1
之前工作正常我已經重置了我的數據庫並註冊了,我們向散列添加了隨機鹽,並且註冊腳本工作正常,我們可以使用相同的密碼創建帳戶和帳戶,並且他們擁有不同的哈希值,但我們的登錄腳本是壞了,沒有登錄用戶,說他們的密碼不正確。將哈希加入鹽後無法使登錄腳本生效;在
不知道爲什麼 - 我們花了最後2個小時試圖修復它。我們使用了PHP錯誤檢查器(https://phpcodechecker.com/),沒有錯。
我們正在運行舊版本的PHP(5.6)和MySQL,並且當前無法更改。
<?php
ob_start();
session_start();
require_once 'dbconnect.php';
// it will never let you open index(login) page if session is set
if (isset($_SESSION['user'])!="") {
header("Location: index.php");
exit;
}
$error = false;
if(isset($_POST['btn-login'])) {
// prevent sql injections/ clear user invalid inputs
$email = trim($_POST['email']);
$email = strip_tags($email);
$email = htmlspecialchars($email);
$name = trim($_POST['name']);
$name = strip_tags($name);
$name = htmlspecialchars($name);
$pass = trim($_POST['pass']);
$pass = strip_tags($pass);
$pass = htmlspecialchars($pass);
// prevent sql injections/clear user invalid inputs
if(empty($name)){
$error = true;
$nameError = "Please enter your username.";
}
if(empty($pass)){
$error = true;
$passError = "Please enter your password.";
}
$res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
$row=mysql_fetch_array($res);
$row['userSalt']=$salt1;
$row['userSalt2']=$salt2;
// if there's no error, continue to login
if (!$error) {
$passwordHash = hash('sha256', $salt1 . $password . $salt2); // password hashing using SHA256
//$res=mysql_query("SELECT userId, userEmail, userPass, userSalt, userSalt2 FROM users WHERE userName='$name'");
//$row=mysql_fetch_array($res);
$count = mysql_num_rows($res); // if email/pass correct it returns must be 1 row
if($count == 1 && $row['userPass']==$passwordHash) {
$_SESSION['user'] = $row['userId'];
header("Location: dashboard.php");
} else {
$errMSG = "Incorrect Credentials, Try again...";
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<script src="//code.jquery.com/jquery-1.10.2.js"></script>
<script>
$(function(){
$("#overallhead").load("overall_header.php");
$("#overallfoot").load("overall_footer.html");
});
</script>
<style>
body {
color: Thistle;
}
</style>
<div id="overallhead"></div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Creature Paradise</title>
<link rel="stylesheet" href="assets/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div class="container">
<div id="login-form">
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">
<div class="col-md-12">
<div class="form-group">
<h2 class="">Login</h2>
</div>
<div class="form-group">
<hr />
</div>
<?php
if (isset($errMSG)) {
?>
<div class="form-group">
<div class="alert alert-danger">
<span class="glyphicon glyphicon-info-sign"></span> <?php echo $errMSG; ?>
</div>
</div>
<?php
}
?>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span></span>
<input type="name" name="name" class="form-control" placeholder="Your Username" value="<?php echo $name; ?>" maxlength="40" />
</div>
<span class="text-danger"><?php echo $nameError; ?></span>
</div>
<div class="form-group">
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-lock"></span></span>
<input type="password" name="pass" class="form-control" placeholder="Your Password" maxlength="15" />
</div>
<span class="text-danger"><?php echo $passError; ?></span>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<button type="submit" class="btn btn-block btn-primary" name="btn-login">Sign In</button>
</div>
<div class="form-group">
<hr />
</div>
<div class="form-group">
<a href="register.php">Don't have an account? Sign up here! </a>
</div>
</div>
</form>
</div>
</div>
<div id="overallfoot"></div>
</body>
</html>
<?php ob_end_flush(); ?>
大量的代碼了新賬戶,新的哈希:減少對相關部分請 –
沒有你正在使用會停止SQL注入功能,你正在改變實際的密碼值與這些功能。 '用戶名'也是唯一的嗎?另外5.6支持'mysqli','pdo'和'password_hash' /'password_verify'。 – chris85