0

我在我的 sql 数据库中查找和验证用户的加密密码时遇到问题。注册过程很好,它使用他们的 md5 加密密码创建他们的行,但是当尝试登录时,它不会识别他们的密码。这是我使用的东西:

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername = $_POST['myusername']; 
$mypassword = $_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='md5($mypassword)'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_start();
$_SESSION['login'] = "$myusername";
4

3 回答 3

0

尝试

mysql_connect($host, $username, $password)or die("cannot connect"); 
mysql_select_db($db_name)or die("cannot select DB");

// username and password sent from form 
$myusername = $_POST['myusername']; 
$mypassword = $_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM '".$tbl_name.". WHERE username='".$myusername."' and password='".md5($mypassword)."'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_start();
$_SESSION['login'] = $myusername;
于 2013-02-20T05:14:23.220 回答
0

将您的 $sql 替换为以下内容。我假设您在 $tbl_name -variable 中有正确的表名。

$sql="SELECT * FROM ".$tbl_name." WHERE username='".$myusername."' and password='".md5($mypassword)."'";
于 2013-02-20T06:18:08.977 回答
0

大声笑你的代码太复杂了,我提供了我制作的脚本!

使用 STMT 意味着没有 SQL 注入

如何加密您的密码(正确的方法!!!)

function Encrypt($text) {
  $cost = 12;
  $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
  $salt = sprintf("$2a$%02d$", $cost) . $salt;
  $altered_text = crypt($text, $salt);
  return $altered_text;
}

// Then use the code below to use the function

$password = Encrypt($password);

在您的登录中,请使用蛮力保护

这是蛮力保护代码

function BruteForce($user_id, $link) {
    $now = time();
    $timespan = $now - (2 * 60 * 60);
    if ($stmt = $link->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > '$timespan'")) {
        $stmt->bind_param('i', $user_id);
        $stmt->execute();
        $stmt->store_result(); 
        if ($stmt->num_rows > 5) {
            return true;
        } else {
            return false;
        }
        $stmt->close();
    }
}

然后使用下面的sql语句

CREATE TABLE `login_attempts` (
    `user_id` INT(11) NOT NULL,
    `time` VARCHAR(30) NOT NULL
) ENGINE=InnoDB

然后存储尝试

function StoreAttempt($user_id, $link) {
    $now = time();
    $stmt = $link->prepare("INSERT INTO login_attempts (user_id, time) VALUES (?, ?)");
    $stmt->bind_param("ss", $a, $b);
    $a = $user_id;
    $b = $now;
    $stmt->execute();
    $stmt->close();
}

然后在行动中使用它

// user_id = the users id after you get the users id
// link = the database connection

if (BruteForce($user_id, $link) === true) {
    // Too many login attempts
} else {
    // Store Attempt
    StoreAttempt($user_id, $link);
}

我建议您使用安全会话而不是普通会话

使用下面的代码

function SecureSession() {
    $session_name = 'SecureSession';
    $secure = true;
    $httponly = true;
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        die("Could not initiate a safe session (ini_set)");
    }
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
    session_name($session_name);
    session_start(); 
    session_regenerate_id(true);
}

现在开始会议

SessionSecure();

如果您打算使用 PHP SELF

在下面使用此代码

function SanitizeUrl($url) {
    if ('' == $url) {
        return $url;
    }
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url); 
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
    $url = str_replace(';//', '://', $url);
    $url = htmlentities($url);
    $url = str_replace('&', '&', $url);
    $url = str_replace("'", ''', $url);
    if ($url[0] !== '/') {
        return '';
    } else {
        return $url;
    }
}

上面的功能是针对 PHP SELF ex 的保护

然后使用它

SanitizeUrl($_SERVER['PHP_SELF']);

现在为实际的登录功能

我建议在您的登录名中使用电子邮件然后使用用户名,主要是因为您的电子邮件不是唯一的!

function Login($email, $password, $link) {
    if (empty($username) || empty($password)) {
        // A field is empty
        return false;
    } else {
        $sql = "SELECT `id`,`username`,`password` FROM `users` WHERE `email` = ?";
        if ($stmt = $link->prepare($sql)) {
            $stmt->bind_param('s', $email);
            $stmt->execute();
            $stmt->store_result();
            if ($stmt->num_rows == 1) {
                $stmt->bind_result($db_id, $db_username, $db_password);
                $stmt->fetch();
                if (BruteForce($db_id, $link) === false) {
                    $password = Encrypt($password);
                    if ($password == $db_password) {
                        // LOGGED IN, SET SESSION VARS
                        return true;
                    } else {
                        // Store Attempt
                        StoreAttempt($user_id, $link);
                        return false;
                    }
                } else {
                    return false
                }
            } else {
                return false;
            }
        } else {
            return false;
        }
    }
}

然后在行动中使用它

SessionSecure();

if (isset($_POST['DoLogin'])) {
   $email = $_POST['login-email'];
   $password = $_POST['login-password'];
   if (Login($email, $password, $link) === true) {
       // Logged in Redirect now!
   } else {
       // Login failed
   }
}

随意使用此代码!!!:)

于 2015-11-01T16:36:21.403 回答