douhui8025 2017-04-07 15:01
浏览 71

mysql aes_encrypt和aes_decrypt

I'm trying to make a login system which encrypts and decrypt passwords in database(for my project). I can use aes_encrypt to encrypt password and store them in database.However, when I decrypt them later to find matching passwords for login, they don't work. It's like aes_decrypt is skipped and not ran because I have accounts with plaintext password stored in database and I can login with them but for accounts with encrypted passwords they don't work. I'm using Xampp with phpmyadmin for database. 

Signup file
<?php

if(isset($_POST['signup']))
{
mysql_connect("localhost","root","");
mysql_select_db("faceback");

$Email=$_POST['email'];

$que1=mysql_query("select * from users where Email='$Email'");
$count1=mysql_num_rows($que1);

if($count1>0)
{
echo "<script>
alert('There is an existing account associated with this email.');
</script>";
}
else
{
$Name=$_POST['first_name'].' '.$_POST['last_name'];
$Password=$_POST['password'];
$Gender=$_POST['sex'];
$Birthday_Date=$_POST['day'].'-'.$_POST['month'].'-'.$_POST['year'];
$FB_Join_Date=$_POST['fb_join_time'];

$day=intval($_POST['day']);
$month=intval($_POST['month']);
$year=intval($_POST['year']);
if(checkdate($month,$day,$year))
{
$que2=mysql_query("insert into 
users(Name,Email,Password,Gender,Birthday_Date,FB_Join_Date) 
values('$Name','$Email',AES_ENCRYPT('$Password','897sdn9j98u98jk'),
'$Gender','$Birthday_Date','$FB_Join_Date')");

session_start();
$_SESSION['tempfbuser']=$Email;
}

Login file
<?php


if(isset($_POST['Login']))
{
mysql_connect("localhost","root","");
mysql_select_db("faceback");

$user=$_POST['username'];
$pass=$_POST['password'];



$que1=mysql_query("select Email,AES_DECRYPT(Password,'897sdn9j98u98jk') from 
users where Email='$user' and Password='$pass'");
$count1=mysql_num_rows($que1);

if($count1>0)
{
session_start();
$_SESSION['tempfbuser']=$user;
}
  • 写回答

1条回答 默认 最新

  • dongzhi7641 2017-04-07 15:06
    关注

    You save the password into your database using AES_ENCRYPT('$Password','897sdn9j98u98jk' (in your query).

    But you try to retrieve the plain-text password from the database using 

    $pass=$_POST['password'];
// code omitted
$que1=mysql_query("select Email,AES_DECRYPT(Password,'897sdn9j98u98jk') from 
users where Email='$user' and Password='$pass'");
//                            ^^^^^^^^^^^^^^^^^

    That is the reason why you can login on accounts that have a plaintext password stored in your database.

    To fix that you have to search for the encrypted password in your WHERE clause:

    (...) WHERE (...) AND Password = AES_DECRYPT($pass, '897sdn9j98u98jk')

    However:

    You also should not use encryption to store your passwords. You should hash the password using password_hash() and verify them using password_verify(). For more information on why you need to hash your password instead of encrypting them read Fundamental difference between Hashing and Encryption algorithms.

    评论

报告相同问题?

悬赏问题

  • ¥15 linux驱动,linux应用,多线程
  • ¥20 我要一个分身加定位两个功能的安卓app
  • ¥15 基于FOC驱动器,如何实现卡丁车下坡无阻力的遛坡的效果
  • ¥15 IAR程序莫名变量多重定义
  • ¥15 (标签-UDP|关键词-client)
  • ¥15 关于库卡officelite无法与虚拟机通讯的问题
  • ¥15 目标检测项目无法读取视频
  • ¥15 GEO datasets中基因芯片数据仅仅提供了normalized signal如何进行差异分析
  • ¥100 求采集电商背景音乐的方法
  • ¥15 数学建模竞赛求指导帮助