PHP - 使用MD5和MySQL验证密码

时间:2017-02-23 12:44:24

标签: php mysql

我有一个注册页面,它会记录密码并将其存储在MySQL中。我在登录时遇到问题,PHP无法识别用户名和密码。我已经搜索了答案,并试图实现许多例子,但没有一个有效。以下是代码:

?php
session_start();
if(isset($_POST['insert'])){
    // username and password sent from form

    $hostname = "localhost";
    $username = "root";
    $password = "Passw0rk1";
    $databaseName = "change_management";

     $connect = mysqli_connect($hostname, $username, $password, $databaseName);

     $user = $_POST['user'];
     $passcode = $_POST['passcode'];


     $sql = "SELECT * FROM admin WHERE username = '$user' and passcode ='".md5($passcode)."'";
     $result = mysqli_query($connect,$sql);
     $row = mysqli_fetch_array($result,MYSQLI_ASSOC);

     $count = mysqli_num_rows($result);

     // If result match $myusername and $mypassword, table row must be 1 row

     if($count ==0) {
        echo "Invalid Credentials";
        }else {

我知道我输入的凭据存在于SQL中,但我在屏幕上回显“无效凭据”。

这是注册页面,如果有问题:

?php 
if(isset($_POST['insert']))
{


    $hostname = "localhost";
    $username = "root";
    $password = "Passw0rk1";
    $databaseName = "change_management";


    $user = $_POST['user'];
    $passcode = $_POST['passcode'];

     $connect = mysqli_connect($hostname, $username, $password, $databaseName);

     $sql = "INSERT INTO `admin` (`username`, `passcode`) VALUES('$user', '".md5('$passcode')."')";

     $result = mysqli_query($connect,$sql);

    if($result)
    {
     echo "Added successfully"; 
    }

    else{
        echo $connect->error;
    }
}
?>

2 个答案:

答案 0 :(得分:5)

考虑使用php' password_hash()password_verify()函数以及prepared statements,您的代码不安全!

也许改变这一行。

 $sql = "SELECT * FROM admin WHERE username = '$user' and passcode ='".md5('passcode')."'";


$sql = "SELECT * FROM admin WHERE username = '" . $user . "' and passcode ='".md5($passcode)."'";

在您的注册页面中

 $sql = "INSERT INTO `admin` (`username`, `passcode`) VALUES('$user', '".md5('$passcode')."')";

应该是

 $sql = "INSERT INTO `admin` (`username`, `passcode`) VALUES('" . $user . "', '".md5($passcode)."')";

但是md5不安全,你应该考虑在评论中使用password_hash。

答案 1 :(得分:2)

以下是使用MySQLi处理密码的正确方法,预处理语句和PHP的密码方法 (您必须使用password_hash()将密码存储在数据库中 - {{3 }}) 

<?php
session_start();
if(isset($_POST['insert'])){
    // username and password sent from form

    $hostname = "localhost";
    $username = "root";
    $password = "Passw0rk1";
    $databaseName = "change_management";

    $connect = mysqli_connect($hostname, $username, $password, $databaseName);

    $user = $_POST['user'];
    $passcode = $_POST['passcode'];

    $stmt = mysqli_prepare($connect, "SELECT * FROM admin WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $user); // bind parameters
    mysqli_stmt_execute($stmt); //execute query
    $result = $stmt->get_result(); // get result
    $row = $result->fetch_assoc(); // put results into array

   if (password_verify($passcode, $row['passcode'])) {
       echo 'Password is valid!';
   } else {
       echo 'Invalid password.';
   }
    mysqli_stmt_close($stmt); // close statement
}

有些事情需要注意:

  • 您只需使用用户名选择行,无需选择密码
  • 您不必计算行数,只应该有一行使用该用户名
  • 您可能想测试查询是否成功(我在此处跳过)
  • 您需要确保正确检查连接和查询成功等数据库错误,我在这里省略了。
  • 请阅读read more herepassword_hash()password_verify()

对于您的插页,您应该这样做:

$user = $_POST['user'];
$passcode = password_hash($_POST['passcode'], PASSWORD_DEFAULT);

$connect = mysqli_connect($hostname, $username, $password, $databaseName);

$stmt = mysqli_prepare($connect,"INSERT INTO `admin` (`username`, `passcode`) VALUES(?, ?)");
mysqli_stmt_bind_param($stmt, "ss", $user, $passcode);

然后你可以执行并检查插入。

相关问题
最新问题