我有一个非常简单的登录脚本,可以按照您的预期进行操作,并在电子邮件和密码组合之间检查数据库中的匹配项。虽然我想知道是否有一种方法可以编辑此脚本,以便管理员可以使用这样的用户电子邮件:
user@hotmail.com
主密码或其他内容:
master123
要访问系统上的任何帐户?这是我目前的剧本:
<?
session_start();
require_once("system/db.php");
if($_POST['submit']){
$email_address = $conn->real_escape_string($_POST['email_address']);
$password = md5($_POST['password']);
$stay_logged_in = $_POST['stay_logged_in'];
if (empty($email_address) === true || empty($password) === true) {
header('Location: login.php?loginerror=3');
} else {
$sql1 = "SELECT * from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
$result1 = $conn->query($sql1);
if (!$result1->num_rows == 1) {
header('Location: login.php?loginerror=4');
} else {
$sql2 = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND blocked='0' LIMIT 1";
$result2 = $conn->query($sql2);
if (!$result2->num_rows == 1) {
header('Location: login.php?loginerror=6');
} else {
$sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
header('Location: login.php?loginerror=2');
} else {
mysqli_query($conn, "UPDATE ap_users SET last_login = NOW() WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("email_address", $email_address, time()+31556926 ,'/');
} else {
setcookie("email_address", $email_address);
}
$length = 76;
$randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
$hash = md5($randomString);
mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("hash", $randomString, time()+31556926 ,'/');
} else {
setcookie("hash", $randomString);
}
$value = 'yes';
if($stay_logged_in == 1){
setcookie("login", $value, time()+31556926 ,'/');
} else {
setcookie("login", $value);
}
header('Location: check_gateway.php');
}
}
}
}
}
?>
我尝试过添加:
if($_POST['password'] != 'master123'){
$sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
header('Location: login.php?loginerror=2');
} else {
} else if($_POST['password'] == 'master123'){
哪个不太合适?有什么想法吗?
答案 0 :(得分:2)
在用户表中创建master_passowrd列而不是像这样的查询。
select * from user where `email` = '$email' AND (`password` = '$password' or `master_passowrd` = '$password')
答案 1 :(得分:2)
我这样做非常简单,不需要主密码。
管理员用户运行一组不同的cookie和会话,允许我以管理员身份登录,从管理员方面我可以选择我想要登录的用户,并动态创建他们的cookie和会话。这是有益的,因为:
您始终知道是否是登录的实际管理员用户和/或所做的更改,因为您有2套Cookie等。
我可以轻松检查多个用户,而无需退出管理员,当我想更改用户时,我只需替换用户端的cookie /会话信息。
它还增加了额外的安全层,因为用户不知道管理员cookie的名称(希望如此)
如果您不想这样做,只需通过调用数据库并获取电子邮件并传递和创建会话来创建用户会话,而不需要使用masterpassword。
我通常将哈希密码加倍
sha1(md5($ password))或
md5(sha1($ password))或
的MD5(MD5($密码))
不确定这是否对您有帮助。
编辑:如果您想使用其用户名登录,请在管理员方面创建表单,例如:
<form action="login.php" method="post" id="user_login_admin">
<input type="text" name="user_email" id="user_email" placeholder="Enter User Email">
<input type="submit" name="user_temp_login" id="user_temp_login" value="Admin User Login">
</form>
然后您的新登录脚本将是:
<?
session_start();
require_once("system/db.php");
if($_POST['submit']){
$email_address = $conn->real_escape_string($_POST['email_address']);
$password = md5($_POST['password']);
$stay_logged_in = $_POST['stay_logged_in'];
if (empty($email_address) === true || empty($password) === true) {
header('Location: login.php?loginerror=3');
} else {
$sql1 = "SELECT * from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
$result1 = $conn->query($sql1);
if (!$result1->num_rows == 1) {
header('Location: login.php?loginerror=4');
} else {
$sql2 = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND blocked='0' LIMIT 1";
$result2 = $conn->query($sql2);
if (!$result2->num_rows == 1) {
header('Location: login.php?loginerror=6');
} else {
$sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
header('Location: login.php?loginerror=2');
} else {
mysqli_query($conn, "UPDATE ap_users SET last_login = NOW() WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("email_address", $email_address, time()+31556926 ,'/');
} else {
setcookie("email_address", $email_address);
}
$length = 76;
$randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
$hash = md5($randomString);
mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("hash", $randomString, time()+31556926 ,'/');
} else {
setcookie("hash", $randomString);
}
$value = 'yes';
if($stay_logged_in == 1){
setcookie("login", $value, time()+31556926 ,'/');
} else {
setcookie("login", $value);
}
header('Location: check_gateway.php');
}
}
}
}
}elseif($_POST['user_temp_login']){
$email_address = $conn->real_escape_string($_POST['user_email']);
$sql = "SELECT password from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
// no email address
}else{
$length = 76;
$randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
$hash = md5($randomString);
mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("hash", $randomString, time()+31556926 ,'/');
} else {
setcookie("hash", $randomString);
}
$value = 'yes';
if($stay_logged_in == 1){
setcookie("login", $value, time()+31556926 ,'/');
} else {
setcookie("login", $value);
}
header('Location: check_gateway.php');
}
}
?>
您实际上甚至不需要选择密码,因为哈希不包含密码。但如果有人在您登录时登录其帐户,您可能会从会话中启动,因为哈希值会发生变化。
脚本仍然可以优化(也不是100%安全),你应该真正使用PDO或Mysqli。这将停止SQL注入,即使你已经使用了real_escape_string,它仍然可以进行SQL注入。