我有一个问题,即在数据库中使用密码进行密码登录。 我的当前脚本只是告诉我“密码错误”消息,即使它正确。
-(void)signup:(NSDictionary *)dictParam completionBlock:(BlackRockManagerCompletionBlock)pCompletionBlock{
NSString *strRequestUrl = KSignup;
[Helper showGlobalProgressHUDWithTitle:@"Loading"];
AFHTTPRequestOperationManager *operationManager = [AFHTTPRequestOperationManager manager];
operationManager.responseSerializer = [AFJSONResponseSerializer serializer];
operationManager.requestSerializer = [AFJSONRequestSerializer serializer];
operationManager.responseSerializer.acceptableContentTypes = [operationManager.responseSerializer.acceptableContentTypes setByAddingObject:@"Text/html"];
AFHTTPRequestOperation *operation = [operationManager POST:strRequestUrl parameters:dictParam success:^(AFHTTPRequestOperation *operation, id responseObject) {
[Helper dismissGlobalHUD];
NSDictionary* dictResponse = [NSJSONSerialization
JSONObjectWithData:operation.responseData //1
options:kNilOptions
error:nil];
NSLog(@"%@",dictResponse);
if ([[dictResponse valueForKey:@"status"] intValue] == 1) {
UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
[alt show];
pCompletionBlock(YES);
}
else if([[dictResponse valueForKey:@"status"] intValue] == 2){
UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
[alt show];
pCompletionBlock(NO);
}else{
UIAlertView *alt = [[UIAlertView alloc]initWithTitle:@"Trend" message:[dictResponse valueForKey:@"message"] delegate:nil cancelButtonTitle:@"Cancel" otherButtonTitles:@"Ok", nil];
[alt show];
}
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
[Helper dismissGlobalHUD];
NSLog(@"Failed %@",operation.responseString);
}];
[operation start];
}
答案 0 :(得分:6)
你这样做是错误的。数据库密码已经散列 我希望 ,但是用户输入了纯文本密码,因此您需要对用户输入的内容进行哈希查看与您在数据库中的哈希匹配
$s = $mysqli->query("SELECT * FROM `users` WHERE `email`='{$_POST['email']}'") or die();
$i = $s->fetch_assoc();
if(sha1($_POST['password']) == $i['password']) {
echo "works";
} else {
echo "bad password";
}
<强>然而强>
请不要滚动您自己的密码哈希。 PHP提供
之前的PHP版本password_hash()
和password_verify()
请使用它们,我可能希望有一天使用您的网站 这里有一些good ideas about passwords 如果您使用的是5.5 there is a compatibility pack available here
同时强>
您的脚本面临SQL Injection Attack的风险 看看Little Bobby Tables偶然发生了什么 if you are escaping inputs, its not safe! 使用prepared statement and parameterized statements
答案 1 :(得分:-1)
以下是如何安全地使用mysql验证sha的示例。
<?php
// Basic php MYSQL authentication with crypted password
$username = $_POST['username'];
$password = $_POST['password'];
$salt = "CrazyassLongSALTThatMakesYourUsersPasswordVeryLong123!!312567__asdSdas";
$password = hash('sha256', $salt.$password);
//echo $password;
// Mysql connection
$mysqli = new mysqli("localhost","mysqluser","mysqlpassword","mysqldatabase");
$stmt = $mysqli->prepare('SELECT userid FROM Users WHERE password = ? AND username = ?');
// (ss -> string, string) Always bind parameters and use prepared statement to improve security
$stmt->bind_param("ss", $password, $username);
$stmt->execute();
$stmt->bind_result($userid );
if (!empty($stmt->fetch())) {
// if fetch is not empty we have results and password hash was correct
echo "User was found";
} else
echo "User was not found";
$mysqli->close();
?>