通过 MYSQL 验证 PHP 密码的问题答案

【问题标题】：Trouble with validating PHP Password via MYSQL通过 MYSQL 验证 PHP 密码的问题
【发布时间】：2014-11-21 21:32:39
【问题描述】：

我正在开展一个项目，我遇到了一个我认为很简单的解决方案。我只是没有看到它。

您可以查看 www.thriftstoresa.com 上的实时站点，问题出在登录页面 (http://www.thriftstoresa.com/Login.php)

有效的用户名是“none”，密码是“password”。

我遇到的问题是我总是返回“密码不正确，请重试。”

我们将不胜感激。您可能会说，我是 PHP 新手。谢谢

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Acme Online</title>

<script src="formenhance.js"></script>

<style type="text/css">
<!--
p.MsoNormal {
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Cambria;
}
-->
</style>
<link href="styles/main.css" rel="stylesheet" type="text/css">

</head>

<body> 
<?php   // Connect to Database   
mysql_connect(LEFT OUT OF THE CODE ON PURPOSE) or die(mysql_error());   
mysql_select_db( 'thriftstoresa.com') or die(mysql_error());   

//Checks if there is a login cookie
 if(isset($_COOKIE['ID_my_site']))
 //if there is, it logs you in and directs to the catalog page
 { 
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM acme WHERE Username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))  
    {
    if ($pass != $info['password']) 
        {
                    }
    else
        {
        header("Location: catalog.php");
        }
    }
 }

 //if the login form is submitted 
 if (isset($_POST['submit'])) { // if form has been submitted
 // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

 // checks it against the database
    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
    $check = mysql_query("SELECT * FROM acme WHERE Username = '".$_POST['username']."'")or      die(mysql_error());

 //Gives error if user doesn't exist
 $check2 = mysql_num_rows($check);
 if ($check2 == 0) {
        die('That user does not exist in our database. <a href=contact.php>Click Here to Register</a>');
            }
 while($info = mysql_fetch_array( $check ))     
 {

 $_POST['pass'] = stripslashes($_POST['pass']);
    $info['password'] = stripslashes($info['password']);
    $_POST['pass'] = md5($_POST['pass']);

 //gives error if the password is wrong
    if ($_POST['pass'] != $info['password']) {
        die('Incorrect password, please try again.');
    }
 else 
 { 

 // if login is ok then we add a cookie 
$_POST['username'] = stripslashes($_POST['username']); 
$hour = time() + 3600; 
setcookie(ID_my_site, $_POST['username'], $hour); 
setcookie(Key_my_site, $_POST['pass'], $hour);   

//then redirect them to the members area 
header("Location: contact.php"); 
 } 
} 
} 
else 
{
 // if they are not logged in   
 ?>   


<div id="wrapper">
  <section id="leftcolumn">
    <nav id="navigation"><li><a href="#">Login</a></li>
                        <li><a href="catalog.php">Catalog</a></li>
                        <li><a href="contact.php">Contact Us</a></li>
    </nav>
  </section>
  <section id="main">
    <div align="center"><img src="images/ACMELogo.png" width="225" height="70" alt=""/></div>
    <article id="catalogofitems">
      <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span     style="font-family:Arial;">Please Log In</span></p>
      <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;">&nbsp;</p>
      <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span     style="font-family:Arial; ">____________________________________</span></p>
      <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times;     ">&nbsp;</span></p>

      <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">

        <p><strong>Member Login</strong></p>
        <p>
          <label for="textfield">Username:</label>  
          <input name="username" type="text" size="25" maxlength="22">
        </p>
        <p>
          <label for="password">Password:</label>
      <input name="pass" type="password" size="25" maxlength="22">

        </p>
        <p>
          <input name="submit" type="submit" id="Login"  value="Login">
      </form>   <?php   }     ?>
        </p>
        <p><strong><a href="contact.php">Create an Account</a></strong></p>
      </form>
      <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p>
      <form id="form1" name="form1" method="post">
        <div align="center"></div>
      </form>
      <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p>
      <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p>
      <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">ACME Corp</span></p>
      <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">Trademark of the ACME Company and Distribution</span></p>
      <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">1920-2013, a part of  Road Runner Conglomerate</span></p>
      <p class="MsoNormal" align="center" style="text-align:center;"></p>
    </article>
  </section>
      <section id="rightcolumn"><img src="images/Wiley_ACME_LOGO.jpg" width="315" height="234" alt=""/>        </section>
</div>
</body>
</html>

【问题讨论】：

您在$_POST['username'] | !$_POST['pass']) 中缺少一个|，它应该读作$_POST['username'] || !$_POST['pass']) - 从那个开始。
您永远不应该告诉未经身份验证的网站访问者是用户名还是密码不正确。此外，在您获取结果集之前，mysql_num_rows() 被认为是不可靠的。另外，acme 表中password 列的数据类型是什么，当用户更改密码时这些值是如何设置的？另外，请阅读php.net/manual/en/function.password-hash.php 并考虑停止使用md5() 进行密码散列。这些天破解是微不足道的。
谢谢 Fred -ii- 我错过了。还有 Ollie Jones，数据类型是 Varchar
警告：这看起来是terrifyingly insecure，看在你的份上，我希望这不是在公共互联网上。您需要确保任何和所有用户参数都是properly escaped，否则您将面临应用程序受损的严重风险。请不要编写您自己的身份验证层。而是使用a development framework，例如Laravel，它带有authentication system 内置。
这是非常不安全的。您应该使用 SESSION 而不是 cookie 来跟踪用户是否登录（因为 SESSION 驻留在服务器上，而 cookie 可以在客户端进行操作）。并且您应该在重定向之前设置用户登录到SESSION，并在每个页面中检查该会话变量。

标签： php html mysql validation

【解决方案1】：

您应该考虑使用类似 https://github.com/auraphp/Aura.Auth 的东西。正如 tadman 在评论中已经提到的那样，您显示的代码正在引发更多问题。

【讨论】：

【解决方案2】：

所以我会指出一些我认为可能对你有帮助的事情。首先，如果您刚刚学习php，那么忘记mysql并学习mysqli。因为它将不再存在于较新的 php 版本中。话虽如此，让我们来看看你得到了什么。

//cookie only when they have entered in a correct login and password
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site'];
//needs to have another `|`
if(!$_POST['username'] || !$_POST['pass']) {
//here your checking md5($_POST['password']) against $info['password']
if ($_POST['pass'] != $info['password']) { //is info password md5() hashed?

这是一个建议，这可能会为您的代码节省一些时间

$sql="SELECT * FROM users WHERE email=\"".$email."\" AND md5(password)=\"".md5($password)."\"";
    $query=mysql_query($sql);
    if(mysql_num_rows($query)==0) 
    {
        echo "Incorrect Login";
    }
    else 
    {
        $row = mysql_fetch_array($query);
        //set your cookies here
        $username = $_COOKIE['ID_my_site']; 
        $pass = $_COOKIE['Key_my_site'];
        $_SESSION['user_id-'.$_SERVER['SERVER_NAME']]=mysql_result($query,0);
        //set a session of logged in by your server name and mysql_result and i would use an identifying ID number for every user.
        echo "Successfully Logged In";
    }
//to check if some one is logged in
if(!empty($_SESSION['user_id-'.$_SERVER['SERVER_NAME']])) redirect("index.php?action=alreadyloggedin");
//session variable can be w/e you want

我也不会使用 md5 而是使用 sha1

【讨论】：