PHP: password hashing problem when checking the user during login
Hey, I was recently told that md5 is not sufficient for passwords, so I have started changing that. Currently, this is the code of my registration script:
<?
session_start();
include 'db.php';
// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$username = $_POST['username'];
$email_address = $_POST['email_address'];
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];
/* Let's strip some slashes in case the user entered
any escaped characters. */
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$username = stripslashes($username);
$email_address = stripslashes($email_address);
if((!$username) || (!$email_address)){
echo 'You did not submit the following required information! <br />';
if(!$username){
echo "Username is a required field. Please enter it below.<br />";
}
if(!$email_address){
echo "Email Address is a required field. Please enter it below.<br />";
}
include 'register.html'; // Show the form again!
/* End the error checking and if everything is ok, we'll move on to
creating the user account */
exit(); //if the error checking has failed, we'll exit the script!
}
if ( $password <> $confirm_password ){
echo "<br /><strong><div style=color:#FF0000;><center>Password and confirm password do not match!<BR></center></div></strong>";
include 'register.html';
exit();
}
/* Let's do some checking and ensure that the user's email address or username
does not exist in the database */
$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);
if(($email_check > 0) || ($username_check > 0)){
echo "<br /><div style=color:#FF0000;><center>Please fix the following errors: </div><br /><br />";
if($email_check > 0){
echo "<strong><div style=color:#FF0000;><center>Your email address has already been used by another member in our database. Please submit a different Email address!</div><br />";
unset($email_address);
}
if($username_check > 0){
echo "<strong><div style=color:#FF0000;><center>The username you have selected has already been used by another member in our database. Please choose a different Username!</div><br />";
unset($username);
}
include 'register.html'; // Show the form again!
exit(); // exit the script so that we do not create this account!
}
/* Everything has passed both error checks that we have done.
It's time to create the account! */
$db_password = password_hash($password, PASSWORD_DEFAULT);
// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, signup_date)
VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', now())") or die (mysql_error());
if(!$sql){
echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
$userid = mysql_insert_id();
// Let's mail the user!
$subject = "Activation";
$message = "Dear $first_name $last_name,
Thank you for registering
To activate your membership, please click here: http://activate.php?id=$userid&code=$db_password
Once you activate your memebership, you will be able to login with the following information:
Username: $username
Password: $password
This is the first step towards a steady income from sports betting. Congratulations!
Thanks!
The Team
This is an automated response, please do not reply!";
mail($email_address, $subject, $message, "From: Activation<activation@y.com>\nX-Mailer: PHP/" . phpversion());
echo "<br /><div style=color:#0000FF;><center>Your membership information has been mailed to your email address! Please check it and follow the directions!</div>";
include 'login.html';
}
?>
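As you said, you are storing the password as an encrypted value. So when querying, the password must be generated with the same encryption mechanism before it is applied to the query.
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='" . fun($password) . "' AND activated='1'");
where fun() is the encryption function.

Check your password_verify: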
if (password_verify($password, $db_password)) {
// Success!
}
else {
echo "Invalid Credentials";
include 'login.html';
exit();
}
Use password_verify() to check passwords that were hashed with the password_hash() function.

Try this:
$hash = password_hash($password, PASSWORD_BCRYPT);
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
password='$hash' AND activated='1'");
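In this part you are checking whether the username, password and activation are correct, but if you have two rows it will still set the session, while you only want one user. Instead of '>0', use '==1'. The if statement is then executed if there is only one record.

1. Your code is very vulnerable to SQL injection; even the strongest hashing algorithm in this world is not enough to save your website. 2. Which version of PHP are you using?
Just updated to 5.5 - I guess I'll look into SQL injection now as well. Do you have any input on what I'm missing here? I'd like to understand this first before moving on to SQL injection.
In the if condition you use if (password_verify($password, $db_password)) {. Where does $db_password come from and what does it contain?
$db_password = password_hash($password, PASSWORD_DEFAULT); this is the hashed password that is entered into the database.
I don't understand what you mean.
Check: you only added a comment in this block: if (password_verify($password, $db_password)) { // Success! }
You might want to check this post.
I tried this and now I get this: Warning: password_verify() expects exactly 2 parameters, 1 given, Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in
Still getting: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in
Could this have something to do with $db_password? I'm not storing it in the database; is that something I need to do? I'm very confused here. So I take the password from the user, then encrypt it and save that value as db_password, then send it to the db. Should I store $password in the database as well?
Do I need to pull out the hashed password saved in the database and assign it to the variable $db_password before running this line? $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='" . password_verify($password, $db_password) . "' AND activated='1'");

This gives me an error on the line below it: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in checkuser on line 19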
$hash = password_hash($password, PASSWORD_BCRYPT);
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND
password='$hash' AND activated='1'");
if($login_check > 0){
// code
}
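
Added example, not part of the original thread: the login check that password_verify() is designed for. The row is looked up by username only, through a prepared statement, and the submitted password is then verified against the stored hash. It assumes PDO with an in-memory SQLite database and a constructed user so that it runs stand-alone; register_user() and check_login() are hypothetical names.

```php
<?php
// Added example: constructed schema and user; register_user()/check_login() are hypothetical names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,      -- password_hash() output, never the plaintext
    activated INTEGER NOT NULL DEFAULT 0
)');

function register_user(PDO $pdo, $username, $password)
{
    // password_hash() picks a fresh random salt on every call, so the same
    // password never produces the same string twice.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password, activated) VALUES (?, ?, 1)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $pdo, $username, $password)
{
    // Select by username only; a salted hash cannot be matched inside the WHERE clause.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown or not yet activated user
    }
    // password_verify() reads the algorithm, cost and salt from the stored hash.
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since signup.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

register_user($pdo, 'alice', 'correct horse battery staple');
var_dump(check_login($pdo, 'alice', 'correct horse battery staple')); // matching password
var_dump(check_login($pdo, 'alice', 'wrong password'));               // non-matching password
// Hashing the same input twice and comparing the strings, as the failing query does:
var_dump(password_hash('x', PASSWORD_DEFAULT) === password_hash('x', PASSWORD_DEFAULT));
```

The last line shows why a query of the form password='$hash' returns no rows: each password_hash() call yields a different string for the same password, so the comparison has to be done by password_verify() in PHP after the row is fetched.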