我有一个PHP登录表单,它使用MD5哈希来确保密码安全(我知道MD5很糟糕,我稍后会更改它;它现在只是用于开发目的(。当我在密码比较上使用==
时,它不会让我登录。
md5ing是否返回了一个字符串或其他什么,可能是因为在我的数据库中,我只有单词password的字符串,就好像它是MD5’ed("5f4dcc3b5aa765d61d83"(一样?这是我登录的开始阶段,我将添加准备语句以及所有这些,在我更好地研究它们并使其发挥作用之后。
另外,我得到的域是运行PHP 5.3.28版本,所以password_verify()
不适用于这个开发站点。
索引页面(登录(
<?php
session_start();
if (isset($_POST['username'])) {
// Include the databas connection script
include_once("includes/connect.inc.php");
// Set the posted data from the form into local variables
$usname = $_POST['username'];
$paswd = $_POST['password'];
$usname = mysqli_real_escape_string($connect, $usname);
$sql = "SELECT * FROM dealerEmployees WHERE firstName = '$usname' LIMIT 1";
$query = mysqli_query($connect, $sql);
$row = mysqli_fetch_row($query);
$uid = $row[0];
$dbUsname = $row[1];
$firstName = $row[1];
$lastName = $row[2];
$dbPassword = $row[3];
$permission = $row[4];
$address = $row[5];
$email = $row[6];
$phone = $row[7];
$profilePhoto = $row[8];
$bannerPhoto = $row[9];
// Check if the username and the password they entered was correct
if ($usname == $dbUsname) {
if($paswd == $dbPassword){
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
//$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
}
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
}
?>
<form id="form" action="index.php" method="post" enctype="multipart/form-data">
<input type="text" name="username" placeholder="Please Enter Your First Name"/> <br />
<input type="password" name="password" placeholder="Please Enter Your Password"/> <br />
<button class="button" type="submit">Log In</button>
</form>
首先,这是一个非常糟糕的想法:
$paswd = strip_tags($_POST['password']);
如果我小心地生成强密码,那么我的密码很有可能是类似c5<dZIuJYWUP3>y
的密码。你刚刚把我的密码变成了非常破解的c5y
。
使用MD5也是一个非常糟糕的主意。使用password_hash
和password_verify
可以利用PHP对行业标准bcrypt算法的内置处理没有理由练习编写糟糕的代码
md5ing是否返回字符串或其他内容?
是的,它将返回一个由0-9和a-f字符组成的32个字符的字符串。例如,password
的MD5散列是5f4dcc3b5aa765d61d8327deb882cf99
。
但当我在密码比较上使用==时,它不会让我登录。
然后,用户输入的密码的MD5哈希与您存储在数据库中的MD5散列不匹配。
为了便于调试,可以考虑手动编辑数据库行以使用哈希5f4dcc3b5aa765d61d8327deb882cf99
,并尝试使用密码password
登录。如果这样做有效,那么您要么没有在数据库中存储MD5哈希,要么在数据库中保存了错误的MD5哈希——可能是因为您的strip_tags
内容。
如果没有,那么您就有了更基本的东西——通过在SELECT *
查询中使用mysqli_fetch_assoc
而不是mysqli_fetch_row
,可能会使调试变得更容易。
我在您的登录脚本中看到了很多不安全的地方。你需要使用事先准备好的语句。或者任何有线索的人都可以注入你,删除你的数据库或以管理员身份登录。您还应该使用sha512进行哈希,这几乎是不可能解密的。
但对于你的问题:
=就是分配一些东西。
==是检查它们是否是相同的基本值。
===是检查它们是否是相同的值和相同的类型。
您在if语句中将$paswd分配给$dbPassword,而不是检查它们是否匹配。更正if:
// Check if the username and the password they entered was correct
if ($usname === $dbUsname && $paswd === $dbPassword) {
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
这是一个非常安全的登录脚本。这只是其中的一部分,但如果你读了它,它真的会让你明白你需要做什么。没有冒犯,但你的剧本不好。
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_'-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
if ($usname == $dbUsname && $paswd = $dbPassword) {
为了执行这句话,您要做的是设置变量$paswd
值$dbPassword
。
比较应该或多或少是这样的:
if (($usname == $dbUsname) && ($paswd == $dbPassword)) {