PHP code with hashed passwords does not work properly

Time: 2016-03-01 10:43:59

Tags: javascript php html database hash

I want to create a web page where a user enters a login and a password and is then redirected to another page.

The login and password are provided by an administrator, and the password should be hashed. I tried to use code I found on the internet (I made some changes), but it doesn't work for me (I think the reason is the hashed password). Please tell me where the error is.

Link to the code used: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

(For now I have inserted one row into the database containing the login and password mentioned in the example.)

I tested my code with the password given in the example:

Login: login1  Password: 6ZaxN2Vzm9NUJT2y. To be able to log in as that user, the code you need is:

INSERT INTO enquete Etablissement VALUES(1, 'test_user',login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef');

The Login.html page:

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Log In</title>
    <script type="text/JavaScript" src="./sha512.js"></script>
    <script type="text/JavaScript" src="./forms.js"></script>
</head>
<body>
    <?php
        if (isset($_GET['error'])) {
            echo 'Error Logging In!';
        }
    ?>
    <form action="process_login.php" method="post" name="login_form">
        Email: <input type="text" name="LoginEtab" />
        Password: <input type="password" name="PwdEtab" id="PwdEtab" />
        <input type="button" value="Login" onclick="formhash(this.form, this.form.PwdEtab);" />
    </form>
</body>

</html>

The Forms.js page:

function formhash(form, PwdEtab) {
    // Create a new input element; this will be our hashed password field.
    var p = document.createElement("input");

    // Add the new element to our form.
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(PwdEtab.value);   // hex_sha512() is provided by sha512.js

    // Make sure the plaintext password doesn't get sent.
    // Clear the visible password field, not p: clearing p would discard the hash
    // and the server would receive an empty string.
    PwdEtab.value = "";

    // Finally submit the form.
    form.submit();
}

The process_login.php page:

<?php
include 'db_connect.php';
include 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'], $_POST['p'])) {
    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['p']; // The hashed password.

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
?>

The functions.php page:

<?php

include 'psl-config.php';

function sec_session_start() {
    $session_name = 'MyOwnsession';   // Set a custom session name
    $secure = SECURE;

    // This stops JavaScript being able to access the session id.
    $httponly = true;

    // Forces sessions to only use cookies.
    ini_set('session.use_only_cookies', 1);

    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);

    // Sets the session name to the one set above.
    session_name($session_name);

    session_start();            // Start the PHP session
    session_regenerate_id();    // Regenerate the session id and delete the old one.
}

function login($LoginEtab, $PwdEtab, $mysqli) {

    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT IDEtablissement, LoginEtab, PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1")) {
        $stmt->bind_param('s', $LoginEtab);  // Bind "$LoginEtab" to the parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();

        // Get variables from the result.
        $stmt->bind_result($db_IDEtablissement, $db_LoginEtab, $db_PwdEtab, $salt);
        $stmt->fetch();

        // No output in this function: anything echoed here is sent before
        // process_login.php calls header(), which breaks the redirect.
        if ($stmt->num_rows == 1) {
            // The user exists. Hash the submitted (client-hashed) password with the unique salt.
            $PwdEtab = hash('sha512', $PwdEtab . $salt);

            // Check if the password in the database matches
            // the password the user submitted (constant-time comparison).
            if (hash_equals($db_PwdEtab, $PwdEtab)) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $db_IDEtablissement = preg_replace("/[^0-9]+/", "", $db_IDEtablissement);
                $_SESSION['db_IDEtablissement'] = $db_IDEtablissement;

                // XSS protection as we might print this value
                $db_LoginEtab = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $db_LoginEtab);

                $_SESSION['db_LoginEtab'] = $db_LoginEtab;
                $_SESSION['login_string'] = hash('sha512', $PwdEtab . $user_browser);

                // Login successful.
                return true;
            } else {
                // Password is not correct.
                // The original script records this attempt in the database here.
                $now = time();
                return false;
            }
        } else {
            // No user exists.
            return false;
        }
    }

    // The statement could not be prepared.
    return false;
}

?>

The db_connect.php page:

<?php
include 'psl-config.php';   // Needed because functions.php is not included

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);

?>

The psl-config.php page:

<?php
/**
 * These are the database login details
 */
define("HOST", "localhost");      // The host you want to connect to.
define("USER", "root");           // The database username.
define("PASSWORD", "");           // The database password.
define("DATABASE", "enquete");    // The database name.
define("SECURE", FALSE);

?>

Update: I'm always redirected to the index page: header('Location: ./index.php?error=1');

and the Apache log is:

[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant HOST already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant USER already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant PASSWORD already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant DATABASE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant SECURE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 18, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:18, referer: http://localhost/loginSecurity/login.html

Update: I found where the problem is :) I had to add to my code

$PwdEtab = hash('sha512', $PwdEtab);

before the salted hash in the login function.

2 answers:

Answer 0 (score: 2)

You are including the file psl-config.php twice; if you need it there, try include_once instead of include.

****** EDIT ******

Let's make it work.

First, hash a new password:

include_once 'psl-config.php';

$user = 'admin';
$pass = '123';
$token = 'test';
$password = hash('sha512', $pass . $token);

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
// Bind the values instead of interpolating them into the SQL string.
$stmt = $mysqli->prepare("UPDATE etablissement SET LoginEtab = ?, PwdEtab = ?, salt = ? WHERE IDEtablissement = 1");
$stmt->bind_param('sss', $user, $password, $token);
$stmt->execute();

Then, change your form:

<form action="process_login.php" method="post" name="login_form">
    Email: <input type="text" name="LoginEtab" value="admin"/>
    <br><br>
    Password: <input type="text" name="PwdEtab" id="PwdEtab" value="123"/>
    <br><br>
    <input type="submit" value="Login"/>
</form>

Now change process_login.php:

<?php

include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'])) { //<======CHANGE HERE

    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['PwdEtab']; // The hashed password. //<======AND HERE

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}

And voilà.

Answer 1 (score: 1)

Update: I found where the problem is :) I had to add to my code

$PwdEtab = hash('sha512', $PwdEtab);

before the salted hash in the login function. Finally it works for me :)
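The hashing pipeline behind the asker's final fix and answer 0's form change, as an added example (not the asker's code and not the wikiHow script): it models sha512.js in the browser and the salted hash in functions.php, and shows why posting the plaintext only works once the server applies the first sha512 itself. The user name, password and salt in the sample row are constructed; the wikiHow values are the ones quoted in the question.

```php
<?php
// Added example; not the asker's code and not the wikiHow script. It models the
// hashing pipeline the question's files use (sha512.js in the browser, then
// hash('sha512', ...) with the row's salt in functions.php) so the original
// flow and the asker's final flow can be compared side by side.

// What hex_sha512() in sha512.js computes in the browser.
function client_hash(string $plain): string
{
    return hash('sha512', $plain);
}

// What login() in functions.php compares against the PwdEtab column.
function stored_hash(string $clientHash, string $salt): string
{
    return hash('sha512', $clientHash . $salt);
}

// $submitted is the hidden field "p" (original flow) or the plaintext field
// PwdEtab (after the form change in answer 0). In the second case the server
// must apply the first sha512 itself, which is the line the asker added.
function verify(string $dbHash, string $salt, string $submitted, bool $plaintextSubmitted): bool
{
    $clientHash = $plaintextSubmitted ? client_hash($submitted) : $submitted;
    // Constant-time comparison; the question's code uses == here.
    return hash_equals($dbHash, stored_hash($clientHash, $salt));
}

// Constructed sample row (hypothetical user, not data from the question).
$plain = 'correct-horse-battery';
$salt  = bin2hex(random_bytes(16));
$db    = stored_hash(client_hash($plain), $salt);

printf("browser-hashed field p:          %s\n", verify($db, $salt, client_hash($plain), false) ? 'ok' : 'fail');
printf("plaintext + server-side sha512:  %s\n", verify($db, $salt, $plain, true) ? 'ok' : 'fail');
// Two ways the original flow breaks: forms.js clearing p instead of the
// password field (an empty string arrives), and salting the plaintext directly.
printf("empty hidden field:              %s\n", verify($db, $salt, '', false) ? 'ok' : 'fail');
printf("plaintext salted without sha512: %s\n", verify($db, $salt, $plain, false) ? 'ok' : 'fail');

// The row from the wikiHow example quoted in the question: checks whether that
// PwdEtab/salt pair was produced by this same pipeline.
$wikiPlain = '6ZaxN2Vzm9NUJT2y';
$wikiSalt  = 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef';
$wikiHash  = '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc';
printf("wikiHow sample row:              %s\n", verify($wikiHash, $wikiSalt, $wikiPlain, true) ? 'ok' : 'fail');
```

Run it with `php` from the command line; the last line tells you whether the row copied from the tutorial is consistent with the pipeline, independent of the form and session code.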