[英]I am Unable to access my admin panel with my password and email. This is PHP and SQL related
It says The specified email address or password was incorrect. 提示指定的电子邮件地址或密码不正确。 I used this code to insert my password in database
我使用此代码将密码插入数据库
UPDATE author SET password = MD5('pass') WHERE id = 1
I am using PHP 5.4.3 . 我正在使用PHP 5.4.3。 Everything is fine but why it is not working?
一切都很好,但是为什么不起作用呢? Please help
请帮忙
This is my code: 这是我的代码:
<?php
function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
if (!isset($_POST['email']) or $_POST['email'] == '' or
!isset($_POST['password']) or $_POST['password'] == '')
{
$GLOBALS['loginError'] = 'Please fill in both fields';
return FALSE;
}
$password = md5($_POST['password'] . 'ijdb');
if (databaseContainsAuthor($_POST['email'], $password))
{
session_start();
$_SESSION['loggedIn'] = TRUE;
$_SESSION['email'] = $_POST['email'];
$_SESSION['password'] = $password;
return TRUE;
}
else
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
$GLOBALS['loginError'] =
'The specified email address or password was incorrect.';
return FALSE;
}
}
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
header('Location: ' . $_POST['goto']);
exit();
}
session_start();
if (isset($_SESSION['loggedIn']))
{
return databaseContainsAuthor($_SESSION['email'], $_SESSION['password']);
}
}
function databaseContainsAuthor($email, $password)
{
include 'db.inc.php';
try
{
$sql = 'SELECT COUNT(*) FROM author
WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
function userHasRole($role)
{
include 'db.inc.php';
try
{
$sql = "SELECT COUNT(*) FROM author
INNER JOIN authorrole ON author.id = authorid
INNER JOIN role ON roleid = role.id
WHERE email = :email AND role.id = :roleId";
$s = $pdo->prepare($sql);
$s->bindValue(':email', $_SESSION['email']);
$s->bindValue(':roleId', $role);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author roles.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
The main issue with your password checking code as you have it above is a mismatch between the MD5 hashes as stored in the database and as passed in PHP code to check for password verification. 如上所示,密码检查代码的主要问题是数据库中存储的MD5哈希与PHP代码中传递的用于检查密码验证的MD5哈希之间不匹配。
In your table, you have stored the bare password MD5-hashed, with no salt string: 在表中,您存储了裸密码MD5哈希,没有盐字符串:
UPDATE author SET password = MD5('pass') WHERE id = 1
But when validating the input password in PHP code, you are appending a salt string 'ijdb'
: 但是,当在PHP代码中验证输入密码时,您将附加一个盐字符串
'ijdb'
:
// This appends a salt 'idjb' to the input password before hashing
$password = md5($_POST['password'] . 'ijdb');
To correct this in its existing state, you would need to add the same salt into the database to rehash the password. 要在现有状态下更正此错误,您需要向数据库中添加相同的盐值以重新哈希密码。 Doing this alone requires no modification to the existing PHP code (where
$the_password
is the admin password you're storing and testing): 单独执行此操作无需修改现有的PHP代码(其中
$the_password
是您要存储和测试的管理员密码):
UPDATE author SET password = MD5(CONCAT($the_password, 'ijdb'))
As was mentioned in the comments above, MD5 has for several years been considered inadequate and insecure for password hashing, and a 4 character salt is far too short to be very effective. 正如上面的评论中提到的,MD5多年来一直被认为不足且不安全,无法进行密码散列,并且4个字符的盐太短了以至于无法有效发挥作用。 Starting with PHP 5.5, and with a special compatibility library developed for 5.3+, PHP supports bcrypt for vastly improved password hashing.
从PHP 5.5开始,并为5.3+开发了特殊的兼容性库 ,PHP支持bcrypt,可大大改善密码哈希。
Please review How do I use bcrypt for password hashing in PHP for excellent answers on how to begin using password_hash()
and password_verify()
请查看如何在PHP中使用bcrypt进行密码哈希,以获取有关如何开始使用
password_hash()
和password_verify()
出色答案
Additionally, intrepid and skilled members of PHP community have assembled PHP The Right Way , which has a section on password hashing . 此外,PHP社区的勇敢而又熟练的成员组成了PHP The Right Way ,其中包含有关密码哈希的部分 。 In general, that website is excellent and I recommend reviewing it as you progress in learning PHP.
通常,该网站非常好,建议您在学习PHP的过程中对其进行回顾。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.