1

下面的代码来自一个用 PHP 编写的登录脚本。它检查密码的数据库使用 MD5 加密密码,但是当登录脚本检查数据库的密码时,它正在检查未加密的原始密码。我熟悉 md5() 函数,但如何将其合并到以下内容中:

<?php
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password) {
    $connect = mysql_connect("host", "user", "password") or die("Couldn't connect");
    mysql_select_db("dbname") or die("Couldn't find the database");

    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        if ($username == $dbusername && $password == $dbpassword) {
            echo "You're in! Click <a href='../member.php'>here</a> to enter the member page.";
            $_SESSION['username'] = $username;
        }else{
            echo "Incorrect password";
        }
    }else{
        die("That username does not exist.");
    }
}else{
    die("Please enter a valid username and password.");
}
?>
4

2 回答 2

5

您应该检查和查询数据库以查找匹配项,而不是将结果记录下来并在本地检查它们。照这样说:

$password = md5($_POST['password']);

然后也改变:

SELECT * FROM users WHERE username='$username' AND password='$password'

但我也想看看使用PDO而不是将值直接放在 SQL 查询中。至少你应该使用它mysql_real_escape_string来避免注入攻击。

于 2012-10-01T00:13:03.793 回答
0 
    $salt=sha1($postpassword);
    $arr= strlen($postpassword);
    $count=ceil($arr/2);
    $stringarr=str_split($postpassword,$count);
    $password1=hash("sha512", $stringarr['0']); 

    $password2=$salt . ( hash( 'whirlpool', $salt . $stringarr['1'] ) );
    return $password1.$password2;
于 2013-11-14T07:23:44.067 回答