Login does not work with non-hashed passwords, only with hashed passwords

Time: 2019-02-13 17:09:08

Tags: php

The login on my website only works with hashed passwords and does not work with regular passwords. How can I fix this?

    <?php
    include '../../engine/config.php';
    // Check authorization; if everything is fine, let the user through
    if (empty($_COOKIE["pass"]) || $_COOKIE["pass"] == "")
    {
        header("Location: login.php");
        exit; // stop rendering after the redirect
    }
    else
    {
        // Cookie layout: "<md5>:<login>"
        $per = explode(":", $_COOKIE["pass"]);
        $pass_md5 = $per[0];
        $login = $per[1];
        // Legacy mysql_* extension (removed in PHP 7.0)
        $search = mysql_query("SELECT * FROM ".$account['table']." WHERE ".$account['name']."='$login'");
        $user = mysql_fetch_array($search);
        // The cookie value is compared with a double MD5 of the stored password column
        if ($pass_md5 != md5(md5($user[$account['pass']])))
        {
            setcookie("pass", "", 0, "/");
            header("Location: login.php");
            exit;
        }
    }
    //?>

1 answer:

Answer 0: (score: 0)

Your code has many problems that may affect you (security-wise):

  • MD5 is very insecure; even running 10 nested md5() calls would not guarantee security.

You could rewrite the code as follows:

    include '../../engine/config.php';

    if (empty($_COOKIE['pass']) || $_COOKIE['pass'] == '') {
        header("Location: login.php");
        exit; // stop rendering after the redirect
    } else {
        $per = explode(":", $_COOKIE['pass']);
        $password = $per[0];
        $login = $per[1];

        $search = mysql_query("SELECT * FROM " . $account['table'] . " WHERE " . $account['name'] . " = '$login' LIMIT 1"); // Included an option LIMIT 1 to end the query and speed it up

        $user = mysql_fetch_array($search);
        // The stored column must hold a password_hash() result for password_verify() to match
        if (!password_verify($password, $user[$account['pass']])) {
            setcookie("pass", "", 0, "/");
            header("Location: login.php");
            exit;
        }
    }

    // You don't really need the closing bracket, unless you are going to write HTML code
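The following is an added example, not code from the question or the answer, showing the full password_hash()/password_verify() flow the answer recommends: the hash is produced at registration, verified at login, and upgraded with password_needs_rehash() when the default algorithm or cost changes. It also makes two changes a defender would want over the posted code, both visible in the snippets above: the login value is bound as a prepared-statement parameter instead of being interpolated into the SQL string, and the logged-in state is kept in a server-side session rather than in a cookie that carries the credential itself. Assumed (not from the page): a PDO connection, a table `users` with columns `name` and `pass_hash`, and placeholder DSN and credentials.

```php
<?php
// Added example (not the question's or the answer's code).
// Assumptions: PDO, a table `users` with columns `name` and `pass_hash`;
// the DSN, user and password below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                         // placeholder user
        'change-me',                                        // placeholder password
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Registration: store only the hash. password_hash() generates a random salt
// and encodes algorithm, cost and salt into the returned string.
function registerUser(PDO $pdo, string $login, string $plainPassword): void
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $login, ':hash' => $hash]);
}

// Login check: bound parameter for the lookup, password_verify() for the
// comparison, password_needs_rehash() to upgrade old hashes transparently.
function authenticate(PDO $pdo, string $login, string $plainPassword): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown login: verify against a dummy hash so the response time does
        // not differ noticeably from the known-user path.
        password_verify($plainPassword, $dummyHash);
        return false;
    }
    if (!password_verify($plainPassword, $row['pass_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['pass_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pass_hash = :hash WHERE name = :name');
        $upd->execute([':hash' => password_hash($plainPassword, PASSWORD_DEFAULT), ':name' => $login]);
    }
    return true;
}

// login.php form handler: on success, remember the user in the session.
function handleLogin(PDO $pdo): void
{
    session_start();
    $login = (string) ($_POST['login'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if ($login !== '' && authenticate($pdo, $login, $password)) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['user'] = $login;
        header('Location: index.php');
        exit;
    }
    header('Location: login.php?error=1');
    exit;
}

// Protected page: replaces the cookie check from the question.
function requireLogin(): string
{
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
    return (string) $_SESSION['user'];
}
```

With this layout the browser only ever holds the session id; the password hash stays in the database, and existing rows are migrated by hashing the plaintext once with password_hash() at the user's next successful login (or by forcing a reset), because password_verify() cannot match a plain or MD5 column.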