0

这可能不安全,但忽略它。我做了一个简单的主页,包括登录、注册和注销。但是我在我的数据库中存储密码时遇到了问题。它看起来有点散列/盐渍。当我自己不对其进行哈希处理时,我不太了解。事实上,我根本没有加盐的经验,所以请不要提供专业的解决方案。

这是注册后在数据库中的样子: 数据库具有以下属性:id、用户名、密码、电子邮件:

9、测试,*94BDCEBE19083CE,test@mail.com

但应该是这样的:

9、测试,测试,test@mail.com

我的registration.php看起来像这样:

<html>
    <head>
        <link rel="stylesheet" type="text/css" href="styles.css">
    </head>
    <body>
        <?php
        // loggin in and selects the database
        include ("dbConfig.php");

        //Input vaildation and the dbase code
        if ( $_GET["op"] == "reg" )
         {
         $bInputFlag = false;
         foreach ( $_POST as $field )
            {
            if ($field == "")
           {
           $bInputFlag = false;
           }
            else
           {
           $bInputFlag = true;
           }
            }
         // If we had problems with the input, exit with error
         if ($bInputFlag == false)
            {
            die( "Problem with your registration info. "
           ."Please go back and try again.");
            }

         // Fields are clear, add user to database
         //  Setup query
         $q = "INSERT INTO dbUsers (username, password , email ) "
            ."VALUES ('".$_POST["username"]."', "
            ."PASSWORD('".$_POST["password"]."'), "
            ."'".$_POST["email"]."')";
         //  Run query
         $r = mysql_query($q);

         // Make sure query inserted user successfully
         if ( !mysql_insert_id() )
            {
            die("Error: User not added to database.");
            }
         else
            {
            // Redirect to thank you page.
            Header("Location: register.php?op=thanks");
            }
         } // end if


        //The thank you page
        elseif ( $_GET["op"] == "thanks" )
         {
         echo "<form action='members.php' method='POST'>";
         echo "<div class='panel'> <span><font color='lime'>Thanks for registering!</font></span>";
         echo "<label><input type='submit' class ='button' value='Back'></label></div></form>";
         }

        //The web form for input ability
        else
         {
         echo  "
         <div class='box'>
            <h1>Registration</h1>
            <form action=\"?op=reg\" method=\"POST\">
                <label> 
                    <span>Username</span>
                    <input autocomplete='off' class='input_text' name='username'>   
                </label>
                <label>
                    <span>Password</span>
                    <input autocomplete='off' class='input_text' type='password' name='password'>
                </label>
                <label> 
                    <span>Email</span>
                    <input autocomplete='off' class='input_text' name='email'>  
                </label>
                <label> 
                    <input type='submit' class='button' value='Registrer'>  
                </label>
            </form>
         </div>";
         }
        ?>
    </body>
</html>
4

1 回答 1

4

只需PASSWORD()从 SQL 语句中删除该函数。

所以你必须像这样修改你的代码:

$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".$_POST["username"]."', "
        ."'".$_POST["password"]."', "
        ."'".$_POST["email"]."')";

请注意,这是不安全的,因为 SQL 注入是可能的。您可以使用带有函数的准备好的语句mysqli_*来防止这种情况。如果你不能使用mysqli_*你也可以使用mysql_real_escape_string().

您的代码将如下所示:

$q = "INSERT INTO dbUsers (username, password , email ) "
        ."VALUES ('".mysql_real_escape_string($_POST["username"])."', "
        ."'".mysql_real_escape_string($_POST["password"])."', "
        ."'".mysql_real_escape_string($_POST["email"])."')";
于 2012-08-25T14:27:27.860 回答