我想验证用户输入的密码与数据库中的密码。我已经知道它会检查用户名是否正确(如果用户名不存在,它会显示错误),但是当它尝试使用mysql密码验证密码时,它永远不会工作。工作'例子'在http://scapersclearing.com/fansite/login.php;这是PHP(注意base.php包含数据库信息和header.php,navigation.php和footer.php以及所有的前端)。我正计划添加html实体,并在此工作后阻止SQL注入。用户名:测试 - 密码:password89(MD5 c1c2434f064da663997b1a2a233bf9f6)数据库“验证”PHP
<?php
include("base.php"); //Include MySQL connection
$username = $_POST['username']; //Connect form username with strings
$password = $_POST['password']; //Connect form password with strings
$salt = "xia8u28jd0ajgfa"; //Define the salt string
$salt2 = "oqipoaks42duaiu"; //Define the second salt string
$password = md5($salt.$password.$salt2); //Encrypt the password
$result = mysql_query("SELECT * FROM members WHERE username = '".$username."'"); //Open the members table
while($row = mysql_fetch_array($result)) { //Convert the members table into an array
if ($username != $row['username']) { //If user entered username doesn't equal the database username
include("header.php"); //Print the message
include("navigation.php");
echo "Invalid username or password!";
include("footer.php");
}
else {
if ($row['password'] == $password) { //Validate username and password
setcookie('c_username', $username, time()+6000); //Set the username cookie
setcookie('c_password', $password, time()+6000); //Set the cookie
header("Location:index.php"); //Redirect to home page
} else {
include("header.php"); //Print the message
include("navigation.php");
echo "<div class=\"content\"><p>Invalid username or password!<p></div>";
include("footer.php");
} } }
?>
有它呼应了哈希数据库以及脚本创建的散列,以查看它们是否匹配。 – 2009-12-11 02:20:42
使用'SELECT * FROM MEMBERS WHERE username =?和password =?' - 如果返回一行,则密码正确,否则不正确。你的数据库没有验证密码 - 在你的例子中逻辑完全是PHP。 – 2009-12-11 02:23:21
另外,在将用户名直接传递到查询中时,您有一个巨大的潜在SQL注入漏洞。改用PDO。 – benjy 2009-12-11 02:27:39