区分大小写的php mysql登录

时间:2013-05-24 02:46:43

标签: php mysql login-script

我有一个简单的身份验证脚本正在运行但我发现对于具有密码admin的用户admin,具有密码ADMIN的用户ADMIN也可以登录。如何使此脚本区分大小写。此外,我知道可以进行的enycriptions,以便密码不存储为文本,只需要弄清楚如何使这种情况下的敏感。

        if($_SERVER['REQUEST_METHOD'] == "POST" &&  mysql_real_escape_string($_POST['username'])!="" && mysql_real_escape_string($_POST['password']) !="") { // receive form sent via POST method

        $username = mysql_real_escape_string($_POST['username']); // prevent sql injection by using  "mysql_real_escape_string()"
        $password = mysql_real_escape_string($_POST['password']);
        $data = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

    if(mysql_num_rows($data) >0) {   // if the query returns a result then create session variables to show user is authenticated
      $_SESSION['logged'] = 1;
      $_SESSION['user'] = $username;
    }
  }

9 个答案:

答案 0 :(得分:2)

您可以使用BINARY type强制区分大小写:

"SELECT * FROM users WHERE BINARY username='$username' AND password='$password'"

应该注意,不推荐使用mysql_函数。您应该切换到mysqli或PDO并使用预准备语句。

答案 1 :(得分:1)

除非有理由不对密码进行散列(我认为虽然首选SHA-256,但仍然接受MD5)。哈希在传递流量时会产生一层安全性,因为解码它们需要强制执行。它还将大写字母A和小写字母a存储为不同的哈希值,以便处理区分大小写问题。

如果没有,则需要在密码字段中使用区分大小写的关联。

答案 2 :(得分:1)

首先,你真的应该哈希密码。大写字母的变化将为您提供不同的哈希值,以便对问题进行排序。

如果要以区分大小写的方式比较用户名,您可能还希望以这种方式存储它们,并且能够为登录'foo'和'Foo'创建不同的用户。这是可能的,但您需要更改数据库表。更具体地说,您需要更改用户名列的列类型以包含character set and collation

ALTER TABLE users MODIFY COLUMN username VARCHAR(64) CHARACTER SET 'latin1' COLLATION 'latin1_general_cs';

答案 3 :(得分:1)

您需要将密码字段的排序规则设置为一个尾随“cs”而不是“ci”的值,如

  

“latin1_swedish_cs”而不是“latin1_swedish_ci”

ci表示不区分大小写,cs表示区分大小写

答案 4 :(得分:0)

使用PHP比较查询返回的用户名和密码,这是区分大小写的。

if(mysql_num_rows($data) >0) {   // if the query returns a result then create session variables to show user is authenticated
  $row = mysql_fetch_assoc($data);
  if ($row['username'] == $_POST['username'] && $row['password'] == $_POST['password']) {
    $_SESSION['logged'] = 1;
    $_SESSION['user'] = $username;
  }
}

答案 5 :(得分:0)

只需将用户名和密码字段的集合更改为您数据库中的latin1_general_cs

答案 6 :(得分:0)

<?php
// user input

$username="abc";
$password="123";

$sql=SELECT username,password FROM tablename WHERE username='".$username."' AND password ='".$password."' limit 1
$result=mysqli_query($coni,$sql);
if(!mysqli_num_rows($result) == 1)
{
    echo "not found";
}
else
{
    while ($row=mysqli_fetch_array($result)) 
    { 
        $getu=$row[0];
        $getp=$row[1];
    }
    if($username===$getu && $password===$getp)
    {
        echo "username".$getu." password".$getp;
        echo "Login success";
    }
    else
    {
        echo "no";
    }
}
?>

答案 7 :(得分:0)

此程序确定未验证存在的用户名或电子邮件。此代码采用JSON格式的服务器响应。能够通过在语句中使用WHERE BINARY来比较区分大小写。

<?php
require "main.php";
$response = array();
$num = 0;

if($_SERVER['REQUEST_METHOD']=='POST'){
if(isset($_POST['username']) and
    isset($_POST['email']) and
        isset($_POST['password'])){

            $username= $_POST["username"];
            $password= $_POST["password"];
            $email= $_POST["email"];


            $mysql_qry = "select * from users where binary username like '$username' and binary email like '$email'";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 ){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Username and Email is already exists!";
                $num = 1;
            }

            $mysql_qry = "select * from users where binary username like '$username'";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 && $num == 0){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Username is already exists!";
                $num = 1;
            }

            $mysql_qry = "select * from users where binary email like '$email';";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 && $num == 0){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Email is already exists!";
                $num = 1;
            }


            if($num == 0){
                $mysql_qry = "insert into users (username, password, email) values ('$username', '$password', '$email')";

                if($conn->query($mysql_qry) === TRUE ){
                    //Registration Successful!
                    $response['error'] = true;
                    $response['message'] = "Registration Successful!";
                }else{
                    //Registration Failed!
                    $response['error'] = true;
                    $response['message'] = "Registration Failed!";
                }
            }   
}else{
    //Require fields are missing!
    echo "missing";
}   
}else{
//Invalid Request!
echo "invalid";
}

echo json_encode($response);
?>

答案 8 :(得分:0)

有了PHP的password_hash()函数,就不会出现区分大小写的问题,因为它可以解决这个问题。

相关问题
最新问题