douqiao8032
douqiao8032
2011-08-05 00:56
浏览 27
已采纳

md5和哈希的问题

<form action="inc/login/login.php" method="post" id="userLogon">
    <div class="field required">
        Username: <input type="text" name="regduser" tabindex="1" /><br />
        </div>
        <div class="field required">
        Password: <input type="password" name="regdpass" tabindex="2" /><br />
        </div>
        <input type="submit" name="submitUser" />
</form>

PHP

<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="ureviewdu"; // Database name 
$tbl_name="Student"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['regduser']; 
$mypassword=$_POST['regdpass'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("regduser");
session_register("regdpass"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

DB Submission img1

When I click submit for entering joe joe for user and pass. How do I get php to recognize joe for pass is actually '55abd89cb7ab6742370f0ad912fef335' ? How do i get php to be able to decipher this?

Anyone?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

3条回答 默认 最新

  • dsafew1231
    dsafew1231 2011-08-05 01:01
    已采纳
    SELECT * FROM $tbl_name WHERE uname='$myusername' and upass=MD5('$mypassword')
    

    However, I need to advise you to read the blog by fearless leader about using salted passwords and stronger hashing functions. Don't implement weak security.


    If the password in the database is already salted, you need to combine the plaintext password with the same salt before hashing. Ideally, each user has its own unique random salt, stored in the same row with the uname and upass. Then you can do this:

    SELECT * FROM $tbl_name WHERE uname='$myusername' 
      AND upass=MD5(CONCAT(usalt, '$mypassword'))
    
    点赞 评论
  • dsxi70423
    dsxi70423 2011-08-05 00:59

    Hash the password on the way in as well:

    $sql = "SELECT * FROM $tbl_name
        WHERE uname = '$myusername' and upass = MD5('$mypassword')";
    

    By the way, if your system isn't in production yet, I strongly advise you look for a more secure hashing algorithm such as SHA256. Not much of a change is required, as long as you have the ability to flush your current password records:

    $sql = "SELECT * FROM $tbl_name
        WHERE uname = '$myusername' and upass = SHA2('$mypassword', 256)";
    
    点赞 评论
  • douye2111
    douye2111 2011-08-05 01:27

    To answer your question directly, without giving an opinion on what is more secure:

    When I click submit for entering joe joe for user and pass. How do I get php to recognize joe for pass is actually '55abd89cb7ab6742370f0ad912fef335' ? How do i get php to be able to decipher this?

    $mypassword = md5(stripslashes($mypassword));
    
    $sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
    $result=mysql_query($sql);
    
    点赞 评论

相关推荐