2

我有一个正在运行的简单身份验证脚本,但我发现对于具有密码 admin 的用户 admin,具有密码 ADMIN 的用户 ADMIN 也可以登录。如何使此脚本区分大小写。我也知道可以做的加密,以便密码不存储为文本,只需要弄清楚如何使这个大小写敏感。

        if($_SERVER['REQUEST_METHOD'] == "POST" &&  mysql_real_escape_string($_POST['username'])!="" && mysql_real_escape_string($_POST['password']) !="") { // receive form sent via POST method

        $username = mysql_real_escape_string($_POST['username']); // prevent sql injection by using  "mysql_real_escape_string()"
        $password = mysql_real_escape_string($_POST['password']);
        $data = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

    if(mysql_num_rows($data) >0) {   // if the query returns a result then create session variables to show user is authenticated
      $_SESSION['logged'] = 1;
      $_SESSION['user'] = $username;
    }
  }
4

9 回答 9

8

您可以使用BINARY 类型来强制区分大小写:

"SELECT * FROM users WHERE BINARY username='$username' AND password='$password'"

应该注意的是 mysql_ 函数已被弃用。您应该切换到 mysqli 或 PDO 并使用准备好的语句。

于 2013-05-24T02:50:25.580 回答
2

首先,你真的应该散列密码。大小写的变化会给你一个不同的哈希,这样就可以解决问题。

如果您想以区分大小写的方式比较用户名,您可能还希望以这种方式存储它们并能够为登录名“foo”和“Foo”创建不同的用户。这是可能的,但您需要更改数据库表。更具体地说,您需要更改用户名列的列类型以包含字符集和排序规则

ALTER TABLE users MODIFY COLUMN username VARCHAR(64) CHARACTER SET 'latin1' COLLATION 'latin1_general_cs';
于 2013-05-24T05:38:23.427 回答
2

您需要将密码字段的排序规则设置为一个尾随“cs”而不是“ci”的值

“latin1_swedish_cs”而不是“latin1_swedish_ci”

ci 表示不区分大小写,cs 表示区分大小写

于 2013-05-24T06:00:41.797 回答
1

除非有理由不这样做,否则散列密码(我相信 MD5 仍然可以接受,尽管首选 SHA-256)。散列在传递流量时会产生一层安全性,因为需要强力解码它们。它还将大写 A 和小写 a 存储为不同的哈希值,因此它可以处理区分大小写的问题。

如果没有,您需要在密码字段上使用区分大小写的关联。

于 2013-05-24T02:50:26.640 回答
0

使用 PHP 比较查询返回的用户名和密码,区分大小写。

if(mysql_num_rows($data) >0) {   // if the query returns a result then create session variables to show user is authenticated
  $row = mysql_fetch_assoc($data);
  if ($row['username'] == $_POST['username'] && $row['password'] == $_POST['password']) {
    $_SESSION['logged'] = 1;
    $_SESSION['user'] = $username;
  }
}
于 2013-05-24T03:43:36.940 回答
0

只需更改latin1_general_cs在您的数据库中归档的用户名和密码的集合。

于 2014-04-25T03:51:28.303 回答
0
<?php
// user input

$username="abc";
$password="123";

$sql=SELECT username,password FROM tablename WHERE username='".$username."' AND password ='".$password."' limit 1
$result=mysqli_query($coni,$sql);
if(!mysqli_num_rows($result) == 1)
{
    echo "not found";
}
else
{
    while ($row=mysqli_fetch_array($result)) 
    { 
        $getu=$row[0];
        $getp=$row[1];
    }
    if($username===$getu && $password===$getp)
    {
        echo "username".$getu." password".$getp;
        echo "Login success";
    }
    else
    {
        echo "no";
    }
}
?>
于 2016-07-23T06:26:23.350 回答
0

该程序确定存在的用户名或电子邮件未被验证。此代码是 JSON 格式的服务器响应。能够通过在语句中使用 WHERE BINARY 来比较区分大小写。

<?php
require "main.php";
$response = array();
$num = 0;

if($_SERVER['REQUEST_METHOD']=='POST'){
if(isset($_POST['username']) and
    isset($_POST['email']) and
        isset($_POST['password'])){

            $username= $_POST["username"];
            $password= $_POST["password"];
            $email= $_POST["email"];


            $mysql_qry = "select * from users where binary username like '$username' and binary email like '$email'";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 ){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Username and Email is already exists!";
                $num = 1;
            }

            $mysql_qry = "select * from users where binary username like '$username'";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 && $num == 0){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Username is already exists!";
                $num = 1;
            }

            $mysql_qry = "select * from users where binary email like '$email';";
            $result = mysqli_query($conn ,$mysql_qry);

            if(mysqli_num_rows($result) > 0 && $num == 0){
                //User already exists, choose different username or email!
                $response['error'] = true;
                $response['message'] = "Email is already exists!";
                $num = 1;
            }


            if($num == 0){
                $mysql_qry = "insert into users (username, password, email) values ('$username', '$password', '$email')";

                if($conn->query($mysql_qry) === TRUE ){
                    //Registration Successful!
                    $response['error'] = true;
                    $response['message'] = "Registration Successful!";
                }else{
                    //Registration Failed!
                    $response['error'] = true;
                    $response['message'] = "Registration Failed!";
                }
            }   
}else{
    //Require fields are missing!
    echo "missing";
}   
}else{
//Invalid Request!
echo "invalid";
}

echo json_encode($response);
?>
于 2017-08-22T15:40:05.097 回答
0

使用 PHP 的password_hash()功能,不应该出现区分大小写的问题,因为它会处理这个问题。

于 2018-07-25T19:04:57.593 回答