[英]Simple login checking password
What am I doing wrong here: 我在这做错了什么:
<?php
if (isset($_POST['submitted'])) {
$errors = array();
require_once ('mysql_connect.php');
session_start();
$username = $_POST["username"]; // This is the inputted username from the form in Login.html
$password = $_POST["password"]; // This is the inputted password from the form in Login.html
if (empty($errors)) {
$query="SELECT username FROM users WHERE username='$username' AND password='SHA($password)'";
$result = mysql_query($query);
// Mysql_num_row is counting table row
if (mysql_num_rows($result) == 1) {
$_SESSION["username"] = $username; // Creates a cookie saving the username
$_SESSION["loggedIn"] = true; // Creates a cookie saying the user is logged in
// Show thank you message
echo '<h3 style="color:green;">Thank You!</h3>
<span style="color:green;">You have been logged in.</span>';
} else {
echo '<font color="red">You could not be logged in, please make sure your username and password is correct.</font>';
foreach ($errors as $msg) {
echo " - <font color=\"red\">$msg</font><br />\n";
}
}
} else {
echo '<font color="red"><h3>Error!</h3>
The following error(s) occured:<br /></font>';
foreach ($errors as $msg) {
echo " - <font color=\"red\">$msg</font><br />\n";
}
}
}
?>
I get a: 我得到一个:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /login.php on line 19
Also is the way I SHA the password correct? 我的密码是否正确?
The problem is that your MySQL query is causing an error, which means that your $result
doesn't actually contain a result resource. 问题是您的MySQL查询导致错误,这意味着您的
$result
实际上不包含结果资源。
You need to remove the ''
from around SHA($password)
in your query, and instead put them around the password value, like so: 您需要在查询中删除来自
SHA($password)
的''
,而是将它们放在密码值周围,如下所示:
$query="SELECT username FROM users WHERE username='$username' AND password=SHA('$password')";
Also is the way I SHA the password correct?
我的密码是否正确?
That depends on how the passwords were hashed when they were inserted into the database. 这取决于密码在插入数据库时如何进行哈希处理。 MySQL's
SHA()
is the same as its SHA-1()
: MySQL的
SHA()
与SHA-1()
:
Calculates an SHA-1 160-bit checksum for the string, as described in RFC 3174
计算字符串的SHA-1 160位校验和,如RFC 3174中所述
Which is also the same as PHP's sha1()
; 这也和PHP的
sha1()
; so, for example, if the passwords in the database are SHA-1 hashes that were created using PHP's sha1()
, it should be fine. 所以,例如,如果数据库中的密码是使用PHP的
sha1()
创建的SHA-1哈希,那么应该没问题。
Side Notes 附注
You should use PHP's crypt()
or hash()
for hashing passwords, rather than SHA-1 . 您应该使用PHP的
crypt()
或hash()
来获取散列密码, 而不是SHA-1 。 For example usage, refer to the PHP documentation . 有关示例用法, 请参阅PHP文档 。
You should be cleaning/escaping all user-provided data before using any of it in a database query. 在数据库查询中使用任何数据之前,您应该清除/转义所有用户提供的数据。 This is to stop SQL injection attacks .
这是为了阻止SQL注入攻击 。 Better yet, use prepared statements and parameterized queries.
更好的是,使用预准备语句和参数化查询。 Refer to this answer for more information.
有关更多信息,请参阅此答案 。
Don't use '' by SHA function 不要使用''by SHA功能
$query="SELECT username FROM users WHERE username='$username' AND password='SHA($password)'";
And offcourse don't remember escape your data. 并且当然不记得逃避您的数据。
Why did you put a @ in @mysql_query($query); 你为什么在@mysql_query($ query)中放了一个@; ?
? If you have a MYSQL error you should handle it correctly and not ignore it (I assume you have an error there).
如果你有一个MYSQL错误,你应该正确处理它而不是忽略它(我假设你有错误)。 It would help you understand where your bug is coming from.
它可以帮助您了解您的bug来自何处。
Also, you can do the SHA in PHP (which depends on your architecture could be better or worse for your project). 此外,您可以在PHP中执行SHA(这取决于您的架构可能对您的项目更好或更差)。
http://php.net/manual/en/function.sha1.php http://php.net/manual/en/function.sha1.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.