![](/img/trans.png)
[英]Why I am getting access to the admin panel without sending username and password by using php cURL
[英]I am Unable to access my admin panel with my password and email. This is PHP and SQL related
提示指定的电子邮件地址或密码不正确。 我使用此代码将密码插入数据库
UPDATE author SET password = MD5('pass') WHERE id = 1
我正在使用PHP 5.4.3。 一切都很好,但是为什么不起作用呢? 请帮忙
这是我的代码:
<?php
function userIsLoggedIn()
{
if (isset($_POST['action']) and $_POST['action'] == 'login')
{
if (!isset($_POST['email']) or $_POST['email'] == '' or
!isset($_POST['password']) or $_POST['password'] == '')
{
$GLOBALS['loginError'] = 'Please fill in both fields';
return FALSE;
}
$password = md5($_POST['password'] . 'ijdb');
if (databaseContainsAuthor($_POST['email'], $password))
{
session_start();
$_SESSION['loggedIn'] = TRUE;
$_SESSION['email'] = $_POST['email'];
$_SESSION['password'] = $password;
return TRUE;
}
else
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
$GLOBALS['loginError'] =
'The specified email address or password was incorrect.';
return FALSE;
}
}
if (isset($_POST['action']) and $_POST['action'] == 'logout')
{
session_start();
unset($_SESSION['loggedIn']);
unset($_SESSION['email']);
unset($_SESSION['password']);
header('Location: ' . $_POST['goto']);
exit();
}
session_start();
if (isset($_SESSION['loggedIn']))
{
return databaseContainsAuthor($_SESSION['email'], $_SESSION['password']);
}
}
function databaseContainsAuthor($email, $password)
{
include 'db.inc.php';
try
{
$sql = 'SELECT COUNT(*) FROM author
WHERE email = :email AND password = :password';
$s = $pdo->prepare($sql);
$s->bindValue(':email', $email);
$s->bindValue(':password', $password);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
function userHasRole($role)
{
include 'db.inc.php';
try
{
$sql = "SELECT COUNT(*) FROM author
INNER JOIN authorrole ON author.id = authorid
INNER JOIN role ON roleid = role.id
WHERE email = :email AND role.id = :roleId";
$s = $pdo->prepare($sql);
$s->bindValue(':email', $_SESSION['email']);
$s->bindValue(':roleId', $role);
$s->execute();
}
catch (PDOException $e)
{
$error = 'Error searching for author roles.';
include 'error.html.php';
exit();
}
$row = $s->fetch();
if ($row[0] > 0)
{
return TRUE;
}
else
{
return FALSE;
}
}
如上所示,密码检查代码的主要问题是数据库中存储的MD5哈希与PHP代码中传递的用于检查密码验证的MD5哈希之间不匹配。
在表中,您存储了裸密码MD5哈希,没有盐字符串:
UPDATE author SET password = MD5('pass') WHERE id = 1
但是,当在PHP代码中验证输入密码时,您将附加一个盐字符串'ijdb'
:
// This appends a salt 'idjb' to the input password before hashing
$password = md5($_POST['password'] . 'ijdb');
要在现有状态下更正此错误,您需要向数据库中添加相同的盐值以重新哈希密码。 单独执行此操作无需修改现有的PHP代码(其中$the_password
是您要存储和测试的管理员密码):
UPDATE author SET password = MD5(CONCAT($the_password, 'ijdb'))
正如上面的评论中提到的,MD5多年来一直被认为不足且不安全,无法进行密码散列,并且4个字符的盐太短了以至于无法有效发挥作用。 从PHP 5.5开始,并为5.3+开发了特殊的兼容性库 ,PHP支持bcrypt,可大大改善密码哈希。
请查看如何在PHP中使用bcrypt进行密码哈希,以获取有关如何开始使用password_hash()
和password_verify()
出色答案
此外,PHP社区的勇敢而又熟练的成员组成了PHP The Right Way ,其中包含有关密码哈希的部分 。 通常,该网站非常好,建议您在学习PHP的过程中对其进行回顾。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.