dszn2485 2015-04-07 02:25
Views: 42
Accepted

too long

SCROLL DOWN TO HELP ME, THE PROBLEM IS EXPLAINED.

PROBLEM ALMOST SOLVED!

I am trying to write an automatic login script with cookies, and I came across a very interesting tutorial: http://blog.monstruosor.com/2013/05/18/php-auto-connexion-par-cookie/

Here is the code he proposes:

function autologin() {
    $key = $_COOKIE['autologin'];

    $ip = $_SERVER['REMOTE_ADDR'];

    // $ip and $key are interpolated straight into the SQL text
    $query = "SELECT * FROM users WHERE SHA1(CONCAT('SEL1-df546', `name`, `id`, 'SEL2-sd55fd', `last_connection`, $ip))=$key";
    $infos = $users->exec($query);

    if(!is_array($infos) || empty($infos)) {
        // Bad cookie!
        return false;
    }

    $_SESSION['user'] = $infos; // Store in SESSION
    return true;
}

The main line that interests me is this one:

$query = "SELECT * FROM users WHERE SHA1(CONCAT('SEL1-df546', `name`, `id`, 'SEL2-sd55fd', `last_connection`, $ip))=$key";
$infos = $users->exec($query);

However, it is not secure. I want to know how to use a prepared statement for this line. I tried this, but it does not work:

    $req = $this->_db->prepare("SELECT * FROM Members WHERE SHA1(CONCAT(HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`, ip = :ip)) = :key");
    $req->execute(array(
        'ip' => htmlspecialchars($ip),
        'key' => htmlspecialchars($key)));

The $this->_db is from my class and is well written, don't worry. The problem comes from here:

$req = $this->_db->prepare("SELECT * FROM Members WHERE SHA1(CONCAT(HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`, ip = :ip)) = :key");

Hope someone has a solution.


Here's more information:

my index.php page contains :

$ip = $_SERVER['REMOTE_ADDR'];
$key = $_COOKIE['auto_login'];
$mg->autoLogin($ip, $key);

and my autoLogin method from my class :

    public function autoLogin($ip, $key)
    {
        $req = $this->_db->prepare("SELECT * FROM Members WHERE SHA1(CONCAT(HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`, :ip)) = :key");
        $req->execute(array(
            'ip' => htmlspecialchars($ip),
            'key' => htmlspecialchars($key)));
        $donnee = $req->fetch();
        $req->closeCursor();
        if(!is_array($donnee) || empty($donnee))
        {
            return false;
        }
        else
        {
            $_SESSION['user'] = $donnee;
            return true;
        }
    }

If you still need more information, just ask me, I'll update my question again !


HERE'S THE LAST PROBLEM

Thanks to pala_, who almost resolved it.

I know where the problem is. In my database, the IP stored for the member I'm trying to log in is "::1". But when I do "echo $ip;", where $ip is generated here: "$ip = $_SERVER['REMOTE_ADDR'];", I get "127.0.0.1"! It's not the same IP when I do my verification, so the problem is probably here! Any idea how to fix this?

The problem is here, because if I do "$ip = '::1';", it's WORKING. Any idea?
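The lookup from the question, reproduced in Python against an in-memory SQLite database so it runs without a MySQL server. This is an added example, not code from the question or from the linked tutorial; the users table, its two rows and the cookie values are constructed for it. SQLite has no SHA1() or CONCAT(), so both are registered as Python functions to keep the query text close to the page's. autologin_interpolated builds the query by string interpolation as the tutorial does (the page leaves $ip and $key bare; they are quoted here so that an ordinary hex digest is compared as a string at all, which is the usual form of this mistake), and autologin_prepared binds :ip and :key the way the question attempts. The last call reproduces the mismatch from the final update: a cookie issued while REMOTE_ADDR was ::1 (the IPv6 loopback address) cannot match a lookup made with 127.0.0.1 (the IPv4 loopback address), because the IP string is part of what gets hashed.

```python
import hashlib
import sqlite3

# The tutorial's two fixed strings, taken from the query on the page.
SECRET1 = "SEL1-df546"
SECRET2 = "SEL2-sd55fd"


def open_db() -> sqlite3.Connection:
    """In-memory SQLite with constructed rows and MySQL-style SHA1()/CONCAT()."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.create_function("SHA1", 1, lambda s: hashlib.sha1(str(s).encode()).hexdigest())
    conn.create_function("CONCAT", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, last_connection TEXT, ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "2015-04-06 23:59:00", "::1"),       # constructed: logged in over IPv6 loopback
            (2, "alice", "2015-04-07 02:00:00", "10.0.0.5"),  # constructed
        ],
    )
    return conn


def issue_cookie(row: sqlite3.Row, ip: str) -> str:
    """Value the tutorial's login step has to put in the 'autologin' cookie:
    the same SHA1(CONCAT(...)) that the lookup recomputes for every row."""
    material = f"{SECRET1}{row['name']}{row['id']}{SECRET2}{row['last_connection']}{ip}"
    return hashlib.sha1(material.encode()).hexdigest()


def autologin_interpolated(conn, key: str, ip: str) -> list:
    """The page's query built by string interpolation. The cookie value becomes
    part of the SQL text, so a crafted cookie rewrites the WHERE clause."""
    query = (
        "SELECT * FROM users WHERE SHA1(CONCAT("
        f"'{SECRET1}', name, id, '{SECRET2}', last_connection, '{ip}')) = '{key}'"
    )
    return conn.execute(query).fetchall()


def autologin_prepared(conn, key: str, ip: str) -> list:
    """The same lookup with bound parameters: :ip and :key are always data,
    never SQL. The secrets stay in the query text because they are constants."""
    query = (
        "SELECT * FROM users WHERE SHA1(CONCAT("
        f"'{SECRET1}', name, id, '{SECRET2}', last_connection, :ip)) = :key"
    )
    return conn.execute(query, {"ip": ip, "key": key}).fetchall()


def names(rows) -> list:
    """Just the user names of a result set, for readable comparisons."""
    return [r["name"] for r in rows]


if __name__ == "__main__":
    conn = open_db()
    admin = conn.execute("SELECT * FROM users WHERE id = 1").fetchone()
    cookie = issue_cookie(admin, "::1")  # issued while REMOTE_ADDR was ::1

    print(names(autologin_interpolated(conn, cookie, "::1")))    # ['admin']
    forged = "' OR '1'='1"                                       # no real cookie needed
    print(names(autologin_interpolated(conn, forged, "::1")))    # ['admin', 'alice']
    print(names(autologin_prepared(conn, forged, "::1")))        # []
    print(names(autologin_prepared(conn, cookie, "::1")))        # ['admin']
    print(names(autologin_prepared(conn, cookie, "127.0.0.1")))  # [] (the question's mismatch)
```

Two details from the question's own code are worth noting here. htmlspecialchars() in the execute() call is an HTML output-encoding function: it is not needed for a bound parameter, and for any value containing &, <, > or a quote it would change the value before it is compared. And whether the IP is bound or interpolated, folding it into the token is fragile: a dual-stack localhost may be reached over ::1 on one request and 127.0.0.1 on the next, which is what the final update observes, and clients behind carriers or proxies change address just as readily.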


1 answer

  • dongzhi6382 2015-04-07 02:53

    Try this:

    $req = $this->_db->prepare("SELECT * FROM Members WHERE SHA1(CONCAT('HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`, :ip)) = :key");
    

    The error is here: ip = :ip just needs to be :ip, and also here: CONCAT(HASH1-1dg9sf' needs to be CONCAT('HASH1-1dg9sf'.

    Here is some complete, tested (and working) code. It uses PDO.

    // $pdo: an existing PDO connection to the test database
    $stmt = $pdo->prepare("SELECT * FROM users WHERE SHA1(CONCAT('HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`, :ip)) = :key");
    $ip = '10.0.0.1';
    $key = 'HASH1-1dg9sf2himHASH2-dt5w1qalso10.0.0.1';
    $key = sha1($key);
    $res = $stmt->execute(array('ip' => $ip, 'key' => $key));
    print_r($stmt->fetchAll(PDO::FETCH_ASSOC));


    And has the following output:

    Array
    (
        [0] => Array
            (
                [id] => 2
                [first_name] => him
                [last_name] => also
                [ip] => 10.0.0.1
            )

    )


    which is retrieved from the following row from my test database:

    mysql> SELECT * FROM users WHERE SHA1(CONCAT('HASH1-1dg9sf', `id`, `first_name`, 'HASH2-dt5w1q', `last_name`,'10.0.0.1'));
    +------+------------+-----------+-----------+
    | id   | first_name | last_name | ip        |
    +------+------------+-----------+-----------+
    |    1 | me         | last      | 127.0.0.1 |
    +------+------------+-----------+-----------+
    
    This answer was accepted by the asker.
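The accepted answer fixes the syntax, but the cookie scheme it repairs is still weak: the value is SHA1 over two constant strings plus columns a user can often learn or guess (id, names, last connection, IP), every row has to be hashed on each lookup, and the IP binding is exactly what broke in the question's final update. The usual alternative, added here as an example in Python with SQLite (not code from the answer or the question; the table and column names, the 96/256-bit token sizes and the 30-day lifetime are choices made for this example), is a selector/validator token: the cookie carries two random strings, the selector finds the row, and only a SHA-256 of the validator is stored and compared in constant time. Nothing about the user or the connection is hashed, so ::1 versus 127.0.0.1 no longer matters, each token can be revoked on its own, and a dump of the table yields no usable cookies.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=30)  # lifetime chosen for the example


def open_db() -> sqlite3.Connection:
    """In-memory SQLite with two constructed users and an empty token table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE remember_tokens (
            selector       TEXT PRIMARY KEY,   -- random lookup handle
            validator_hash TEXT NOT NULL,      -- sha256(validator); the validator itself is never stored
            user_id        INTEGER NOT NULL REFERENCES users(id),
            expires        TEXT NOT NULL       -- ISO 8601, UTC
        );
        INSERT INTO users VALUES (1, 'admin'), (2, 'alice');
    """)
    return conn


def example_now() -> datetime:
    """Fixed clock so the example is reproducible (the question's timestamp)."""
    return datetime(2015, 4, 7, 2, 25, tzinfo=timezone.utc)


def _hash_validator(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(conn, user_id: int, now: datetime) -> str:
    """Store a new token row and return the cookie value 'selector:validator'."""
    selector = secrets.token_hex(12)   # 96 random bits, only used to find the row
    validator = secrets.token_hex(32)  # 256 random bits, only ever held by the browser
    conn.execute(
        "INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) "
        "VALUES (?, ?, ?, ?)",
        (selector, _hash_validator(validator), user_id, (now + TOKEN_LIFETIME).isoformat()),
    )
    return f"{selector}:{validator}"


def autologin(conn, cookie: str, now: datetime):
    """Return {'id', 'name'} for a valid cookie, else None. The row is found by
    selector alone; the validator is only compared, in constant time, to the hash."""
    if not cookie or ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = conn.execute(
        "SELECT t.validator_hash, t.expires, u.id, u.name "
        "FROM remember_tokens t JOIN users u ON u.id = t.user_id "
        "WHERE t.selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None
    if datetime.fromisoformat(row["expires"]) <= now:
        conn.execute("DELETE FROM remember_tokens WHERE selector = ?", (selector,))
        return None
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        # Right selector, wrong validator: the cookie was copied or guessed.
        # Revoke the token so the legitimate holder has to log in again as well.
        conn.execute("DELETE FROM remember_tokens WHERE selector = ?", (selector,))
        return None
    return {"id": row["id"], "name": row["name"]}


def revoke_all(conn, user_id: int) -> int:
    """Sign a user out of every remembered browser (password change, 'log out everywhere')."""
    return conn.execute("DELETE FROM remember_tokens WHERE user_id = ?", (user_id,)).rowcount


if __name__ == "__main__":
    conn = open_db()
    cookie = issue_token(conn, 1, example_now())
    print(autologin(conn, cookie, example_now()))                   # {'id': 1, 'name': 'admin'}
    print(autologin(conn, cookie, example_now() + TOKEN_LIFETIME))  # None (expired)
```

In PHP the same shape is setcookie() with the selector:validator string (HttpOnly, Secure, and a SameSite attribute), a prepared SELECT ... WHERE selector = :selector, and hash_equals() in place of hmac.compare_digest(). Deleting the row on a validator mismatch is deliberate: a known selector with the wrong validator means the cookie was copied or guessed, so the legitimate session is cut too and the user is asked to log in again. If the application still wants some tie to the client, store the IP or user agent at issue time for display and auditing rather than making it part of the secret.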
