-1
我发现这个forum thread做一个登录和注册系统,但它不检查密码是否正确,只有用户名。PHP登录不检查密码
这是我的登录页面代码:
<?php
include('config.php');
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
// username and password sent from Form
$emailusername = mysqli_real_escape_string($obj->conn,$_POST['emailusername']);
$password = mysqli_real_escape_string($obj->conn,$_POST['password']);
$password = md5($password);
$sql="SELECT uid FROM users WHERE username='$emailusername' or email = '$emailusername' and password='$password'";
$result=mysqli_query($obj->conn,$sql);
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$active=$row['active'];
$count=mysqli_num_rows($result);
// If result matched $username and $username, table row must be 1 row
if($count==1)
{
$_SESSION['login_user'] = $emailusername;
header("location: index.php");
}
else
{
$error="<div style ='color:#c53131'>Your Login Name or Password is invalid</div>";
}
}
?>
</div>
<form class="fl" action="login.php" method="post">
<label>Username:</label><br/>
<input type="text" name="emailusername"/><br />
<br/>
<label>Password:</label><br/>
<input type="password" name="password"/>
<input type="submit" value=" Submit "/><br />
</form>
这是我使用的表格:
"uid INT(11) PRIMARY KEY AUTO_INCREMENT,".
"username VARCHAR(30) UNIQUE,".
"password VARCHAR(50),".
"name VARCHAR(100),".
"email VARCHAR(70) UNIQUE); ";
我新的PHP和不知道如何使它检查,如果密码是正确还是不正确。有什么建议么?
http://php.net/manual/en/function.password-verify.php – Trilarion
停止。即使你得到这个工作:这是原始代码,所以你应该投资于这个问题是值得怀疑的。这里有一些问题,但有一点真的会突然出现:“密码永远不应该存储在数据库中”。这是没有理由的,你只是通过这个创造了一个巨大的安全问题。 – arkascha
您是否听说过运营商优先级? – Neil