缺少密码检查
我使用下面的代码,它检查空字段并验证电子邮件,但即使密码正确,也无法登录。密码已插入md5保护,下面是代码。
PHP:
session_start();
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directes you to the members page
{
$email = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM accounts WHERE email = '$email'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: home.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['email'] | !$_POST['password']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM accounts WHERE email = '".$_POST['email']."'")or die(mysql_error());
//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['password'] = stripslashes($_POST['password']);
$info['password'] = stripslashes($info['password']);
$_POST['password'] = md5($_POST['password']);
//gives error if the password is wrong
if ($_POST['password'] != $info['password']) {
die('Incorrect password, please try again.');
}
else
{
// if login is ok then we add a cookie
$_POST['email'] = stripslashes($_POST['email']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['email'], $hour);
setcookie(Key_my_site, $_POST['password'], $hour);
//then redirect them to the members area
header("Location: home.php");
}
}
}
else
{
// if they are not logged in
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>email:</td><td>
<input type="text" name="email" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
}
这是注册代码:
PHP:
// here we encrypt the password and add slashes if needed
$_POST['password'] = md5($_POST['password']);
if (!get_magic_quotes_gpc()) {
$_POST['password'] = mysql_escape_string($_POST['password']);
$_POST['email'] = mysql_escape_string($_POST['email']);
$_POST['full_name'] = mysql_escape_string($_POST['full_name']);
$_POST['user_url'] = mysql_escape_string($_POST['user_url']);
}
// now we insert it into the database
$insert = "INSERT INTO accounts (Uniquer, Full_name, Email, Password, User_url)
VALUES ('".$uniquer."','".$_POST['full_name']."', '".$_POST['email']."','".$_POST['password']."', '".$_POST['user_url']."')";
$add_member = mysql_query($insert);
使用 ini_set 函数后,我看到了错误,我收到此消息,但不确定它的含义:
There are the lines where the errors are at:
if ($pass != $info['password'])
以及这一行
if ($_POST['password'] != $info['password']) {
I am using the code below, it checks for empty fields and verifies email, but even if the password is correct it won't login. the password has been inserted with md5 protection, below is the code.
PHP:
session_start();
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directes you to the members page
{
$email = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM accounts WHERE email = '$email'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: home.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['email'] | !$_POST['password']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM accounts WHERE email = '".$_POST['email']."'")or die(mysql_error());
//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['password'] = stripslashes($_POST['password']);
$info['password'] = stripslashes($info['password']);
$_POST['password'] = md5($_POST['password']);
//gives error if the password is wrong
if ($_POST['password'] != $info['password']) {
die('Incorrect password, please try again.');
}
else
{
// if login is ok then we add a cookie
$_POST['email'] = stripslashes($_POST['email']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['email'], $hour);
setcookie(Key_my_site, $_POST['password'], $hour);
//then redirect them to the members area
header("Location: home.php");
}
}
}
else
{
// if they are not logged in
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>email:</td><td>
<input type="text" name="email" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
}
Here is the registration code:
PHP:
// here we encrypt the password and add slashes if needed
$_POST['password'] = md5($_POST['password']);
if (!get_magic_quotes_gpc()) {
$_POST['password'] = mysql_escape_string($_POST['password']);
$_POST['email'] = mysql_escape_string($_POST['email']);
$_POST['full_name'] = mysql_escape_string($_POST['full_name']);
$_POST['user_url'] = mysql_escape_string($_POST['user_url']);
}
// now we insert it into the database
$insert = "INSERT INTO accounts (Uniquer, Full_name, Email, Password, User_url)
VALUES ('".$uniquer."','".$_POST['full_name']."', '".$_POST['email']."','".$_POST['password']."', '".$_POST['user_url']."')";
$add_member = mysql_query($insert);
After using ini_set function i got to see the error, i am getting this message but not sure what it means:
There are the lines where the errors are at:
if ($pass != $info['password'])
and this line
if ($_POST['password'] != $info['password']) {
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我可以看到的一件事是,您在发布的密码(非 md5 版本)上使用
stripslashes,但在 md5 版本上使用它作为存储的密码。您实际上并不需要在数据库中的密码上使用
stripslashes,因为一开始就不应该使用斜杠来存储密码。如果您将以下内容更改为: 会发生什么情况
:
The one thing I can see is that you use
stripslasheson the posted password (the non-md5 version) but use it on the md5 version for the stored password.You shouldn't really need to use
stripslasheson the password in the database, since no password should be stored with slashed to begin with.What happens if you change:
To:
您尝试使用
$info['password']访问 db 字段,但数据库字段实际上是Password带有大写 P。您正在调用
mysql_escape_string将数据存储在数据库中,并在提交的登录表单上调用stripslashes。也许他们对密码做了不同的事情。还有一些需要考虑的事情:stripslashes或mysql_escape_string关于它。它已被转换为仅字母数字字符。mysql_escape_string已弃用。插入新注册后,手动 md5 使用的密码,然后对照数据库中存储的值检查该值。你可能会发现它们是不同的。
You are trying to access the db field with
$info['password'], but the database field is actuallyPasswordwith a capital P.You are calling
mysql_escape_stringto store the data in the db, and the callingstripslasheson the submitted login form. Perhaps they are doing different things to the password. A few more things to think about:stripslashesormysql_escape_stringon it. It has already been converted into only alphanumeric characters.mysql_escape_stringis deprecated.After inserting a new registration, manually md5 the used password, then check that value against the one stored in the db. You may find that they are different.
您前段时间用完全不同的代码问了类似的问题,所以我认为现在更多的是数据库问题。
您的密码字段是否允许 md5 哈希值包含 32 个字符?太短的密码字段会截断 md5 哈希,因此总是登录失败。
You asked a similar question some time ago with comepletely different code, so I'm assuming it's more of a database problem now.
Does your password field allow 32 characters for the md5 hash? A too short password field will truncate md5 hash, thus always failing login.
我解决了这个问题,如果你注意到查询中显示的是 SELECT *,而不是我尝试选择电子邮件、密码。
I solved it, if you notice in the queries it says SELECT *, instead i tried SELECT email, password.