我可以用md5加密我的密码,只需将其包裹起来 -
$Password = md5($_POST['password']);
当用户注册时,加密的密码会成功存储在数据库中。但是,当我想使用纯文本密码登录时,它也决定不这样做。我该如何解决这个问题?
<?php
if(isset($_POST['btnlogin'])) {
$Email = $_POST['email'];
$Password = $_POST['password'];
$Email = mysqli_real_escape_string($connection, $Email);
$Password = mysqli_real_escape_string($connection, $Password);
$query ="SELECT * FROM customers WHERE Email = '{$Email}' AND Password = '{$Password}'";
$select_customer_query = mysqli_query($connection, $query);
if (!$select_customer_query)
die("QUERY FAILED". mysqli_error($connection));
}
while($row = mysqli_fetch_array($select_customer_query)) {
$Email_db = $row['Email'];
$Password_db = $row['Password'];
$Firstname_db = $row['First_Name'];
$Lastname_db = $row['Last_Name'];
$string ="logged in as";
$logoutlink = '/ <a href="includes/back/logout.php">Logout</a>';
}
if ($Email_db == $Email || $Password_db == $Password ) {
header("Location: ../../index.php");
$_SESSION['FirstName'] = $Firstname_db;
$_SESSION['LastName'] = $Lastname_db;
$_SESSION['string'] = $string;
$_SESSION['logoutlink'] = $logoutlink;
}
?>
答案 0 :(得分:2)
在比较之前忘记了md5()密码,您需要比较md5()版本:
$Password = md5($_POST['password']);
目前,您正在比较$Password_db == $Password
$Password = $_POST['password']; //Not md5() hashed
$Password_db = $row['Password']; //md5() hashed
只是提示,您应该使用md5(),因为它不安全。
答案 1 :(得分:2)
为了保证安全,您需要的工作流程看起来像这样,而不是您正在做的事情:
password_verify($password, $storedHash),请继续。不要将您的密码检查外包给SELECT查询。不要存储明文密码。不要使用MD5进行密码保护。不要打电话给MD5加密。
推荐阅读:
password_hash()和password_verify())答案 2 :(得分:0)
在这一行:
$Password = $_POST['password'];
需要更改为:
$Password = md5($_POST['password']);
因为你需要比较加密passowrds。