stackoom
  简体   繁体   中英

I am Unable to access my admin panel with my password and email. This is PHP and SQL related

 原文  2014-10-05 20:26:36       php/ mysql/ sql

Question

It says The specified email address or password was incorrect. I used this code to insert my password in database 

UPDATE author SET password = MD5('pass') WHERE id = 1

I am using PHP 5.4.3 . Everything is fine but why it is not working? Please help

This is my code: 

 <?php

  function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
if (!isset($_POST['email']) or $_POST['email'] == '' or
  !isset($_POST['password']) or $_POST['password'] == '')
{
  $GLOBALS['loginError'] = 'Please fill in both fields';
  return FALSE;
}

$password = md5($_POST['password'] . 'ijdb');

if (databaseContainsAuthor($_POST['email'], $password))
{
  session_start();
  $_SESSION['loggedIn'] = TRUE;
  $_SESSION['email'] = $_POST['email'];
  $_SESSION['password'] = $password;
  return TRUE;
}
else
{
  session_start();
  unset($_SESSION['loggedIn']);
  unset($_SESSION['email']);
  unset($_SESSION['password']);
  $GLOBALS['loginError'] =
      'The specified email address or password was incorrect.';
  return FALSE;
  }
}

   if (isset($_POST['action']) and $_POST['action'] == 'logout')
  {
   session_start();
   unset($_SESSION['loggedIn']);
   unset($_SESSION['email']);
   unset($_SESSION['password']);
   header('Location: ' . $_POST['goto']);
   exit();
   }

session_start();
if (isset($_SESSION['loggedIn']))
{
return databaseContainsAuthor($_SESSION['email'], $_SESSION['password']);
}
}

function databaseContainsAuthor($email, $password)
{
include 'db.inc.php';

try
{
$sql = 'SELECT COUNT(*) FROM author
    WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author.';
include 'error.html.php';
exit();
}

$row = $s->fetch();

if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}

function userHasRole($role)
{
 include 'db.inc.php';

 try
 {
  $sql = "SELECT COUNT(*) FROM author
    INNER JOIN authorrole ON author.id = authorid
    INNER JOIN role ON roleid = role.id
    WHERE email = :email AND role.id = :roleId";
  $s = $pdo->prepare($sql);
  $s->bindValue(':email', $_SESSION['email']);
  $s->bindValue(':roleId', $role);
  $s->execute();
 }
catch (PDOException $e)
{
$error = 'Error searching for author roles.';
include 'error.html.php';
exit();
}

$row = $s->fetch();

if ($row[0] > 0)
{
 return TRUE;
}
else
{
 return FALSE;
 }
  }

1 answers

solution1
 1 ACCPTED  2014-10-05 21:31:55

To make the existing code work:

The main issue with your password checking code as you have it above is a mismatch between the MD5 hashes as stored in the database and as passed in PHP code to check for password verification.

In your table, you have stored the bare password MD5-hashed, with no salt string: 

UPDATE author SET password = MD5('pass') WHERE id = 1

But when validating the input password in PHP code, you are appending a salt string 'ijdb' : 

// This appends a salt 'idjb' to the input password before hashing
$password = md5($_POST['password'] . 'ijdb');

To correct this in its existing state, you would need to add the same salt into the database to rehash the password. Doing this alone requires no modification to the existing PHP code (where $the_password is the admin password you're storing and testing): 

UPDATE author SET password = MD5(CONCAT($the_password, 'ijdb'))

Improve hashing rather than stick with MD5:

As was mentioned in the comments above, MD5 has for several years been considered inadequate and insecure for password hashing, and a 4 character salt is far too short to be very effective. Starting with PHP 5.5, and with a special compatibility library developed for 5.3+, PHP supports bcrypt for vastly improved password hashing.

Please review How do I use bcrypt for password hashing in PHP for excellent answers on how to begin using password_hash() and password_verify()

Additionally, intrepid and skilled members of PHP community have assembled PHP The Right Way , which has a section on password hashing . In general, that website is excellent and I recommend reviewing it as you progress in learning PHP.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Why I am getting access to the admin panel without sending username and password by using php cURL Admin panel on my domain says wrong user & password . databsse, phpmyadmin related problem? I am Entering Correct Email id and Password in my Login.php page, But Shows Error After disable all the magento extension I am unable to access the site /Admin panel connection failed: SQLSTATE[HY000][1045] Access denied for 'username'@'localhost'(user password:YES) I am trying to connect php and my sql with PDO My admin panel and upload PHP form not submitting entries to email. I'm missing something I am Login my Backend page he is getting error Username and password does not match, But my email id and password are correct in MySQL Server Unable to access the admin section of my Wordpress site I'm trying to create and html page as a body for an email. How do I pass it into my setBody() using yiiMail?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM