Php 由于密码字段,注册失败错误?
我的应用程序在尝试使用用户名和密码注册时收到Php 由于密码字段,注册失败错误?,php,json,afnetworking,Php,Json,Afnetworking,我的应用程序在尝试使用用户名和密码注册时收到注册失败错误。这些是正在使用的函数 index.php(尝试使用任何用户名或密码注册时收到注册失败警报) api.php // register API function register($user, $pass) { //check if username exists in the database (inside the "login" table) $login = query("SELECT username FROM login WHE
注册失败
错误。这些是正在使用的函数
index.php(尝试使用任何用户名或密码注册时收到注册失败
警报)
api.php
// register API
function register($user, $pass) {
//check if username exists in the database (inside the "login" table)
$login = query("SELECT username FROM login WHERE username='%s' limit 1", $user);
if (count($login['result'])>0) {
//the username exists, return error to the iPhone app
errorJson('Username already exists');
}
//try to insert a new row in the "login" table with the given username and password
$result = query("INSERT INTO login(username, pass) VALUES('%s','%s')", $user, $pass);
if (!$result['error']) {
//registration is susccessfull, try to also directly login the new user
login($user, $pass);
} else {
//for some database reason the registration is unsuccessful
errorJson('Registration failed');
}
}
//login API
function login($user, $pass) {
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
if (count($result['result'])>0) {
// a row was found in the database for username/pass combination
// save a simple flag in the user session, so the server remembers that the user is authorized
$_SESSION['IdUser'] = $result['result'][0]['IdUser'];
// print out the JSON of the user data to the iPhone app; it looks like this:
// {IdUser:1, username: "Name"}
print json_encode($result);
} else {
// no matching username/password was found in the login table
errorJson('Authorization failed');
}
}
奇怪的是,当index.php
中的密码参数更改为任何像register这样的随机字符串($\u POST['username'],$\u POST['u any\u random\u string'))时,注册和登录过程就会工作;
唯一的问题是密码没有插入到数据库中,用户可以使用选定的用户名和任何伪造的密码登录
case "login":
//authenticates user but password isn't uploaded
login($_POST['username'], $_POST['_Any_Random_String']);
break;
//authenticates user but password isn't uploaded
case "register":
register($_POST['username'], $_POST['_Any_Random_String']);
break;
编辑上述代码允许用户joey
使用用户名joey
和输入的任何密码注册和登录。如果joey使用密码1234
注册,即使他使用密码1234
注册,他也可以在登录时使用密码12345678
或任何密码登录。此外,密码1234
或密码字段中的任何输入都不会存储到数据库中
应用程序如何根据需要通过$\u post['password']
发布密码
更新
Charles代理输出
command register
username fxjzfnfx
password ®0i!0öºk}p«)ÛèGS¡{
{
"error": "Registration failed"
}
在这里检查您的上一个查询正在执行什么。您是否同时获得这两个值。也可能需要表中的其他字段 更换这个
//try to insert a new row in the "login" table with the given username and password
$result = query("INSERT INTO login(username, pass) VALUES('%s','%s')", $user, $pass);
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
到
并替换这个
//try to insert a new row in the "login" table with the given username and password
$result = query("INSERT INTO login(username, pass) VALUES('%s','%s')", $user, $pass);
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
到
显然,在将密码存储到数据库之前,不会对其进行哈希运算,这是一种非常糟糕的做法。除此之外,我真的不明白你的问题是什么。你应该提供更好的细节,说明什么有效,什么无效。这看起来很奇怪,但应用程序就是这样来的。我用一个用例编辑了这个问题。基本上,当我尝试注册
register($\u POST['username',$\u POST['password')代码>它不工作。但是,当password参数设置为空字符串时,它可以工作,但数据库中没有存储密码。您尝试过调试这个问题吗?这个查询
函数做什么?它是否检查任何错误?那么SQL注入呢?您是否考虑过保护您的代码不受SQL注入的影响?我已经检查了错误日志,看看它说了些什么。该查询应该使用给定的用户名和密码在“login”表中插入新行。它确实通过}else{//检查错误,因为某些数据库原因,注册不成功errorJson('registration failed');}
。我将在登录成功后保护代码。是的。只有用户名被发布到数据库中。我会检查Charles proxy,看看上面写了什么,然后更新问题。你说的“检查”是什么意思?这是如何解决问题的?我将用错误日志中的结果更新问题。这很奇怪,因为它根本没有在错误日志中显示任何内容。唯一显示错误的是应用程序中的警报,该警报表示注册失败。
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);
// try to match a row in the "login" table for the given username and password
$result = query("SELECT IdUser, username FROM login WHERE username=". $user . " AND pass=" . $pass ." limit 1");