duanhui7329 2016-01-08 07:37
浏览 63
已采纳

PHP密码验证正在被绕过

I want users to enter one of 4 passwords to get access to my site. The landing page is index.html and the redirect page should be home.html

I used the following code and I am using an if statement to hash the entered password and compare it with the 4 acceptable hases. If they match then I want the page to redirect. Otherwise I want to display a JS alert.

My issue is that even if the wrong password is entered, it still redirects with no alert.

//Take the values from the html form and assign them to variables
$ID = $_POST['name'];
$userpassword = $_POST['password'];

//Check to see if the password matches the hashes
if (md5($userpassword) === '5b5c45f1b9e444d9e441211cfb325270' 
    or '17434cf0d4ba816cd776ff8b0ec532f1' 
    or '7a94fda2a6e81a1693533e6dc8501b37' 
    or '2d8b2ba14eeb0ac1fe474d468b720771') 
{
//Add the visitor name to our list
  mysqli_query($connect, "INSERT INTO `visitor list` (`Visitor Name`) VALUES ('$ID')") or die("Error in INSERT: ".mysqli_error($connect));

  echo "You have entered the correct password, congrats.";
// Redirect them to rest of site
   header("Location: http://localhost:82/home.html");
      die();

}

else {
  echo "<script type='text/javascript'>alert('Wrong Password');</script>";
}
  • 写回答

1条回答 默认 最新

  • duanjiaolia97750 2016-01-08 07:41
    关注

    The code is only doing the comparison in for the first md5 hash but you have 4 conditions you want to satisfy so you would replace your if condition with this:

    $hashedPassword = md5($userpassword);
if (   $hashedPassword == '5b5c45f1b9e444d9e441211cfb325270' 
    or $hashedPassword == '17434cf0d4ba816cd776ff8b0ec532f1' 
    or $hashedPassword == '7a94fda2a6e81a1693533e6dc8501b37' 
    or $hashedPassword == '2d8b2ba14eeb0ac1fe474d468b720771')

    The reason why it wasn't working is because the way PHP interpreted code was like this:

    if (false/true or true or true or true)

    The md5 strings were seen as 'true' values. A string is only false if it is empty or it is equal "0" (but that's kind of a separate topic you can read about here .. so it is necessary to repeat the comparison.

    An alternative way to do it would be to do this:

    if (in_array(md5($userpassword), ['5b5c45f1b9e444d9e441211cfb325270', '17434cf0d4ba816cd776ff8b0ec532f1', '7a94fda2a6e81a1693533e6dc8501b37', '2d8b2ba14eeb0ac1fe474d468b720771'])

    Basically it is checking if md5($userpassword) is defined in the array that is passed in the second argument.

    More info on in_array:

    in_array — Checks if a value exists in an array

    Usage bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] )

    Link http://php.net/in_array

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 随身WiFi网络灯亮但是没有网络,如何解决?
  • ¥15 gdf格式的脑电数据如何处理matlab
  • ¥20 重新写的代码替换了之后运行hbuliderx就这样了
  • ¥100 监控抖音用户作品更新可以微信公众号提醒
  • ¥15 UE5 如何可以不渲染HDRIBackdrop背景
  • ¥70 2048小游戏毕设项目
  • ¥20 mysql架构,按照姓名分表
  • ¥15 MATLAB实现区间[a,b]上的Gauss-Legendre积分
  • ¥15 delphi webbrowser组件网页下拉菜单自动选择问题
  • ¥15 linux驱动,linux应用,多线程