0

我创建了一个登录+注册站点。注册页面工作正常,也可以登录,除了当我必须输入密码时,我必须输入加密版本,md5 ...我已经在注册页面完成,以便他们的密码被加密。我怎样才能在登录页面让他们不需要写他们的 md5 密码,只是他们的正常密码?

register.php 看起来像:

<?

$reg = @$_POST['reg'];
//declaring variables to prevent errors
$fn = ""; //First Name
$ln = ""; //Last Name
$un = ""; //Username
$em = ""; //Email
$em2 = ""; //Email 2
$pswd = ""; //Password
$pswd2 = ""; // Password 2
$d = ""; // Sign up Date
$u_check = ""; // Check if username exists
//registration form
$fn = strip_tags(@$_POST['fname']);
$ln = strip_tags(@$_POST['lname']);
$un = strip_tags(@$_POST['username']);
$em = strip_tags(@$_POST['email']);
$em2 = strip_tags(@$_POST['email2']);
$pswd = strip_tags(@$_POST['password']);
$pswd2 = strip_tags(@$_POST['password2']);
$d = date("Y-m-d"); // Year - Month - Day

if ($reg) {
if ($em==$em2) {
// Check if user already exists
$u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
if ($check == 0) {
//check all of the fields have been filed in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
// check that passwords match
if ($pswd==$pswd2) {
// check the maximum length of username/first name/last name does not exceed 25   characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the maximum length of password does not exceed 25 characters and is not less   than 5 characters
if (strlen($pswd)>30||strlen($pswd)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
//encrypt password and password 2 using md5 before sending to database
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
$query = mysql_query("INSERT INTO users VALUES       ('','$un','$fn','$ln','$em','$pswd','$d','0')");
die("<h2>Welcome to InstaWord!</h2>Login to your account to get started ...");
}
}
}
else {
echo "Your passwords don't match!";
}
}
else
{
echo "Please fill in all of the fields";
}
}
else
{
echo "Username already taken ...";
}
}
else {
echo "Your E-mails don't match!";
}
}
?>
<table class="homepageTable">
   <tr>
       <td width="60%" valign="top">
        <h2>Share your texts!</h2>
        <img src="img/animation.gif" width="930">
       </td>
       <td width="40%" valign="top">
        <h2>Sign up</h2>
       <form action="#" method="post">
       <input type="text" size="25" name="fname" placeholder="First Name" value="<? echo   $fn; ?>">
       <input type="text" size="25" name="lname" placeholder="Last Name" value="<? echo $ln; ?>">
       <input type="text" size="25" name="username" placeholder="Username" value="<?   echo $un; ?>">
       <input type="text" size="25" name="email" placeholder="Email" value="<? echo $em; ?>">
       <input type="text" size="25" name="email2" placeholder="Repeat Email" value="<? echo $em2; ?>">
       <input type="password" size="25" name="password" placeholder="Password">
       <input type="password" size="25" name="password2" placeholder="Repeat Password">  <br />
       <input type="submit" name="reg" value="Sign Up!">
       </form>
       </td>
      </tr>
     </table>
   </body>
 </html>

login.php 看起来像这样:

    <?php

session_start();


//This displays your login form

function index(){


echo "<form action='?act=login' method='post'>" 

."Username: <input type='text' name='username' size='30'><br>"

."Password: <input type='password' name='password' size='30'><br>"

."<input type='submit' value='Login'>"

."</form>"; 


}


//This function will find and checks if your data is correct

function login(){


//Collect your info from login form

$username = $_REQUEST['username'];

$password = $_REQUEST['password'];



//Connecting to database

$connect = mysql_connect("myserver", "username", "password");

if(!$connect){

die(mysql_error());

}


//Selecting database

$select_db = mysql_select_db("database_name", $connect);

if(!$select_db){

die(mysql_error());

}


//Find if entered data is correct


$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

$row = mysql_fetch_array($result);

$id = $row['id'];


$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");

$row2 = mysql_fetch_array($select_user);

$user = $row2['username'];


if($username != $user){

die("Username is wrong!");

}



$pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");

$row3 = mysql_fetch_array($pass_check);

$email = $row3['email'];

$select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id' AND email='$email'");

$row4 = mysql_fetch_array($select_pass);

$real_password = $row4['password'];


if($password != $real_password){

die("Your password is wrong!");

}




//Now if everything is correct let's finish his/her/its login


session_register("username", $username);

session_register("password", $password);


echo "Welcome, ".$username." please continue on our <a href=index.php>Index</a>";





}


switch($act){


default;

index();

break;


case "login";

login();

break;


}

?>

请帮我解决这个问题...

4

3 回答 3

3

您在登录时没有使用 md5 进行检查....

使用$password = md5($_REQUEST['password']) ; 在你的login function().

这将获取普通密码并使用数据库中的加密版本检查它,然后将成功登录用户。

希望这可以帮助。

于 2012-05-21T05:59:31.870 回答
1

您不应该将 astrip_tags()应用于$_POST['password'],只需将传入值提供给密码散列函数。

为了保护您的用户密码,您需要做md5的比散列密码更好。你需要

  1. 更好的哈希算法:BCrypt hash
  2. 添加随机盐值

好消息是你可以使用一个插件库并使用它:PHPass

require('PasswordHash.php');

$pwdHasher = new PasswordHash(8, FALSE);

// $hash is what you would store in your database
$hash = $pwdHasher->HashPassword( $_POST['password'] );

// $hash would be the $hashed stored in your database for this user
$checked = $pwdHasher->CheckPassword($_POST['password'], $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}
于 2012-05-21T05:59:50.303 回答
0

当您将详细信息传递给 sql 查询并检查正确的登录详细信息时,使用 md5() 加密输入密码。

$password_encrypt = md5($password);
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password_encrypt '");
于 2012-05-21T05:59:14.437 回答