[英]When entering a login password, password to be checked doesn't ==
我有一個PHP登錄表單,該表單使用MD5哈希來確保密碼安全(我知道MD5不好,以后我將對其進行更改;現在僅用於開發目的)。 當我在比較密碼時使用==
時,它將無法登錄。
md5ing是否返回字符串或其他東西,可能是因為在我的數據庫中,我只是擁有密碼一詞的字符串,就好像它是MD5一樣(“ 5f4dcc3b5aa765d61d83”)? 這是我登錄的開始階段,在我對其進行更好的研究並使其正常工作之后,還將添加prepare語句以及所有其他內容。
同樣,我得到的域正在運行PHP版本5.3.28,因此password_verify()
在此開發站點上將不起作用。
索引頁(登錄)
<?php
session_start();
if (isset($_POST['username'])) {
// Include the databas connection script
include_once("includes/connect.inc.php");
// Set the posted data from the form into local variables
$usname = $_POST['username'];
$paswd = $_POST['password'];
$usname = mysqli_real_escape_string($connect, $usname);
$sql = "SELECT * FROM dealerEmployees WHERE firstName = '$usname' LIMIT 1";
$query = mysqli_query($connect, $sql);
$row = mysqli_fetch_row($query);
$uid = $row[0];
$dbUsname = $row[1];
$firstName = $row[1];
$lastName = $row[2];
$dbPassword = $row[3];
$permission = $row[4];
$address = $row[5];
$email = $row[6];
$phone = $row[7];
$profilePhoto = $row[8];
$bannerPhoto = $row[9];
// Check if the username and the password they entered was correct
if ($usname == $dbUsname) {
if($paswd == $dbPassword){
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
//$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
}
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
}
?>
<form id="form" action="index.php" method="post" enctype="multipart/form-data">
<input type="text" name="username" placeholder="Please Enter Your First Name"/> <br />
<input type="password" name="password" placeholder="Please Enter Your Password"/> <br />
<button class="button" type="submit">Log In</button>
</form>
首先,這是一個非常糟糕的主意:
$paswd = strip_tags($_POST['password']);
如果我小心生成強密碼,很可能我的密碼可能類似於c5<dZIuJYWUP3>y
。 您剛剛將我的密碼變成了非常c5y
破解的c5y
。
使用MD5也是一個非常糟糕的主意。 使用password_hash
和password_verify
可以利用PHP對行業標准bcrypt算法的內置處理。 沒有理由練習編寫不良代碼。
md5ing是否返回字符串或其他內容?
是的,它將返回由0-9和af字符組成的32個字符串。 例如, password
的MD5哈希為5f4dcc3b5aa765d61d8327deb882cf99
。
但是,當我在比較密碼時使用==時,它將無法登錄。
然后,用戶輸入的密碼的MD5哈希與您存儲在數據庫中的MD5哈希不匹配。
為了便於調試,請考慮手動編輯數據庫行以使用哈希5f4dcc3b5aa765d61d8327deb882cf99
,然后嘗試使用密碼password
。 如果這行得通,則說明您不是在數據庫中存儲了MD5哈希,或者在數據庫中存儲了錯誤的 MD5哈希-可能是由於您的strip_tags
。
如果不是這樣,您將需要進行一些更基本的操作-通過在SELECT *
查詢中使用mysqli_fetch_assoc
而不是mysqli_fetch_row
可以使調試更加容易。
我發現您的登錄腳本中存在很多不安全因素。 您需要使用准備好的語句。 或者有任何線索的人都可以注入您並刪除您的數據庫或以管理員身份登錄。 您還應該使用sha512進行哈希處理,幾乎無法解密。
但對您的問題:
=是分配東西。
==用於檢查它們是否具有相同的基本值。
===用於檢查它們是否具有相同的值和相同的類型。
您是在if語句中將$ paswd分配給$ dbPassword,而不是檢查它們是否匹配。 更正了if:
// Check if the username and the password they entered was correct
if ($usname === $dbUsname && $paswd === $dbPassword) {
// Set session
$_SESSION['id'] = $uid;
$_SESSION['userId'] = $uid;
$_SESSION['username'] = $usname;
$_SESSION['firstName'] = $firstName;
$_SESSION['lastName'] = $lastName;
$_SESSION['password'] = $dbPassword;
$_SESSION['permission'] = $permission;
$_SESSION['address'] = $address;
$_SESSION['phone'] = $phone;
$_SESSION['email'] = $email;
$_SESSION['profilePhoto'] = $profilePhoto;
$_SESSION['bannerPhoto'] = $bannerPhoto;
// Now direct to users feed
header("Location: hub.php");
} else {
echo "<h2>Oops that username or password combination was incorrect.
<br /> Please try again.</h2>";
}
這是一個非常安全的登錄腳本。 它只是其中的一部分,但是,如果您閱讀了它,它確實應該讓您對需要做的事情有所了解。 無罪,但您的腳本不好。
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
if ($usname == $dbUsname && $paswd = $dbPassword) {
要執行這句話,您正在做的是設置變量$paswd
值$dbPassword
。
比較應該差不多是這樣的:
if (($usname == $dbUsname) && ($paswd == $dbPassword)) {
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.