php 检查数据库上的用户名和密码(包括脚本)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10691540/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
check user name and password on database (script included)
提问by Pds Ir
I posted my question hereand before I edited the post it was closed as not a real question!
我在这里发布了我的问题,在我编辑帖子之前,它被关闭了,因为它不是一个真正的问题!
I have a login form like this:
我有一个这样的登录表单:
<html>
<head>
<title>Password Checking Script</title>
</head>
<body>
<form action="check_user-pass.php" method="POST">
<h3>Please Login</h3>
User Name: <input type="text" name="user_name"><br>
Password: <input type="password" name="password">
<input type="submit" name="submit" value="Login!">
</form>
</body>
</html>
As you see, this form authenticates the user through check_user-pass.php.
It looks for those credentials on my database; if they exist, returns OK, else returns value NO.
如您所见,此表单通过 对用户进行身份验证check_user-pass.php。
它在我的数据库中查找这些凭据;如果存在,则返回OK,否则返回值NO。
So my question is: exactly what code should I include in check_user-pass.php?
I tried to add more code but couldn't do that as well! My current code is:
所以我的问题是:我到底应该包含哪些代码check_user-pass.php?
我试图添加更多代码,但也做不到!我目前的代码是:
<?php
ob_start();
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("$db_name") or die(mysql_error());
echo "Connected to Database<br />";
// Check $username and $password
/*
if(empty($_POST['username']))
{
echo "UserName/Password is empty!";
return false;
}
if(empty($_POST['password']))
{
echo "Password is empty!";
return false;
}
*/
// Define $username and $password
$username=$_POST['username'];
$password=md5($_POST['pass']);
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if ($count==1) {
echo "Success! $count";
} else {
echo "Unsuccessful! $count";
}
ob_end_flush();
?>
采纳答案by Musa
The name in you form is user_namebut in your script you look for username
您表单中的名称是您user_name在脚本中查找的名称username
$username=$_POST['username'];
should be
应该
$username=$_POST['user_name'];
EDIT:
If you use cryptto encrypt your password before you put them in the database, try this
编辑:
如果您在将密码放入数据库之前使用crypt对其进行加密,请尝试此操作
$sql="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
$row = mysql_fetch_assoc($result);
if (crypt($password, $row['password']) == $row['password']){
session_register("username");
session_register("password");
echo "Login Successful";
return true;
}
else {
echo "Wrong Username or Password";
return false;
}
}
else{
echo "Wrong Username or Password";
return false;
}
EDIT: myBB seems to use a crapload of md5 hashing for their passwords, try this
编辑:myBB 似乎对他们的密码使用了大量的 md5 散列,试试这个
$sql="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
$row = mysql_fetch_assoc($result);
if (md5(md5($row['salt']).md5($password)) == $row['password']){
session_register("username");
session_register("password");
echo "Login Successful";
return true;
}
else {
echo "Wrong Username or Password";
return false;
}
}
else{
echo "Wrong Username or Password";
return false;
}
Also hashing is one way so you can't get back the passwords already in the db, you'll just have to get the users to change/update their passwords.
If the above works then you wouldn't have to turn off encryption, and everything should be fine.
散列也是一种方法,因此您无法取回数据库中已有的密码,您只需要让用户更改/更新他们的密码。
如果上述方法有效,那么您就不必关闭加密,一切都应该没问题。
回答by aynber
Most times passwords in mysql databases are encrypted. If you entered them directly into the database, they may not have a salt. Try encrypting the password before you pass it into the query:
大多数情况下,mysql 数据库中的密码是加密的。如果您将它们直接输入到数据库中,则它们可能没有盐。在将密码传递给查询之前尝试加密密码:
$crypted_pass = crypt($password);
If there's a salt (often the first two letters of the username), pass that in with the crypt function:
如果有盐(通常是用户名的前两个字母),请使用 crypt 函数传递它:
$salt = substr($username, 0, 2);
$crypted_pass = crypt($password, $salt);
回答by n_starnes
Try something simple:
尝试一些简单的事情:
if ($count==1) {
echo "Success! $count";
} else {
echo "Unsuccessful! $count";
}
This will see if you are returning anything greater than 1 or more values.
这将查看您是否返回大于 1 或更多值的任何值。
