有条件的PHP md5
[英]PHP md5 in conditional
问题描述
I have a simple script that i am trying to do a simple md5 user/password om. 
我有一个简单的脚本,我正在尝试做一个简单的md5用户/密码om。 the problem i am having is that regardless of what i put in the user/pass fields it matches the conditionals and allows the include to load 我遇到的问题是,无论我在用户/通过字段中输入什么内容,它都与条件匹配,并允许包含加载
<?php
if(md5($_POST['user']) === 'md5user' && md5($_POST['pass']) === 'md5pass'):
include("secure.php");
else: ?>
<body>
<div class="container" style="width: 20%;">
<div class="row-fluid well" style="background: #333; margin-top: 25%;">
<p class="lead">Inventory Update Login</p>
<form class="form" method="POST" action="secure.php">
<label>User Name</label><input class="input-block-level" type="text" name="user"></input><br/>
<label>Password</label><input class="input-block-level" type="password" name="pass"></input><br/>
<input class="btn btn-primary" type="submit" name="submit" value="Go"></input>
</form>
<div class="alert alert-error">
<h4>Warning!</h4>
Best check yo self, you're not supposed to be here by accident. If you are here to do something naughty, keep in mind we are a company owned by people with guns!
</div>
</div>
</div>
</body>
secure.php: secure.php:
<?php
$secretkey = "12345";
print_r($_POST);
?>
<html>
<head>
<link rel="stylesheet" href="https://dev.zinkcalls.com/media/jui/css/bootstrap.min.css" type="text/css" />
<style>
body {color: #fff;}
.well, .brand, .navbar-inner, .popover, .btn, .tooltip, input, select, textarea, pre, .progress, .modal, .add-on, .alert, .table-bordered, .nav>.active>a, .dropdown-menu, .dropdown-menu>li>a:hover, .tooltip-inner, .badge, .label, .img-polaroid {
background-image: none !important;
border-collapse: collapse !important;
box-shadow: none !important;
-moz-box-shadow: none !important;
-webkit-box-shadow: none !important;
border: none;
text-shadow: none !important;
}
</style>
</head>
<body>
<div class="container" style="width: 20%;">
<div class="row-fluid well" style="background: #333; margin-top: 25%;">
<?php if((!isset($_POST['key']) or ($_POST['key'] != $secretkey)) and !isset($_POST['update'])): ?>
<div class="alert alert-error">
<h4>Whoaa!</h4>You need the secret key bro.
</div>
<form class="form" method="POST" action="secure.php">
<label>Secret Key</label><input class="input-block-level" type="text" name="key" /><br/>
<input class="btn btn-primary" type="submit" name="submit" value="Enter Secret Key" />
</form>
<?php elseif(($_POST['key'] = $secretkey) and !isset($_POST['update'])): ?>
<div class="alert alert-error">
<h4>Careful!</h4>
You may destroy everything in one click of the button. Proceed?
</div>
<form class="form" method="POST" action="secure.php">
<input class="btn btn-primary" type="submit" name="update" value="Yes" />
<input class="btn" type="reset" name="abort" value="No" />
</form>
<?php else:?>
<div class="alert alert-success">
<?php include("inventory_query.php"); ?>
<h4>Done!</h4>
Now get the hell outta here.
</div>
<?php endif; ?>
<hr />
<form class="form" method="POST" action="inventory.php">
<input class="btn btn-primary" type="submit" name="logout" value="Logout" />
</form>
</div>
</div>
</body>
</html>
2 个解决方案
解决方案1
4 已采纳 2014-07-21 19:49:51
Your form is submitted to secure.php and since that file doesn't contain this check (I assume) everything in it is just executed/displayed. 您的表单已提交到secure.php并且由于该文件不包含此检查(我认为),因此其中的所有内容都仅被执行/显示。 Remove the action="secure.php" from the form -tag to POST to self. 从-tag form删除action="secure.php" ,以发布到自己。
PS. PS。 learn about sessions if you want a more persistent login. 如果您想要更持久的登录,请了解会话 。
解决方案2
0 2014-07-21 19:55:44
Ok, firstly, md5 should not be used with passwords for security reasons. 好的,首先,出于安全原因,不应将md5与密码一起使用。 Please read into the topic, as I will not go into much detail. 请仔细阅读本主题,因为我将不做过多详细介绍。
That being said, here is the issue you are experiencing. 话虽如此,这就是您遇到的问题。
md5 is going to return an md5 hash of the supplied string. md5将返回所提供字符串的md5哈希。 For example: 例如:
echo md5('md5pass'); // 65ed8a5eec59a1a6f75ec845294aead8
That will not change. 那不会改变。 It is a new string and can not be compared to it's raw counterpart, in this case 'md5pass'. 它是一个新字符串,不能与原始字符串进行比较,在本例中为“ md5pass”。 What you can do, would be to compare the hash of the user supplied value to an expected value. 您可以做的是将用户提供的值的哈希值与期望值进行比较。
In this case, md5($_POST['pass']) === md5('md5pass') , would only evaluate if $_POST['pass'] is 'md5pass'. 在这种情况下, md5($_POST['pass']) === md5('md5pass')仅在$_POST['pass']为'md5pass'时评估。
Again, please look into hashing your passwords . 同样,请查看对您的密码进行哈希处理 。
Edit: 编辑:
@Peter van der Wal is correct as well. @Peter van der Wal也是正确的。 You are never going to execute the check you want until you correct the form action. 在更正表单操作之前,您永远不会执行想要的检查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.