目标:尝试创建登录信息。注册页面使用此命令根据输入创建用户名和密码:
注册
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="dbname"; // Database name
$tbl_name="Student"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
/* Obliterate bad input */
$secUser = mysql_real_escape_string($_POST['reguser']);
$badpasses = $_POST['regpass'];
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$secPass = hash('sha512', $badpasses.$salt);
$sql= "INSERT INTO Student (uname, upass, fname, lname, email, currGrade) VALUES('$secUser','$secPass','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')";
$result = mysql_query($sql);
if (!$result) {
die('Invalid query: ' . mysql_error());
}
else{
echo "Registered";
}
?>
的login.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="dbname"; // Database name
$tbl_name="Student"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$myusername = $_POST['uname'];
$mypassword = $_POST['upass'];
$mypassword = hash('sha512', $mypassword.$salt);
$sql = "SELECT * FROM $tbl_name WHERE uname = '$myusername' AND upass = '$mypassword')";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("regduser");
session_register("regdpass");
header("location:login_success.php");
}
else {
echo "$mypassword<br />";
echo "Wrong Username or Password";
}
ob_end_flush();
?>
我得到的错误是Wrong User or Pass,但我尝试登录时的密码是:
bffbc4f94f40d0cece6774ed9ec792b03ad5362edf768d190913d033c46ad4af4e2cbe1d42134f58da402efb7d3209b7e9b62ff3e81caf6341262b24dd300e9a
数据库中用户poop和密码poop中的密码是:
4e4d252a08ac4c35c2917b4fc715fef13bac2b686c7ebc8f8256765bd584a89634df3fa455ed73c1fbec84d442f11d5e064749396dcb1c0f1525f82c1b0ea57a
为什么这些密码不同?!有人可以帮忙吗?
答案 0 :(得分:2)
应该
// Define $myusername and $mypassword
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$myusername = $_POST['uname'];
$mypassword = $_POST['upass'];
$mypassword = hash('sha512', $mypassword);
不是
// Define $myusername and $mypassword
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$myusername = $_POST['uname'];
$mypassword = $_POST['upass'];
$mypassword = hash('sha512', $mypassword.$salt);
您在注册时将salt添加到密码哈希中,但在尝试登录时不会添加它。
我还强烈建议您不要直接POST到数据库查询中,而是将mysql_real_escape用于查询中使用的每个POST变量。更好的是使用准备好的陈述。
Doest有帮助吗?
答案 1 :(得分:0)
我没有看到您的登录脚本中使用“salt”的位置。也许尝试以下方法:
$mypassword = hash('sha512', $mypassword . $salt);
答案 2 :(得分:0)
您的$_POST['upass'];变量为空。检查您的表单字段是否实际上被称为upass。
基于这条信息:
>> $salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
'~Z`!@#$%I^&*()_-+Q=}]{[\\|"><'
>> hash('sha512', 'poop'.$salt);
'4e4d252a08ac4c35c2917b4fc715fef13bac2b686c7ebc8f8256765bd584a89634df3fa455ed73c1fbec84d442f11d5e064749396dcb1c0f1525f82c1b0ea57a'
>> hash('sha512', ''.$salt);
'bffbc4f94f40d0cece6774ed9ec792b03ad5362edf768d190913d033c46ad4af4e2cbe1d42134f58da402efb7d3209b7e9b62ff3e81caf6341262b24dd300e9a'