通过MYSQL验证PHP密码的麻烦

我正在研究一个项目，我遇到了一个我认为是一个简单的修复程序，我只是没有看到它。通过MYSQL验证PHP密码的麻烦

你可以看一下现场站点www.thriftstoresa.com的问题是与登录页面（http://www.thriftstoresa.com/Login.php）

有效的用户名是“无”，它的密码是“密码”。

我遇到的问题是我总是返回'不正确的密码，请再试一次。'

任何援助将不胜感激。正如你可能知道的，我是PHP新手。谢谢

<!doctype html> 
<html> 
<head> 
<meta charset="UTF-8"> 
<title>Acme Online</title> 

<script src="formenhance.js"></script> 

<style type="text/css"> 
<!-- 
p.MsoNormal { 
margin:0in; 
margin-bottom:.0001pt; 
font-size:12.0pt; 
font-family:Cambria; 
} 
--> 
</style> 
<link href="styles/main.css" rel="stylesheet" type="text/css"> 

</head> 

<body> 
<?php // Connect to Database 
mysql_connect(LEFT OUT OF THE CODE ON PURPOSE) or die(mysql_error()); 
mysql_select_db('thriftstoresa.com') or die(mysql_error()); 

//Checks if there is a login cookie 
if(isset($_COOKIE['ID_my_site'])) 
//if there is, it logs you in and directs to the catalog page 
{ 
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site']; 
    $check = mysql_query("SELECT * FROM acme WHERE Username = '$username'")or die(mysql_error()); 
while($info = mysql_fetch_array($check)) 
    { 
    if ($pass != $info['password']) 
     { 
        } 
    else 
     { 
     header("Location: catalog.php"); 
     } 
    } 
} 

//if the login form is submitted 
if (isset($_POST['submit'])) { // if form has been submitted 
// makes sure they filled it in 
    if(!$_POST['username'] | !$_POST['pass']) { 
     die('You did not fill in a required field.'); 
    } 

// checks it against the database 
    if (!get_magic_quotes_gpc()) { 
     $_POST['email'] = addslashes($_POST['email']); 
    } 
    $check = mysql_query("SELECT * FROM acme WHERE Username = '".$_POST['username']."'")or  die(mysql_error()); 

//Gives error if user doesn't exist 
$check2 = mysql_num_rows($check); 
if ($check2 == 0) { 
     die('That user does not exist in our database. <a href=contact.php>Click Here to Register</a>'); 
      } 
while($info = mysql_fetch_array($check))  
{ 

$_POST['pass'] = stripslashes($_POST['pass']); 
    $info['password'] = stripslashes($info['password']); 
    $_POST['pass'] = md5($_POST['pass']); 

//gives error if the password is wrong 
    if ($_POST['pass'] != $info['password']) { 
     die('Incorrect password, please try again.'); 
    } 
else 
{ 

// if login is ok then we add a cookie 
$_POST['username'] = stripslashes($_POST['username']); 
$hour = time() + 3600; 
setcookie(ID_my_site, $_POST['username'], $hour); 
setcookie(Key_my_site, $_POST['pass'], $hour); 

//then redirect them to the members area 
header("Location: contact.php"); 
} 
} 
} 
else 
{ 
// if they are not logged in 
?> 


<div id="wrapper"> 
    <section id="leftcolumn"> 
    <nav id="navigation"><li><a href="#">Login</a></li> 
         <li><a href="catalog.php">Catalog</a></li> 
         <li><a href="contact.php">Contact Us</a></li> 
    </nav> 
    </section> 
    <section id="main"> 
    <div align="center"><img src="images/ACMELogo.png" width="225" height="70" alt=""/></div> 
    <article id="catalogofitems"> 
     <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span  style="font-family:Arial;">Please Log In</span></p> 
     <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;">&nbsp;</p> 
     <p class="MsoNormal" align="center" style="text-align:center;border:none;padding:0in;"><span  style="font-family:Arial; ">____________________________________</span></p> 
     <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times;  ">&nbsp;</span></p> 

     <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> 

     <p><strong>Member Login</strong></p> 
     <p> 
      <label for="textfield">Username:</label> 
      <input name="username" type="text" size="25" maxlength="22"> 
     </p> 
     <p> 
      <label for="password">Password:</label> 
     <input name="pass" type="password" size="25" maxlength="22"> 

     </p> 
     <p> 
      <input name="submit" type="submit" id="Login" value="Login"> 
     </form> <?php }  ?> 
     </p> 
     <p><strong><a href="contact.php">Create an Account</a></strong></p> 
     </form> 
     <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p> 
     <form id="form1" name="form1" method="post"> 
     <div align="center"></div> 
     </form> 
     <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p> 
     <p class="MsoNormal" align="center" style="text-align:center;">&nbsp;</p> 
     <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">ACME Corp</span></p> 
     <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">Trademark of the ACME Company and Distribution</span></p> 
     <p class="MsoNormal" align="center" style="text-align:center;"><span style="font-family:Times; font-size:8.0pt; ">1920-2013, a part of  Road Runner Conglomerate</span></p> 
     <p class="MsoNormal" align="center" style="text-align:center;"></p> 
    </article> 
    </section> 
     <section id="rightcolumn"><img src="images/Wiley_ACME_LOGO.jpg" width="315" height="234" alt=""/>  </section> 
</div> 
</body> 
</html>

来源

2014-11-21 86Tango

你有一个'|'在'$ _ POST [失踪'用户名'] | ！$ _ POST ['pass']）'应该读为'$ _POST ['username'] || ！$ _ POST ['pass']）' - 以此开始。 – 2014-11-21 21:42:53

你永远不应该告诉未经身份验证的网站访问者，不管它是用户名还是密码不正确。另外，在获取结果集之前，已知'mysql_num_rows（）'是不可靠的。另外，'acme'表中'password'列的数据类型是什么，当用户更改密码时这些值是如何设置的？另外，请阅读http://php.net/manual/en/function.password-hash.php，并考虑停止使用'md5（）'进行密码散列。这些日子来破解是微不足道的。 – 2014-11-21 21:50:51

谢谢Fred -ii-我错过了。和Ollie琼斯，数据类型是Varchar – 86Tango 2014-11-21 21:59:47

你应该考虑使用像https://github.com/auraphp/Aura.Auth之类的东西。您已经展示的代码正在引发更多问题，正如tadman在评论中提到的那样。

来源

2014-11-22 16:21:50

所以我会指出一些我看到的可以帮助你的东西。首先如果你只是学习php然后忘记mysql并学习mysqli。因为它将不再存在于较新的PHP版本中。这就是说让我们看看你有什么。

//cookie only when they have entered in a correct login and password 
$username = $_COOKIE['ID_my_site']; 
$pass = $_COOKIE['Key_my_site']; 
//needs to have another `|` 
if(!$_POST['username'] || !$_POST['pass']) { 
//here your checking md5($_POST['password']) against $info['password'] 
if ($_POST['pass'] != $info['password']) { //is info password md5() hashed?

这里有一个建议，这可能节省了一些时间在你的代码

$sql="SELECT * FROM users WHERE email=\"".$email."\" AND md5(password)=\"".md5($password)."\""; 
    $query=mysql_query($sql); 
    if(mysql_num_rows($query)==0) 
    { 
     echo "Incorrect Login"; 
    } 
    else 
    { 
     $row = mysql_fetch_array($query); 
     //set your cookies here 
     $username = $_COOKIE['ID_my_site']; 
     $pass = $_COOKIE['Key_my_site']; 
     $_SESSION['user_id-'.$_SERVER['SERVER_NAME']]=mysql_result($query,0); 
     //set a session of logged in by your server name and mysql_result and i would use an identifying ID number for every user. 
     echo "Successfully Logged In"; 
    } 
//to check if some one is logged in 
if(!empty($_SESSION['user_id-'.$_SERVER['SERVER_NAME']])) redirect("index.php?action=alreadyloggedin"); 
//session variable can be w/e you want

我也不会用MD5和而SHA1

来源

2017-03-15 02:52:23 DarkSideKillaz

通过MYSQL验证PHP密码的麻烦

回答

相关问题