【发布时间】:2009-12-11 02:13:03
【问题描述】:
我正在尝试使用数据库中的密码验证用户输入的密码。我发现它可以很好地检查用户名(如果用户名不存在,则会显示错误),但是当它尝试使用 mysql 密码验证密码时,它永远不会工作。工作“示例”位于http://scapersclearing.com/fansite/login.php;而这就是PHP(注意base.php包含数据库信息和header.php、navigation.php和footer.php等所有前端)。一旦可行,我计划添加 html 实体并防止 SQL 注入。用户名:Test - 密码:password89 (md5 c1c2434f064da663997b1a2a233bf9f6)
<?php
include("base.php"); //Include MySQL connection
$username = $_POST['username']; //Connect form username with strings
$password = $_POST['password']; //Connect form password with strings
$salt = "xia8u28jd0ajgfa"; //Define the salt string
$salt2 = "oqipoaks42duaiu"; //Define the second salt string
$password = md5($salt.$password.$salt2); //Encrypt the password
$result = mysql_query("SELECT * FROM members WHERE username = '".$username."'"); //Open the members table
while($row = mysql_fetch_array( $result )) { //Convert the members table into an array
if ( $username != $row['username'] ) { //If user entered username doesn't equal the database username
include("header.php"); //Print the message
include("navigation.php");
echo "Invalid username or password!";
include("footer.php");
}
else {
if ( $row['password'] == $password ) { //Validate username and password
setcookie('c_username', $username, time()+6000); //Set the username cookie
setcookie('c_password', $password, time()+6000); //Set the cookie
header("Location:index.php"); //Redirect to home page
} else {
include("header.php"); //Print the message
include("navigation.php");
echo "<div class=\"content\"><p>Invalid username or password!<p></div>";
include("footer.php");
} } }
?>
【问题讨论】:
-
让它回显数据库中的哈希值,以及脚本创建的哈希值是否匹配。
-
使用
SELECT * FROM MEMBERS WHERE username = ? and password = ?- 如果返回一行,则密码正确,否则不正确。您的数据库没有验证密码 - 在您的示例中,逻辑完全是 PHP。 -
另外,当您将用户名直接传递到查询中时,您可能会遇到巨大的 SQL 注入漏洞。请改用 PDO。
-
@benjy:他确实在介绍中声明,一旦他的示例有效,他将在稍后添加...
-
“安全性不是附加功能” - Andrew S. Tanenbaum
标签: php database validation forms