我有一个PHP登录表单,它使用MD5哈希来实现我的密码安全性(我知道MD5很糟糕,我将在稍后更改它;它现在仅用于开发目的)。当我在密码上使用==
比较时,它不会让我登录。
md5ing是否返回一个字符串或其他东西可能是因为在我的数据库中我只有密码这个字的字符串,好像它是MD5' ed(" 5f4dcc3b5aa765d61d83")?这是我登录的开始阶段我将在我更好地研究它们之后添加准备语句以及所有这些并使其正常工作。
我给出的域名也是运行PHP版本5.3.28,因此password_verify()
无法为此开发站点工作。
索引页面(登录)
<?php
session_start();
if (isset($_POST['username'])) {
// Include the databas connection script
include_once("includes/connect.inc.php");
// Set the posted data from the form into local variables
$usname = $_POST['username'];
$paswd = $_POST['password'];
$usname = mysqli_real_escape_string($connect, $usname);
$sql = "SELECT * FROM dealerEmployees WHERE firstName = '$usname' LIMIT 1";
$query = mysqli_query($connect, $sql);
$row = mysqli_fetch_row($query);
$uid = $row[0];
$dbUsname = $row[1];
$firstName = $row[1];
$lastName = $row[2];
$dbPassword = $row[3];
$permission = $row[4];
$address = $row[5];
$email = $row[6];
$phone = $row[7];
$profilePhoto = $row[8];
$bannerPhoto = $row[9];
// Check if the username and the password they entered was correct
if ($usname == $dbUsname) {
if($paswd == $dbPassword){
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
//$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
}
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
}
?>
<form id="form" action="index.php" method="post" enctype="multipart/form-data">
<input type="text" name="username" placeholder="Please Enter Your First Name"/> <br />
<input type="password" name="password" placeholder="Please Enter Your Password"/> <br />
<button class="button" type="submit">Log In</button>
</form>
答案 0 :(得分:1)
首先,这是一个非常糟糕的主意:
$paswd = strip_tags($_POST['password']);
如果我小心生成强密码,我的密码很可能类似于c5<dZIuJYWUP3>y
。您刚刚将我的密码变成了非常易碎的c5y
。
使用MD5也是一个非常糟糕的主意。使用password_hash
和password_verify
可以利用PHP针对行业标准bcrypt算法的内置处理。 没有理由练习编写错误的代码。
md5ing是否会返回字符串或其他内容?
是的,它将返回由0-9和a-f字符组成的32个字符的字符串。例如,password
的MD5哈希值为5f4dcc3b5aa765d61d8327deb882cf99
。
但是当我在密码上使用==时,它不会让我登录。
然后,用户输入的密码的MD5哈希值与您存储在数据库中的MD5哈希值不匹配。
为便于调试,请考虑手动编辑数据库行以使用哈希5f4dcc3b5aa765d61d8327deb882cf99
,并尝试使用密码password
登录。如果这样做,您要么没有在数据库中存储MD5哈希,要么在数据库中存储错误的 MD5哈希 - 可能是因为您的strip_tags
内容。
如果没有,那么您可以使用mysqli_fetch_assoc
mysqli_fetch_row
SELECT *
var tails = 0;
var heads = 0;
var clicks = 0;
function clicked()
{
clicks += 1;
document.getElementById("seq").innerHTML = clicks;
}
function toss() {
var rows = 0;
document.getElementById("results").innerHTML = "";
while (rows < 1) {
var arr = new Array();
for (var i = 0; i < 1; i++)
{
var val = Math.floor( Math.random() * 2 );
if (val === 1) {
arr[i] = imageHeads("https://upload.wikimedia.org/wikipedia/commons/thumb/d/d7/2009NativeAmericanRev.jpg/150px-2009NativeAmericanRev.jpg");
heads = heads + 1;
checkHeads();
} else {
arr[i] = imageTails("https://upload.wikimedia.org/wikipedia/commons/thumb/7/79/2010NativeAmerican_Rev.jpg/150px-2010NativeAmerican_Rev.jpg");
tails = tails + 1;
checkTails();
}
}
document.getElementById("results").appendChild(arr[0]);
delete arr;
rows++;
}
clicked();
}
function checkHeads()
{
document.getElementById("headsDisplay").innerHTML = heads;
}
function checkTails()
{
document.getElementById("tailsDisplay").innerHTML = tails;
}
function imageHeads(src) {
var img = document.createElement("img");
img.src = src;
return img;
}
function imageTails(src) {
var img = document.createElement("img");
img.src = src;
return img;
}
来更轻松地进行调试。
答案 1 :(得分:0)
我在登录脚本中看到了很多不安全因素。您需要使用预准备语句。或者有线索的任何人都可以注入并删除您的数据库或以管理员身份登录。您还应该使用sha512进行哈希处理,几乎不可能解密。
但是你的问题是:
=是要分配一些东西。
==检查它们是否是相同的基本值。
===检查它们是否是相同的值和相同的类型。
您在if语句中将$ paswd分配给$ dbPassword,而不是检查它们是否匹配。 更正了if:
// Check if the username and the password they entered was correct
if ($usname === $dbUsname && $paswd === $dbPassword) {
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
这是一个非常安全的登录脚本。它只是它的一部分,但是如果你读它,它应该真的让你对你需要做的事情有所了解。没有冒犯,但你的剧本不好。
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
答案 2 :(得分:0)
23
49 --
要执行此句,您正在做的是设置变量if ($usname == $dbUsname && $paswd = $dbPassword) {
值$paswd
。
比较应该或多或少是这样的:
$dbPassword