PHP x==x but if statement says x!=x

I have a checklogin.php:

<?php

$host="localhost"; // Host name 
$username="user"; // Mysql username 
$password="pass"; // Mysql password 
$db_name="database1"; // Database name 
$tbl_name="users"; // Table name 
$lastLogDate=date("l, m/d/y, h:i:sa");
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT password FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$realpassword=mysql_result($result, 0);

define("ENCRYPTION_KEY", "!@#$%^&*");
function decrypt($encrypted_string, $encryption_key) {
    $iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
    return $decrypted_string;
}
$realpassword=decrypt($realpassword, ENCRYPTION_KEY);

if ($mypassword == $realpassword) {
session_register("myusername");
session_register("mypassword"); 
session_register("userid");
session_register("finalemail");
$sqldate="UPDATE userdata SET lastLog = '$lastLogDate' WHERE username = '$myusername'";
$resultdate=mysql_query($sqldate);
header("location:/home");
}
else {
echo "Wrong Username or Password<br>";

}
?>

When someone logs in with login.php, and the password they entered is the same as the password in the database after the decryption, it still says "wrong username or password". I added an echo to see if the decryption was working, but it returned correctly. I made a new account and tried to log in with that, and it worked. This only doesn't work with accounts before I added encryption, and I just encrypted the passwords myself. Maybe that's the problem?

Your problem is two-fold.

First, mcrypt pads your data with trailing null bytes before encoding (if you don't apply padding yourself, e.g. PKCS7); after decoding you need to strip those null bytes:

$realpassword = rtrim($realpassword, "\0");

Second, you shouldn't use encryption for passwords; instead, use the password hashing API; see this answer for an example.
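Both points of the answer above, as an added example that is not part of the original thread: the first helper reproduces the zero padding mcrypt leaves on a decrypted value (mcrypt was removed from PHP core in 7.2, so the padding is simulated with str_pad), and the login check goes beyond the answer by verifying with password_verify() and upgrading legacy rows on their first successful login. The function names, the returned array shape, the hash column and the sample password are assumptions made for the illustration.

```php
<?php
// Added illustration; names and sample values below are constructed.

// mcrypt zero-pads plaintext to the cipher block size (8 bytes for Blowfish)
// and returns the padding on decrypt. This helper reproduces that output.
function simulate_mcrypt_output(string $plain, int $block = 8): string {
    $len = (int) (ceil(strlen($plain) / $block) * $block);
    return str_pad($plain, $len, "\0");
}

// Login check that also migrates legacy rows to password_hash() output.
// $hash: value from a (hypothetical) hash column, null if not migrated yet.
// $legacy: value the old decrypt() returned, null once the row is migrated.
function check_login(string $entered, ?string $hash, ?string $legacy): array {
    if ($hash !== null) {
        $ok = password_verify($entered, $hash);
        $store = ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT))
            ? password_hash($entered, PASSWORD_DEFAULT)
            : null;
        return ['ok' => $ok, 'store' => $store];
    }
    if ($legacy === null) {
        return ['ok' => false, 'store' => null];
    }
    // Strip the null padding, then compare in constant time.
    $ok = hash_equals(rtrim($legacy, "\0"), $entered);
    return ['ok' => $ok, 'store' => $ok ? password_hash($entered, PASSWORD_DEFAULT) : null];
}

$entered = 'hunter22x';                       // constructed sample password
$legacy  = simulate_mcrypt_output($entered);  // 9 bytes padded to 16

// The comparison from checklogin.php next to the trimmed one.
var_dump($entered == $legacy);
var_dump($entered === rtrim($legacy, "\0"));
var_dump(bin2hex($legacy));

// First login upgrades the legacy row; the second login uses the hash only.
$first  = check_login($entered, null, $legacy);
$second = check_login($entered, $first['store'], null);
$wrong  = check_login('not-the-password', $first['store'], null);
var_dump($first['ok'], $second['ok'], $wrong['ok']);
```

The `store` value is what the caller would write back to the user's row; null means nothing needs updating.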

Maybe the old password was affected by those transforms:

$mypassword = stripslashes($mypassword);
$mypassword = mysql_real_escape_string($mypassword);
