在我的php登录脚本中,我使用md5()函数从db(数据库)中选择密码,但它不起作用.iT'S SHOW"密码不正确!!!!!!"虽然我将密码插入db WITH md5()函数.我的脚本中有什么问题?它是100%安全的脚本吗?
<?php
include("include/session.php");
include("header.php");
include("db.php");
?><head>
<link href="content/admincss/styleadmin.css" rel="stylesheet" type="text/css" />
</head>
<div id="container">
<br />
<?php
if ($_POST['admin'] = "Submit") {
$uname = mysql_real_escape_string(trim($_POST['uname_ad']));
$pass = md5(mysql_real_escape_string(trim($_POST['pass'])));
$u_ch = mysql_query("SELECT uname_ad FROM admin WHERE uname_ad = '$uname'") or die(mysql_error());
$u_ch_rel = mysql_num_rows($u_ch);
$p_ch = mysql_query("SELECT pass FROM admin WHERE pass = '$pass'") or die(mysql_error());
$p_ch_rel = mysql_num_rows($p_ch);
if (isset($uname, $pass)) {
$err = array();
if (empty($uname) && empty($pass))
$err[] = 'All field required.';
else {
if (empty($uname))
$err[] = 'Please write your username';
else {
if ($u_ch_rel !== 1)
$err[] = 'Username is not correct';
}
if (empty($pass))
$err[] = 'Please write your password';
else {
if ($p_ch_rel !== 1)
$err[] = 'Password is not correct';
}
}
if (!empty($err)) {
foreach ($err as $er) {
echo "<font color=red>$er</font><br>";
}
}
else {
if ($u_ch_rel = 1 && $p_ch_rel = 1) {
include "include/newsession.php"; //user session
$tm = date("Y-m-d H:i:s");
$ip = $_SERVER['REMOTE_ADDR'];
echo $ip;
$rt = mysql_query("insert into plus_login(id,uname,ip,tm)
values('$_SESSION[id]','$_SESSION[uname_ad]','$ip','$tm')");
echo mysql_error();
print "<script>";
print " self.location='content/index.php';";
print "</script>";
}
}
}
}
?>
</div>
下面的行总是会评估为TRUE,因为=它是赋值运算符docs,而不是比较运算符docs:
if($_POST['admin'] = "Submit")
它应该是:
if($_POST['admin'] == "Submit") 要么 if($_POST['admin'] === "Submit")
此外,可能没有"100%安全"这样的东西......对恶意人员来说只是有不同程度的困难.您可以通过在MD5调用中添加"salt"来提高安全性,如下所示:
$pass = md5('secret_sauce' . mysql_real_escape_string(trim($_POST['pass'])));
虽然sha1()docs正在成为存储密码的更好方法.
| 归档时间: |
|
| 查看次数: |
286 次 |
| 最近记录: |