当前位置: 文江博客话题详情

sha('$password') 返回空集

发布于 2024-11-17 12:38:54 字数 1092 浏览 5 评论 0原文

我有两个问题。 问题一: 我正在尝试创建一个注册表单,用户可以在我的网站上注册。 当我运行此 mysql 语句时,发现错误:

$sql "insert into users(username, password) values('$username, sha('$password'))";

重复条目 'da39a3ee5e6b4b0d3255bfef95601890afd80709' for key 'password' 尽管我多次更改了字符串 sha('$password') 。 请帮忙。

else{
   include("databaseconnection.php");
   $databaseconnect = connect($host,$user,$password,$database)
      or die("couldnot connect to database serever.\n");
   $database_select = mysql_select_db($database,$databaseconnect)
      or die("could not select dabases.\n " .mysql_error());
   $query2 = "insert into company(username,password)
      values('$username',sha1('$password'))";
   $result2 = mysql_query($query2,$databaseconnect);
   echo "you have been registered as '$companyloginName' <br/>";
   header("Location:/index.php");

我的登录php脚本如下:

   $result ="select username, password form users where username ='$username' and password = sha('$password');
    if(mysql_num_rows($reuslt)==1){
   echo"welcome '$username";
    }
原文

I have two problems.
problem one:
I am trying to create a registeration form where users can register with my website.
when I run this mysql statement a get dublicate entry found error:

$sql "insert into users(username, password) values('$username, sha('$password'))";

Duplicate entry 'da39a3ee5e6b4b0d3255bfef95601890afd80709' for key 'password'
despite the fact that I changed the the string sha('$password') several times.
please help.

else{
   include("databaseconnection.php");
   $databaseconnect = connect($host,$user,$password,$database)
      or die("couldnot connect to database serever.\n");
   $database_select = mysql_select_db($database,$databaseconnect)
      or die("could not select dabases.\n " .mysql_error());
   $query2 = "insert into company(username,password)
      values('$username',sha1('$password'))";
   $result2 = mysql_query($query2,$databaseconnect);
   echo "you have been registered as '$companyloginName' <br/>";
   header("Location:/index.php");

my login php script is as follow:

   $result ="select username, password form users where username ='$username' and password = sha('$password');
    if(mysql_num_rows($reuslt)==1){
   echo"welcome '$username";
    }

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

他不在意 2024-11-24 12:38:54

首先,我强烈建议不要单独使用 MySQL 的 sha() 或 PHP 的 sha1() 来进行密码哈希处理。 如果您的数据库遭到破坏,这对您的用户来说将是一个巨大的安全风险。

请花点时间阅读我之前关于密码哈希主题的回答以正确保护您的数据。

其次,您的代码容易受到 SQL 注入攻击。使用 mysql_real_escape_string() 转义之前要放入查询中的变量-手。

$query2 = "insert into company(username,password)
  values('" . mysql_real_escape_string($username) .
          "', sha1('" . mysql_real_escape_string($password) . "'))";

第三,您的 $password 变量被 databaseconnection.php 文件覆盖。

include("databaseconnection.php");
$databaseconnect = connect($host,$user, $password ,$database);

为了强调...

$databaseconnect = connect($host,$user,$password,$database);< /p>

因此,<稍后在查询中使用的 code>$password 仍然包含数据库连接的密码,而不是用户的密码。

更改databaseconnection.php中变量的名称,或者更好的是,使用数组来保存所有配置。

$dbConnectParams = array('host' => 'localhost'
                         'user' => 'myUser',
                         'pass' => 'myPassword',
                         'db' => 'myDB');

然后,按如下方式更改代码:

include("databaseconnection.php");
$databaseconnect = mysql_connect($dbConnectParams['host'],
                           $dbConnectParams['user'],
                           $dbConnectParams['pass'],
                           $dbConnectParams['db']);

由于在调用mysql_connect()时已经传递了数据库,因此不需要调用mysql_select_db()

First, I would STRONGLY advice against using MySQL's sha() or PHP's sha1() alone for password hashing purposes. This is a huge security risk for your users if your database gets compromised.

Please take the time to read my previous answer on the subject of password hashing to properly secure your data.

Second, your code is vulnerable to an SQL Injection attack. Use mysql_real_escape_string() to escape the variables you are going to put in your query before-hand.

$query2 = "insert into company(username,password)
  values('" . mysql_real_escape_string($username) .
          "', sha1('" . mysql_real_escape_string($password) . "'))";

Third, your $password variable is being overwritten by your databaseconnection.php file.

include("databaseconnection.php");
$databaseconnect = connect($host,$user, $password ,$database);

To put emphasis...

$databaseconnect = connect($host,$user,$password,$database);

Therefore, the $password used later on in your query still contains the password for the database connection, not your user's password.

Change the name of your variable in databaseconnection.php or even better still, use an array to hold all the configuration.

$dbConnectParams = array('host' => 'localhost'
                         'user' => 'myUser',
                         'pass' => 'myPassword',
                         'db' => 'myDB');

Then, change your code as follows:

include("databaseconnection.php");
$databaseconnect = mysql_connect($dbConnectParams['host'],
                           $dbConnectParams['user'],
                           $dbConnectParams['pass'],
                           $dbConnectParams['db']);

Since you are already passing the database when calling mysql_connect(), you do no need to call mysql_select_db().

回复 原文
っ左 2024-11-24 12:38:54

da39a3ee5e6b4b0d3255bfef95601890afd80709 是空字符串的 sha1 哈希值。确保您确实将密码插入到 SQL 查询中,例如通过回显查询而不是将其发送到 SQL 服务器。

编辑将新信息添加到您的问题后,请检查这两行:

include("databaseconnection.php");
$databaseconnect = connect($host,$user,$password,$database)

这里,$password 是用于连接到数据库的密码 。包含databaseconnection.php可能会覆盖之前在$password变量中的内容。

尝试echo $query2,您可能会亲眼看到,SQL 查询根本不包含任何密码,或者其中的密码与用户输入的密码不同。

da39a3ee5e6b4b0d3255bfef95601890afd80709 is the sha1 hash of the empty string. Make sure that you actually insert the password into your SQL query, for example by echoing the query instead of sending it to the SQL server.

Edit With the new information added to your question, check out these two lines:

include("databaseconnection.php");
$databaseconnect = connect($host,$user,$password,$database)

Here, $password is the password used to connect to the database. The inclusion of databaseconnection.php probably overwrites what was previously in the $password variable.

Try to echo $query2 and you'll probably see it for yourself, that the SQL query doesn't include any password at all or that the password therein is not the same as the one entered by the user.

回复 原文
枫以 2024-11-24 12:38:54

从注释行猜测,您可能不小心使用了“databaseconnection.php”中设置的连接密码而不是用户密码 - 您没有显示如何初始化 $password 字符串。

另请注意您的sql中不应该出现的逗号:

insert into company(username,password,)
                                     ^

我还没有测试这是否是原因,但您可能应该摆脱它并再次测试它。

另外,请认真考虑 pdo/prepared 语句以防止 sql 注入,如果您想从用户输入插入密码,则更是如此。

Guessing from the commented line, it may be possible you accidentally use the connection password that is set in 'databaseconnection.php' rather than the user password - you don't show how you initialize the $password string.

Also note the comma in your sql that shouldn't be there:

insert into company(username,password,)
                                     ^

I have not tested if that is the cause, but you should probably get rid of it and test it again.

Also, seriously consider pdo / prepared statements to prevent sql-injections, even more so if you want to insert the password from user input.

回复 原文
~没有更多了~

关于作者

猥︴琐丶欲为

暂无简介

文章
评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

勿忘初心

文章 0 评论 0

Ransom

文章 0 评论 0

似最初

文章 0 评论 0

痴者

文章 0 评论 0

不再见

文章 0 评论 0

Thera

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文