密码加密登录问题

我有问题在我的sql数据库中查找和验证用户的加密密码。注册过程没问题，它使用他们的md5 ecrypted密码创建他们的行，但是当尝试登录时，它不会识别他们的密码。下面有什么用IM：密码加密登录问题

// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

// username and password sent from form 
$myusername = $_POST['myusername']; 
$mypassword = $_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection) 
$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword); 

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='md5($mypassword)'"; 
$result=mysql_query($sql); 

// Mysql_num_row is counting table row 
$count=mysql_num_rows($result); 

// If result matched $myusername and $mypassword, table row must be 1 row 
if($count==1){ 

// Register $myusername, $mypassword and redirect to file "login_success.php" 
session_start(); 
$_SESSION['login'] = "$myusername";

来源

2013-02-20 Josh Woelfel

'md5（...）'被视为字面上的字符'md5（'。另外，不要使用MD5。请使用bcrypt或类似的东西。 – Blender 2013-02-20 05:08:39

使用password = md5（$ mypassword）as @Blender说 – 2013-02-20 05:09:33

从安全角度来看，md5（密码）='$ mypassword'也可以工作 – Class 2013-02-20 05:15:21

尝试

mysql_connect($host, $username, $password)or die("cannot connect"); 
mysql_select_db($db_name)or die("cannot select DB"); 

// username and password sent from form 
$myusername = $_POST['myusername']; 
$mypassword = $_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection) 
$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword); 

$sql="SELECT * FROM '".$tbl_name.". WHERE username='".$myusername."' and password='".md5($mypassword)."'"; 
$result=mysql_query($sql); 

// Mysql_num_row is counting table row 
$count=mysql_num_rows($result); 

// If result matched $myusername and $mypassword, table row must be 1 row 
if($count==1){ 

// Register $myusername, $mypassword and redirect to file "login_success.php" 
session_start(); 
$_SESSION['login'] = $myusername;

来源

2013-02-20 05:14:23

我有同样的问题并且我根据你的建议进行修改，但它仍然不起作用。你能帮我吗？ – 2013-09-24 12:46:32

@JohnR什么是确切的问题 – 2013-09-24 14:59:30

h ttp：//stackoverflow.com/questions/18978275/android-login-authentication-with-remote-mysql-database检查此链接。 – 2013-09-24 15:32:26

具有以下取代你$ sql中。我假设你在$ tbl_name -variable中有正确的表名。

$sql="SELECT * FROM ".$tbl_name." WHERE username='".$myusername."' and password='".md5($mypassword)."'";

来源

2013-02-20 06:18:08 iiro

大声笑你的代码是复杂的，生病提供我制作的脚本！

使用STMT意味着NO SQL INJECTION

如何加密密码（正确的方法!!!）

function Encrypt($text) { 
    $cost = 12; 
    $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'); 
    $salt = sprintf("$2a$%02d$", $cost) . $salt; 
    $altered_text = crypt($text, $salt); 
    return $altered_text; 
} 

// Then use the code below to use the function 

$password = Encrypt($password);

在您的登录，请用蛮力保护

这里是一个蛮力强制保护代码

function BruteForce($user_id, $link) { 
    $now = time(); 
    $timespan = $now - (2 * 60 * 60); 
    if ($stmt = $link->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > '$timespan'")) { 
     $stmt->bind_param('i', $user_id); 
     $stmt->execute(); 
     $stmt->store_result(); 
     if ($stmt->num_rows > 5) { 
      return true; 
     } else { 
      return false; 
     } 
     $stmt->close(); 
    } 
}

然后使用下面的sql语句

CREATE TABLE `login_attempts` (
    `user_id` INT(11) NOT NULL, 
    `time` VARCHAR(30) NOT NULL 
) ENGINE=InnoDB

然后存储试图

function StoreAttempt($user_id, $link) { 
    $now = time(); 
    $stmt = $link->prepare("INSERT INTO login_attempts (user_id, time) VALUES (?, ?)"); 
    $stmt->bind_param("ss", $a, $b); 
    $a = $user_id; 
    $b = $now; 
    $stmt->execute(); 
    $stmt->close(); 
}

然后用它在行动

// user_id = the users id after you get the users id 
// link = the database connection 

if (BruteForce($user_id, $link) === true) { 
    // Too many login attempts 
} else { 
    // Store Attempt 
    StoreAttempt($user_id, $link); 
}

我建议你使用一个安全会议，而不是一个简单的一个

使用的代码如下

function SecureSession() { 
    $session_name = 'SecureSession'; 
    $secure = true; 
    $httponly = true; 
    if (ini_set('session.use_only_cookies', 1) === FALSE) { 
     die("Could not initiate a safe session (ini_set)"); 
    } 
    $cookieParams = session_get_cookie_params(); 
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
    session_name($session_name); 
    session_start(); 
    session_regenerate_id(true); 
}

要启动会议现在

SessionSecure();

如果您计划使用PHP自

使用下面

function SanitizeUrl($url) { 
    if ('' == $url) { 
     return $url; 
    } 
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url); 
    $strip = array('%0d', '%0a', '%0D', '%0A'); 
    $url = (string) $url; 
    $count = 1; 
    while ($count) { 
     $url = str_replace($strip, '', $url, $count); 
    } 
    $url = str_replace(';//', '://', $url); 
    $url = htmlentities($url); 
    $url = str_replace('&amp;', '&#038;', $url); 
    $url = str_replace("'", '&#039;', $url); 
    if ($url[0] !== '/') { 
     return ''; 
    } else { 
     return $url; 
    } 
}

这段代码的功能上面是防止PHP自前

然后使用它

SanitizeUrl($_SERVER['PHP_SELF']);

现在的实际登录功能

我建议使用电子邮件，然后在你的登录用户名，主要是因为你的电子邮件是不是唯一的！

function Login($email, $password, $link) { 
    if (empty($username) || empty($password)) { 
     // A field is empty 
     return false; 
    } else { 
     $sql = "SELECT `id`,`username`,`password` FROM `users` WHERE `email` = ?"; 
     if ($stmt = $link->prepare($sql)) { 
      $stmt->bind_param('s', $email); 
      $stmt->execute(); 
      $stmt->store_result(); 
      if ($stmt->num_rows == 1) { 
       $stmt->bind_result($db_id, $db_username, $db_password); 
       $stmt->fetch(); 
       if (BruteForce($db_id, $link) === false) { 
        $password = Encrypt($password); 
        if ($password == $db_password) { 
         // LOGGED IN, SET SESSION VARS 
         return true; 
        } else { 
         // Store Attempt 
         StoreAttempt($user_id, $link); 
         return false; 
        } 
       } else { 
        return false 
       } 
      } else { 
       return false; 
      } 
     } else { 
      return false; 
     } 
    } 
}

然后在行动

SessionSecure(); 

if (isset($_POST['DoLogin'])) { 
    $email = $_POST['login-email']; 
    $password = $_POST['login-password']; 
    if (Login($email, $password, $link) === true) { 
     // Logged in Redirect now! 
    } else { 
     // Login failed 
    } 
}

随意使用这个代码中使用它！ :)

来源

2015-11-01 16:36:21

密码加密登录问题

回答

相关问题