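Trouble validating a PHP password via MySQL
I am working on a project and I have run into what I believe is a simple fix that I am just not seeing.
You can take a look at the live site www.thriftstoresa.com; the problem is with the login page (http://www.thriftstoresa.com/Login.php)
A valid username is 'none' and its password is 'password'.
The problem I am having is that I always get back 'Incorrect password, please try again.'
Any assistance would be greatly appreciated. As you can probably tell, I am new to PHP. Thanks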
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Acme Online</title>
<script src="formenhance.js"></script>
<style type="text/css">
<!--
p.MsoNormal {
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Cambria;
}
-->
</style>
<link href="styles/main.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php // Connect to Database
mysql_connect(LEFT OUT OF THE CODE ON PURPOSE) or die(mysql_error());
mysql_select_db('thriftstoresa.com') or die(mysql_error());
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs to the catalog page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM acme WHERE Username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array($check))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: catalog.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM acme WHERE Username = '".$_POST['username']."'")or die(mysql_error());
//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=contact.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array($check))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
die('Incorrect password, please try again.');
}
else
{
// if login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
//then redirect them to the members area
header("Location: contact.php");
}
}
}
else
{
// if they are not logged in
?>
<div id="wrapper">
<section id="leftcolumn">
<nav id="navigation"><li><a href="#">Login</a></li>
<li><a href="catalog.php">Catalog</a></li>
<li><a href="contact.php">Contact Us</a></li>
</nav>
</section>
<section id="main">
<div align="center"><img src="images/ACMELogo.png" width="225" height="70" alt=""/></div>
<article id="catalogofitems">
<p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span style="font-family:Arial;">Please Log In</span></p>
<p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"> </p>
<p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span style="font-family:Arial; ">____________________________________</span></p>
<p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; "> </span></p>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<p><strong>Member Login</strong></p>
<p>
<label for="textfield">Username:</label>
<input name="username" type="text" size="25" maxlength="22">
</p>
<p>
<label for="password">Password:</label>
<input name="pass" type="password" size="25" maxlength="22">
</p>
<p>
<input name="submit" type="submit" id="Login" value="Login">
</form> <?php } ?>
</p>
<p><strong><a href="contact.php">Create an Account</a></strong></p>
</form>
<p class="MsoNormal" align="center" style="text-align:center;"> </p>
<form id="form1" name="form1" method="post">
<div align="center"></div>
</form>
<p class="MsoNormal" align="center" style="text-align:center;"> </p>
<p class="MsoNormal" align="center" style="text-align:center;"> </p>
<p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">ACME Corp</span></p>
<p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">Trademark of the ACME Company and Distribution</span></p>
<p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">1920-2013, a part of Road Runner Conglomerate</span></p>
<p class="MsoNormal" align="center" style="text-align:center;"></p>
</article>
</section>
<section id="rightcolumn"><img src="images/Wiley_ACME_LOGO.jpg" width="315" height="234" alt=""/> </section>
</div>
</body>
</html>
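You have a '|' missing in '$_POST['username'] | !$_POST['pass'])'; it should read '$_POST['username'] || !$_POST['pass'])' - start with that. – 2014-11-21 21:42:53
You should never tell an unauthenticated site visitor whether it was the username or the password that was incorrect. Also, 'mysql_num_rows()' is known to be unreliable before the result set has been fetched. Also, what is the data type of the 'password' column in the 'acme' table, and how are those values set when users change their passwords? Also, please read http://php.net/manual/en/function.password-hash.php and consider stopping using 'md5()' for password hashing. It is trivial to crack these days. – 2014-11-21 21:50:51
Thanks Fred -ii- I missed that. And Ollie Jones, the data type is Varchar – 86Tango 2014-11-21 21:59:47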
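
The advice in the second comment (stop using md5(), and do not reveal whether the username or the password was wrong), shown as an added PHP example; this is not the asker's code or any commenter's. The table and column names come from the question, while the in-memory SQLite database, the sample users, DUMMY_HASH and the authenticate() function are assumptions made so the sketch runs on its own.

```php
<?php
// Added example. Assumed: in-memory SQLite, sample users, authenticate(), DUMMY_HASH.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The PHP manual advises a 255-character column so longer future hashes still fit.
$pdo->exec('CREATE TABLE acme (Username VARCHAR(22) PRIMARY KEY, password VARCHAR(255))');
$ins = $pdo->prepare('INSERT INTO acme (Username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(['bob', md5('legacy-secret')]); // constructed legacy row, MD5 as in the question

// Hash used only to spend comparable time when the user does not exist.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM acme WHERE Username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // A bare 32-character hex string is treated as a legacy MD5 digest.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    // After a successful login, replace legacy or outdated hashes in place.
    if ($ok && ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $pdo->prepare('UPDATE acme SET password = ? WHERE Username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

$attempts = [['alice', 'correct horse'], ['bob', 'legacy-secret'], ['bob', 'wrong'], ['nobody', 'x']];
foreach ($attempts as [$user, $pass]) {
    // One message for every failure: no hint whether the name or the password was wrong.
    $result = authenticate($pdo, $user, $pass) ? 'Login OK' : 'Invalid username or password.';
    echo $user, ': ', $result, PHP_EOL;
}
```

The sketch keeps no login state; PHP's built-in sessions can carry that instead of a cookie holding the username and the password hash.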