我发布了我的问题here并且在我编辑这篇文章之前,它被关闭,因为不是一个真正的问题!
我有一个这样的登录表单:
<html>
<head>
<title>Password Checking Script</title>
</head>
<body>
<form action="check_user-pass.php" method="POST">
<h3>Please Login</h3>
User Name: <input type="text" name="user_name"><br>
Password: <input type="password" name="password">
<input type="submit" name="submit" value="Login!">
</form>
</body>
</html>
如您所见,此表单通过
check_user-pass.php对用户进行身份验证。它在我的数据库中查找那些凭证;如果它们存在,则返回
OK,否则返回值NO。所以我的问题是:我到底应该在
check_user-pass.php中包含什么代码?我试图添加更多的代码,但做不好!我现在的代码是:
<?php
ob_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("$db_name") or die(mysql_error());
echo "Connected to Database<br />";
// Check $username and $password
/*
if(empty($_POST['username']))
{
echo "UserName/Password is empty!";
return false;
}
if(empty($_POST['password']))
{
echo "Password is empty!";
return false;
}
*/
// Define $username and $password
$username=$_POST['username'];
$password=md5($_POST['pass']);
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if ($count==1) {
echo "Success! $count";
} else {
echo "Unsuccessful! $count";
}
ob_end_flush();
?>
最佳答案
表单中的名称是user_name,但在脚本中要查找username
$username=$_POST['username'];
应该是
$username=$_POST['user_name'];
编辑:
如果在将密码放入数据库之前使用crypt加密密码,请尝试以下操作
$sql="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
$row = mysql_fetch_assoc($result);
if (crypt($password, $row['password']) == $row['password']){
session_register("username");
session_register("password");
echo "Login Successful";
return true;
}
else {
echo "Wrong Username or Password";
return false;
}
}
else{
echo "Wrong Username or Password";
return false;
}
编辑:
MyBB的密码似乎使用了大量的MD5哈希运算,试试这个
$sql="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
$row = mysql_fetch_assoc($result);
if (md5(md5($row['salt']).md5($password)) == $row['password']){
session_register("username");
session_register("password");
echo "Login Successful";
return true;
}
else {
echo "Wrong Username or Password";
return false;
}
}
else{
echo "Wrong Username or Password";
return false;
}
此外,散列也是一种方法,因此您无法取回数据库中已有的密码,您只需要让用户更改/更新他们的密码。
如果上面的方法有效的话,你就不必关闭加密,一切都会好起来的。
关于php - 检查数据库上的用户名和密码(包括脚本),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10691540/