doutan1905 2016-04-24 07:56
浏览 39
已采纳

安全问题,php / mysql [重复]

This question already has an answer here:

In my CMS i don't have a registration system. Just a login one,meaning that the password is predefined inside the table. Ie I put my username and my set up password and I can successfully login. However that password is visible inside my table. How can I hash it? When I do that using sha1,I can't login. I have to login with the exact password which is stored in the table.

Here is my code. 

<?php
 session_start();
 ?>
 <!DOCTYPE HTML>
 <html>
 <head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   <title>Admin Area</title>
<link rel="stylesheet" href="login-css.css" media="all"/>
</head>

 <body>
 <div class="login">
 <h1>Admin Login</h1>
   <form method="post">
    <input type="text" name="user_name" placeholder="Username"   
    required="required" />
    <input type="password" name="user_pass" placeholder="Password" 
    required="required" />
    <button type="submit" class="btn btn-primary btn-block btn-large" 
     name="login">Admin Login</button>
</form>

</div>

<h2 style="color:#FFF; text-align:center"><?php echo 
@$_GET['not_authorized']; ?></h2>

</body>


</html>

<?php

  include("includes/connect.php");
if(isset($_POST['login'])){
    $user_name = mysqli_real_escape_string($con,$_POST['user_name']);
    $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']);


    $check_user = "select * from user where user_name='$user_name' AND user_password='$user_pass'";

    $run_user = mysqli_query($con,$check_user);



    if(mysqli_num_rows($run_user)>0){

        $_SESSION['user_name'] = $user_name;

        echo "<script>window.open('index.php?logged=You have successfully   
      Logged In','_self')</script>";
    }else{
        echo "<script>alert('Username or password is incorrect')</script>";
    }
  }
 ?>

And my table sql code.

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(100) NOT NULL,
  `user_password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=8 ;

INSERT INTO `user` (`id`, `user_name`, `user_password`) VALUES
(7, 'theo', 'test');

So the password should not be shown as test.

Any ideas,

Thanks.

</div>
  • 写回答

1条回答 默认 最新

  • duanlei1957 2016-04-24 08:03
    关注

    You can convert the password $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']); sha1 and pass it to query.

    But better idea is collect the user information with user name and check the converted password(sha1) string with the password column value you retrieved from the query.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 正弦信号发生器串并联电路电阻无法保持同步怎么办
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据
  • ¥15 个人网站被恶意大量访问,怎么办
  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 Centos / PETGEM
  • ¥15 划分vlan后不通了
  • ¥20 用雷电模拟器安装百达屋apk一直闪退
  • ¥15 算能科技20240506咨询(拒绝大模型回答)