doutan1905 2016-04-24 07:56
浏览 39
已采纳

安全问题,php / mysql [重复]

This question already has an answer here:

In my CMS i don't have a registration system. Just a login one,meaning that the password is predefined inside the table. Ie I put my username and my set up password and I can successfully login. However that password is visible inside my table. How can I hash it? When I do that using sha1,I can't login. I have to login with the exact password which is stored in the table.

Here is my code. 

<?php
 session_start();
 ?>
 <!DOCTYPE HTML>
 <html>
 <head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   <title>Admin Area</title>
<link rel="stylesheet" href="login-css.css" media="all"/>
</head>

 <body>
 <div class="login">
 <h1>Admin Login</h1>
   <form method="post">
    <input type="text" name="user_name" placeholder="Username"   
    required="required" />
    <input type="password" name="user_pass" placeholder="Password" 
    required="required" />
    <button type="submit" class="btn btn-primary btn-block btn-large" 
     name="login">Admin Login</button>
</form>

</div>

<h2 style="color:#FFF; text-align:center"><?php echo 
@$_GET['not_authorized']; ?></h2>

</body>


</html>

<?php

  include("includes/connect.php");
if(isset($_POST['login'])){
    $user_name = mysqli_real_escape_string($con,$_POST['user_name']);
    $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']);


    $check_user = "select * from user where user_name='$user_name' AND user_password='$user_pass'";

    $run_user = mysqli_query($con,$check_user);



    if(mysqli_num_rows($run_user)>0){

        $_SESSION['user_name'] = $user_name;

        echo "<script>window.open('index.php?logged=You have successfully   
      Logged In','_self')</script>";
    }else{
        echo "<script>alert('Username or password is incorrect')</script>";
    }
  }
 ?>

And my table sql code.

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(100) NOT NULL,
  `user_password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=8 ;

INSERT INTO `user` (`id`, `user_name`, `user_password`) VALUES
(7, 'theo', 'test');

So the password should not be shown as test.

Any ideas,

Thanks.

</div>
  • 写回答

1条回答 默认 最新

  • duanlei1957 2016-04-24 08:03
    关注

    You can convert the password $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']); sha1 and pass it to query.

    But better idea is collect the user information with user name and check the converted password(sha1) string with the password column value you retrieved from the query.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 matlab答疑 关于海上风电的爬坡事件检测
  • ¥88 python部署量化回测异常问题
  • ¥30 酬劳2w元求合作写文章
  • ¥15 在现有系统基础上增加功能
  • ¥15 远程桌面文档内容复制粘贴,格式会变化
  • ¥15 关于#java#的问题:找一份能快速看完mooc视频的代码
  • ¥15 这种微信登录授权 谁可以做啊
  • ¥15 请问我该如何添加自己的数据去运行蚁群算法代码
  • ¥20 用HslCommunication 连接欧姆龙 plc有时会连接失败。报异常为“未知错误”
  • ¥15 网络设备配置与管理这个该怎么弄