-2
我已經爲我的網站創建了註冊表單和登錄表單。一切工作正常,除了這一點:當試圖登錄到我的網站,我不得不輸入加密的密碼,而不是我實際輸入的密碼。我有註冊表格鹽漬和一切,所以我會讓它,使用戶可以用他實際輸入的密碼登錄? 感謝註冊表單錯誤?
Register.php
<?php
include 'header inc.php';
$error = "";
if (@$_POST['register']) {
$firstname = strip_tags($_POST['firstname']);
$lastname = strip_tags($_POST['lastname']);
$username = strip_tags($_POST['username']);
$email = strip_tags($_POST['email']);
$password1 = strip_tags($_POST['password']);
$password2 = strip_tags($_POST['passwordrepeat']);
$day = strip_tags($_POST['day']);
$month = strip_tags($_POST['month']);
$year = strip_tags($_POST['year']);
$dob = "$day/$month/$year";
if ($firstname == '') {
echo "Firstname cannot be left empty.";
}
else if ($lastname == '') {
echo "Lastname cannot be left empty.";
}
else if ($username == '') {
echo "Username cannot be left empty.";
}
else if ($email == '') {
echo "Email cannot be left empty.";
}
else if ($password1 == '') {
echo "Password cannot be left empty.";
}
else if ($password2 == '') {
echo "Repeat Password cannot be left empty.";
}
else if ($day == '') {
echo "The day you were born cannot be left empty.";
}
else if ($month == '') {
echo "The month you were born cannot be left empty.";
}
else if ($year == '') {
echo "The year you were born cannot be left empty.";
}
else {
//Check the username doesn't already exist
$check_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$numrows_username = mysql_num_rows($check_username);
if ($numrows_username != 0) {
echo 'That username has already been registered.';
}
else
{
$check_email = mysql_query("SELECT email FROM users WHERE email='$email'");
$numrows_email = mysql_num_rows($check_email);
if ($numrows_email != 0) {
$error = 'That email has already been registered.';
}
else
{
$salt1 = "francis";
$salt1 = md5($salt1);
$salt2 = "cookie";
$salt2 = md5($salt2);
$salt3 = "php";
$salt3 = md5($salt3);
$password1 = $salt1.$password1.$salt3;
$password1 = md5($password1.$salt2);
$password2 = $salt1.$password2.$salt3;
$password2 = md5($password2.$salt2);
if ($password1 != $password2) {
$error = 'The passwords don\'t match!';
}
else
{
//Register the user
$register = mysql_query("INSERT INTO users VALUES('','$firstname','$lastname','$username','$email','$password1','$dob','no')");
die('Regsitered successfully!');
}
}
}
}
}
?>
<html>
<head></head>
<body>
<h2 style="color:#848484;">Create Your Account</h2>
<form action='join.php' method='POST'>
<input type='text' name='firstname' onclick='value="" ' id='username1'/><p />
<input type='text' name='lastname' onclick='value=""'id='username1'/><p />
<input type='text' name='username'onclick='value=""'id='username1'/><p />
<input type='text' name='email' onclick='value=""'id='username1'/><p />
<input type='text' name='password' onclick='value=""'id='username1'/><p />
<input type='text' name='passwordrepeat' onclick='value=""'id='username1'/><p />
<input type='text' name='day' value='' size='3' maxlength='2' onclick='value=""'id='username1'/>
<input type='text' name='month' value='' size='6' maxlength='2' onclick='value=""'id='username1'/>
<input type='text' name='year' value='' size='4' maxlength='4' onclick='value=""'id='username1'/><p />
<input type='submit' name='register' value='Create Your Account'id='submit1' />
<?php echo $error; ?>
</form>
</body>
的login.php
<?php
include ('header inc.php');
if (isset($_POST['username'])&&($_POST['password'])) {
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$check_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$numrows = mysql_num_rows($check_username);
if ($numrows != 1) {
echo 'That User doesn\'t exist.';
}
else
{
$check_password = mysql_query("SELECT password FROM users WHERE password='$password' && username='$username'");
while ($row = mysql_fetch_assoc($check_password)) {
$password_db = $row['password'];
if ($password_db == $password) {
$_SESSION['username'] = $username;
header("Location: template.php");
}
}
}
}
?>
<h2 style="color:#848484;">    Login to Your Account</h2>
           <form action='login.php' method='POST'>
           <input type='text' name='username' id="username1"/><p />
           <input type='password' name='password' id="username1"/><p />
           <input type='submit' name='submit' value='Login to my Account' id="submit1" />
</form>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
讓我們來看看... sql注入漏洞,無效的html實體,使用'@'錯誤抑制,無法重新散列輸入到登錄表單中的密碼,使用已棄用/過時的mysql庫...我應該去上? –
1)你明白*爲什麼你要密碼? 2)您需要散列輸入的密碼並將其與數據庫中的散列進行比較以進行驗證。 3)你做錯了鹽,你需要爲每個密碼使用隨機鹽。 4)密碼散列時MD5被破壞。 5)使用PHP的密碼散列函數:http://php.net/password_hash – deceze
代碼如何修復所有這些/ – user3025939