1
所以,我有以下代碼:數據庫密碼檢查
<?php
mysql_connect("HOSTADDRESS", "USERNAME", "PASS") or die(mysql_error());
mysql_select_db("DATABASENAME") or die(mysql_error());
//Checks if there is a login cookie;
if(isset($_COOKIE["ID_my_site"]))
//If there is, it logs you in and directs you to the member page
{
$username = $_COOKIE["ID_my_site"];
$pass = $_COOKIE["ID_my_site"];
$check = mysql_query("SELECT * FROM userdata WHERE emailaddress = '$emailaddress'") or die(mysql_error());
while($info = mysql_fetch_array($check))
{
if ($pass != $info["password"])
{
}
else
{
header("Location: members.php");
}
}
}
//If the login form is submitted;
if (isset($_POST["submit"])) { //If form has been submitted
//Makes sure they are filled in
if(!$_POST["emailaddress"] | !$_POST["pass"]) {
die("You did not fill in all required fields.");
}
//Checks it against the database;
if (!get_magic_quotes_gpc()) {
$_POST["email"] = addslashes($_POST["email"]);
}
$check = mysql_query("SELECT * FROM userdata WHERE emailaddress = '".$_POST["emailaddress"]."'") or die(mysql_error());
//Gives error if user doesn't exist;
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die("That users does not exist in our database. <a href=register.php>Click here to register</a>");
}
while($info = mysql_fetch_array($check))
{
$_POST["pass"] = stripslashes($_POST["pass"]);
$info["password"] = stripslashes($info["password"]);
$_POST["pass"] = md5($_POST["pass"]);
//Gives error if the password is wrong
if ($_POST["pass"] != $info["password"]) {
die("Incorrect password, please try again.");
}
else
{
//If login is ok then we add a cookie
$_POST["emailaddress"] = stripslashes($_POST["emailaddress"]);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST["emailaddress"], $hour);
setcookie(Key_my_site, $_POST["pass"], $hour);
//Then it redirects them to the members area
header("Location: members.php");
}
}
}
else
{
//If they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Email Address:</td><td>
<input type="text" name="emailaddress" maxlength="60">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="12">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
當我嘗試通過網站登錄,即使密碼是相同的數據庫的密碼,它讀取「密碼不正確,請再試一次。'如果我使用數據庫中找到的加密版本嘗試密碼,它也會顯示此消息。請有人可以幫我解決這個問題嗎?
在你的問題粘貼代碼,而不是一個可怕的廣告出沒的外部網站。 – geoffspear
**危險**:您正在使用[一個**過時的**數據庫API](http://stackoverflow.com/q/12859942/19068),並應使用[現代替換](http:// php。淨/手動/ EN/mysqlinfo.api.choosing.php)。你也**易受[SQL注入攻擊](http://bobby-tables.com/)**,現代的API會使[防禦]更容易(http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php)自己從。 – Quentin
您正在使用[不適合的哈希算法](http://php.net/manual/en/faq.passwords.php),需要[更好地照顧](https://www.owasp.org/index。 php/Password_Storage_Cheat_Sheet)的用戶密碼。 – Quentin