mysqli_query($con,$sqlCommand) or die("Error: ".mysqli_error($con));
                            $column = mysqli_fetch_array($query);

                            echo "<section class='userName'><h3>".$column['firstName']." ".$column['surname']."</h3></section>";
                            echo "<section class='address'>".$column['addressLine1']."<br />".$column['addressLine2']."<br />".$column['county']."<br />".$column['country']."<br />".$column['postCode']."</section>";
                            echo "<section class='email'><h3>".$column['email']."</h3></section>";
                            echo "<section class='passwordUpdate'><a href='update.php?user_id=".$column['user_id']."'>Change Password</a></section>";
                        } 
                    }

不管怎样，它直接指向的“其他”：

                }else{
                    echo "You cannot see this page, Please <a href='login.php'>Login here</a> to see your account or <a href='register.php'>Register here</a>.";
                }

下面是登录过程，以防万一有人问：

<?

$con = mysqli_connect(DATABASE STUFF) or die(mysqli_error($con)); 

if(isset($_COOKIE['ID_my_site'])){ 
$email = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site'];
$check = mysqli_query($con,"SELECT email, pass2 FROM userAccount WHERE email='".$_POST['email']."'")or die(mysqli_error($con));

while($info = mysqli_fetch_array($check)){
    if ($pass != $info['pass2']){
    }else{
        header("Location: http://www.littlepenguindesigns.co.uk/pages/CMX/pages/userAccount.php");
    }
}
}

if (isset($_POST['submit'])) {
if(!$_POST['email'] | !$_POST['pass']) {
    die('You did not fill in a required field.');
}

if (!get_magic_quotes_gpc()) {
    $_POST['email'] = addslashes($_POST['email']);
}

if(IsInjected($email)){
    die('Bad email value!');
}

$check = mysqli_query($con,"SELECT * FROM userAccount WHERE email='".$_POST['email']."'")or die(mysqli_error($con));
$check2 = mysqli_num_rows($check);

if ($check2 == 0) {
    die('That user does not exist in our database. <a href="http://www.littlepenguindesigns.co.uk/pages/CMX/pages/registration.php">Register</a>');
}

while($info = mysqli_fetch_array($check)){
    $_POST['pass'] = stripslashes($_POST['pass']);
    $info['pass2'] = stripslashes($info['pass2']);
    $_POST['pass'] = md5($_POST['pass']);

    if($_POST['pass'] != $info['pass2']) {
        die('Incorrect password, please <a href="http://www.littlepenguindesigns.co.uk/pages/CMX/pages/login.php">try again</a>.');
    }else{
        $_POST['email'] = stripslashes($_POST['email']);
        $hour = time() + 3600;
        setcookie(ID_my_site, $_POST['email'], $hour); 
        setcookie(Key_my_site, $_POST['pass'], $hour);   
        header("Location: http://www.littlepenguindesigns.co.uk/pages/CMX/pages/userAccount.php"); 
    }
}
}else{
header("Location: http://www.littlepenguindesigns.co.uk/pages/CMX/pages/login.php");
} 

function IsInjected($str){
$injections = array('(\n+)',
              '(\r+)',
              '(\t+)',
              '(%0A+)',
              '(%0D+)',
              '(%08+)',
              '(%09+)');
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str)){
    return true;
}else{
    return false;
}
}

和 PHP 文件中的登录表单：

            <form action="extras/loginProcess.php" method="post" name="login_form">
                Email: <input type="text" name="email" /><br />
                Password: <input type="password" name="pass" id="pass" /><br />
                <input type="submit" name="submit" value="Sign in" />
            </form>

最后是 MyPHPAdmin 中的 TABLE：

CREATE TABLE `userAccount` (
    `user_id` int(11) NOT NULL AUTO_INCREMENT,
    `firstName` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
    `surname` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
    `addressLine1` varchar(30) COLLATE utf8_unicode_ci NOT NULL,
    `addressLine2` varchar(30) COLLATE utf8_unicode_ci NOT NULL,
    `county` varchar(20) COLLATE utf8_unicode_ci NOT NULL,
    `country` varchar(20) COLLATE utf8_unicode_ci DEFAULT NULL,
    `postCode` varchar(10) COLLATE utf8_unicode_ci NOT NULL,
    `email` varchar(50) COLLATE utf8_unicode_ci NOT NULL,
    `email2` varchar(50) COLLATE utf8_unicode_ci NOT NULL,
    `pass` varchar(10) COLLATE utf8_unicode_ci NOT NULL,
    `pass2` varchar(10) COLLATE utf8_unicode_ci NOT NULL,
    PRIMARY KEY (`user_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=5 ;

数据库是正确的，我已经尽了最大的努力来完成这项工作，一直回到我知道它主要是为了安全起见的默认代码。

我已经尝试将 pass2 更改为 pass（甚至将数据库中的 pass 更改为密码并在需要的地方进行配置，但同样发生）。

如果有人可以帮助我，那就太好了，谢谢。

Answer 1

好吧，学习写一些自己的东西总是好的。但你为什么不使用一些现有的平台，比如 wordpress、drupal 等，它们有内置的登录系统？

您的代码极易受到攻击。我可以将任何 SQL 写入我的 cookie，然后您将该变量添加到 SQL 查询（$email 变量）。