无法使用php中的真实密码登录
[英]Can't login with real password in php
问题描述
I've a registration form as well as login form. 
我有一个注册表格和登录表格。 I've used md5 encryption in my registration form and it's working fine. 我已经在注册表格中使用了md5加密,并且工作正常。 But when I'm trying to login with real password like (123) it's not logging me in. On the other hand, when I copy paste that md5 encryption in password field, it's then logging me in. Please help me about this! 但是,当我尝试使用(123)之类的真实密码登录时,它并没有登录。另一方面,当我在md字段中复制粘贴md5加密时,它也正在登录。请帮助我! Thank you! 谢谢!
Here is my coding: 这是我的编码:
<?php
if (isset($_POST['submit'])) {
$user_name = $_POST['username'];
$user_email = $_POST['email'];
$user_pass = $_POST['password'];
$query = "SELECT * FROM users where Email = '" . $_POST["email"] . "'";
$result = $obj->run_query($query);
if ($count = mysqli_num_rows($result) == 0) {
$query = "INSERT INTO users (Name,Email,Pass) VALUES ('$user_name','$user_email', md5('$user_pass'))";
$result = $obj->run_query($query);
echo "<script>alert('You have successfully Registered!')</script>";
echo "<script>window.open('welcome.php','_self')</script>";
} else {
echo "<script>alert('This user email $user_email is already exist!')</script>";
}
}
// login script
if (isset($_POST['login'])) {
$name = $_POST['name'];
$email = $_POST['email'];
$password = $_POST['pass'];
$query = "SELECT * FROM users WHERE Email = '$email' AND Pass = '$password'";
$result = $obj->run_query($query);
if ($count = mysqli_num_rows($result) > 0) {
$_SESSION['email'] = $email;
$_SESSION['name'] = $name;
echo "<script>window.open('welcome.php','_self')</script>";
}
else
{
echo "<script>alert('Your email or password is incorrect!')</script>";
}
}
?>
1 个解决方案
解决方案1
3 已采纳 2016-02-29 18:47:01
As stated: you're comparing plain text from the POST array $password = $_POST['pass']; 如前所述:您正在比较POST数组中的纯文本$password = $_POST['pass']; to the MD5 in your table. 到表中的MD5。
That should read as $password = md5($_POST['pass']); 应该读为$password = md5($_POST['pass']);
I also stated that you shouldn't go live with this, "ever" . 我还说过, “永远”都不要接受这个。 If it is a live site, I suggest you put it on hold until you use a safe hashing function that is of "this century". 如果它是实时站点,建议您暂停使用,直到使用安全的“本世纪”哈希函数为止。
MD5 is 30+ years old and is no longer considered safe to use now to hash/store passwords with. MD5已有30多年的历史,现在不再被认为可以安全地用于哈希/存储密码。
Consult the following: 请参阅以下内容:
- Is MD5 considered insecure? 是否认为MD5不安全?
- https://en.wikipedia.org/wiki/MD5 https://zh.wikipedia.org/wiki/MD5
Passwords 密码
Use one of the following: 使用以下之一:
- CRYPT_BLOWFISH CRYPT_BLOWFISH
-
crypt() -
bcrypt() -
scrypt() - On OPENWALL 在OPENWALL上
- PBKDF2 PBKDF2
- PBKDF2 on PHP.net PHP.net上的PBKDF2
- PHP 5.5's
password_hash()function.PHP 5.5的password_hash()函数。 - Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/ 兼容性包(如果PHP <5.5) https://github.com/ircmaxell/password_compat/
Other links: 其他连结:
Important sidenote about column length: 有关列长的重要旁注:
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). 如果确实要决定使用password_hash()或crypt,则必须注意,如果当前密码列的长度小于60,则需要将其更改为该长度(或更大)。 The manual suggests a length of 255. 手册建议长度为255。
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. 您将需要更改列的长度并以新的哈希值重新开始,以使其生效。 Otherwise, MySQL will fail silently. 否则,MySQL将静默失败。
Your present code is also open to SQL injection . 您当前的代码也可以进行SQL注入 。 Use mysqli with prepared statements , or PDO with prepared statements . 将mysqli与预处理语句一起使用,或将PDO与预处理语句一起使用 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.