我正在使用mysqli prepare等创建一些登录api函数。
打开购物车正在使用的正确登录功能如下
$customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1' AND approved = '1'");
我正在尝试使用以下代码使用mysqli prepare语句。
$result = mysqli_prepare($db, "SELECT customer_id, firstname, lastname, email, telephone, fax, address_id, customer_group_id FROM `oa_customer` WHERE LOWER(email) = ? AND password = ? OR password = ? ;");
$md5pass = md5($password);
$newpass = "SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $password . "'))))"
echo "md5 ";
print_r($md5pass);
echo "new ";
print_r($newpass);
mysqli_stmt_bind_param($result, 'sss', utf8_strtolower($email), $password, $md5pass);
mysqli_stmt_execute($result);
mysqli_stmt_bind_result($result, $customerid, $firstname, $lastname, $email, $telephone, $fax, $address_id, $coustomer_group_id);
while(mysqli_stmt_fetch($result))
{
$id = $customerid;
$name = $firstname;
$surname = $lastname;
$email = $email;
$phone = $telephone;
$fax = $fax;
$addressid = $address_id;
$customergroup = $customer_group_id;
}
mysqli_stmt_close($result);
mysqli_close($db);
我唯一的问题是这一行
$newpass = "SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $password . "'))))"
试图表示第一个原始登录查询的以下代码
(password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "')))))
虽然我正在尝试这个,但我在请求时收到错误500.
第二次尝试如下。
而不是使用
$newpass = "SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))"
我用
替换了它$newpass = sha1($salt . sha1($salt . sha1($password)));
再次出现500错误。 任何想法我应该在我的mysqli准备什么,所以它可以与原始查询相同?
谢谢!
答案 0 :(得分:1)
可能这样的事情应该有效:
$db = new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
$result = mysqli_prepare($db, "
SELECT customer_id, firstname, lastname, email, telephone, fax, address_id, customer_group_id
FROM `" . DB_PREFIX . "customer`
WHERE LOWER(email) = ?
AND password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1(?)))))
");
mysqli_stmt_bind_param($result, 'ss', $email, $password);
mysqli_stmt_execute($result);
mysqli_stmt_bind_result($result, $customer_id, $firstname, $lastname, $email, $telephone, $fax, $address_id, $customer_group_id);
while(mysqli_stmt_fetch($result)) {
$id = $customer_id;
$name = $firstname;
$surname = $lastname;
$email = $email;
$phone = $telephone;
$fax = $fax;
$addressid = $address_id;
$customergroup = $customer_group_id;
}
mysqli_stmt_close($result);
mysqli_close($db);
原始查询中的md5选项严格用于支持旧数据,Opencart不再使用该选项进行密码存储,因此除非您处理十年以上的表,否则可以取消该部分共。另请注意,您不应该真正需要转义密码,因为第一顺序sql注入已经由预准备语句处理,因此将原始$password参数传递给语句应该是安全的。
同样如评论中所述,已经有类方法来获取您似乎想要的数据。例如,一旦客户登录,您就可以呼叫任何控制器:
$lastname = $this->customer->getLastName();
$fax = $this->customer->getFax();
因此,如果您的所有文章都可以访问类属性,那么知道已有方法可能会有所帮助。