use*_*563 1 php mysql encryption md5 login
下面的代码来自一个用PHP编写的登录脚本.它检查密码的数据库不使用MD5加密密码,但是当登录脚本检查数据库中的密码时,它正在检查原始密码而不加密.我熟悉md5()函数但是如何将其合并到以下内容中:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password) {
$connect = mysql_connect("host", "user", "password") or die("Couldn't connect");
mysql_select_db("dbname") or die("Couldn't find the database");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username == $dbusername && $password == $dbpassword) {
echo "You're in! Click <a href='../member.php'>here</a> to enter the member page.";
$_SESSION['username'] = $username;
}else{
echo "Incorrect password";
}
}else{
die("That username does not exist.");
}
}else{
die("Please enter a valid username and password.");
}
?>
您应该检查并查询数据库以查找匹配项,而不是降低结果并在本地检查它们.照这样说:
$password = md5($_POST['password']);
然后还改变:
SELECT * FROM users WHERE username='$username' AND password='$password'
但我还要看一下使用PDO而不是将值直接放在SQL查询中.至少你应该mysql_real_escape_string用来避免注射攻击.