Admin login to user accounts

I have a very simple login script that does what you would expect: it checks the database for a match between an email address and password combination. I was wondering whether there is a way to edit this script so that an admin can use a user's email like this:

user@hotmail.com

together with a master password or something like:

master123

to access any account on the system? Here is my current script:

<?php
session_start();
require_once("system/db.php");   // provides $conn (mysqli)

if (isset($_POST['submit'])) {

    $email_address  = $conn->real_escape_string($_POST['email_address'] ?? '');
    // Unsalted md5 is not a password hash; it is kept here only because the
    // ap_users.password column (and the answers below) assume it.
    $password       = md5($_POST['password'] ?? '');
    $stay_logged_in = (int)($_POST['stay_logged_in'] ?? 0);

    // Check the raw input: md5('') is a non-empty string, so testing $password
    // would never catch a blank password.
    if ($email_address === '' || ($_POST['password'] ?? '') === '') {
        header('Location: login.php?loginerror=3');
        exit;
    }

    $sql1 = "SELECT * from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
    $result1 = $conn->query($sql1);
    // `!$x == 1` is parsed as `(!$x) == 1`; `!= 1` is what was meant.
    if ($result1->num_rows != 1) {
        header('Location: login.php?loginerror=4');   // unknown email
        exit;
    }

    $sql2 = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND blocked='0' LIMIT 1";
    $result2 = $conn->query($sql2);
    if ($result2->num_rows != 1) {
        header('Location: login.php?loginerror=6');   // account blocked
        exit;
    }

    $sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
    $result = $conn->query($sql);
    if ($result->num_rows != 1) {
        header('Location: login.php?loginerror=2');   // wrong password
        exit;
    }

    mysqli_query($conn, "UPDATE ap_users SET last_login = NOW() WHERE email_address = '{$email_address}'");

    // "Stay logged in" cookies last one year; otherwise they expire with the browser session.
    $expires = ($stay_logged_in == 1) ? time() + 31556926 : 0;
    setcookie("email_address", $email_address, $expires, '/');

    // Random login token: the browser gets the raw value, the database only its md5.
    // str_shuffle() is not a CSPRNG, and shuffling the 62-character alphabet can
    // never yield 76 characters, so the token is drawn from random_bytes() instead.
    $length = 76;
    $randomString = bin2hex(random_bytes($length / 2));
    $hash = md5($randomString);
    mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
    setcookie("hash", $randomString, $expires, '/');

    $value = 'yes';
    setcookie("login", $value, $expires, '/');

    header('Location: check_gateway.php');
    exit;
}
?>

I have tried adding:

if ($_POST['password'] != 'master123') {

    $sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
    $result = $conn->query($sql);
    if ($result->num_rows != 1) {
        header('Location: login.php?loginerror=2');
    } else {
        // ... set the cookies and redirect as in the script above
    }

} else if ($_POST['password'] == 'master123') {
    // ... (fragment ends here)

which doesn't work very well. Any ideas?

Create a master_password column in the user table and query like this instead:

select * from user where `email` = '$email' AND (`password` = '$password' or `master_password` = '$password')

My approach is simple and doesn't need a master password.

Admin users run off a different set of cookies and sessions. This lets me log in as an admin, and from the admin side I can select which user I want to log in as and create their cookies and session on the fly. This is beneficial because:

  1. You always know whether it was a real admin user who logged in and/or made the changes, because you will have 2 sets of cookies etc.

  2. I can easily check multiple users without logging out as admin; when I want to change user, I just replace the user-side cookie/session information.

  3. It also adds an extra layer of security, since users won't know the name of the admin cookie (hopefully).

If you don't want to do that, just create the user session by querying the database, fetching the email and creating the session from it; no master password needed.

I usually double-hash passwords:

sha1(md5($password)) or

md5(sha1($password)) or

md5(md5($password))

Not sure if this helps you.

Edit: if you want to log in using their username, create a form on your admin side, for example:

<form action="login.php" method="post" id="user_login_admin">
 <input type="text" name="user_email" id="user_email" placeholder="Enter User Email">
<input type="submit" name="user_temp_login" id="user_temp_login" value="Admin User Login">
</form>

Then your new login script would be:

<?php
session_start();
require_once("system/db.php");   // provides $conn (mysqli)

if (isset($_POST['submit'])) {

    $email_address  = $conn->real_escape_string($_POST['email_address'] ?? '');
    // Unsalted md5 is not a password hash; kept only because ap_users.password assumes it.
    $password       = md5($_POST['password'] ?? '');
    $stay_logged_in = (int)($_POST['stay_logged_in'] ?? 0);

    // Check the raw input: md5('') is a non-empty string.
    if ($email_address === '' || ($_POST['password'] ?? '') === '') {
        header('Location: login.php?loginerror=3');
        exit;
    }

    $sql1 = "SELECT * from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
    $result1 = $conn->query($sql1);
    // `!$x == 1` is parsed as `(!$x) == 1`; `!= 1` is what was meant.
    if ($result1->num_rows != 1) {
        header('Location: login.php?loginerror=4');   // unknown email
        exit;
    }

    $sql2 = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND blocked='0' LIMIT 1";
    $result2 = $conn->query($sql2);
    if ($result2->num_rows != 1) {
        header('Location: login.php?loginerror=6');   // account blocked
        exit;
    }

    $sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
    $result = $conn->query($sql);
    if ($result->num_rows != 1) {
        header('Location: login.php?loginerror=2');   // wrong password
        exit;
    }

    mysqli_query($conn, "UPDATE ap_users SET last_login = NOW() WHERE email_address = '{$email_address}'");

    $expires = ($stay_logged_in == 1) ? time() + 31556926 : 0;
    setcookie("email_address", $email_address, $expires, '/');

    // Random login token: browser gets the raw value, database only its md5.
    // str_shuffle() is not a CSPRNG and cannot produce 76 characters from a
    // 62-character alphabet, so random_bytes() is used instead.
    $length = 76;
    $randomString = bin2hex(random_bytes($length / 2));
    $hash = md5($randomString);
    mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
    setcookie("hash", $randomString, $expires, '/');

    $value = 'yes';
    setcookie("login", $value, $expires, '/');

    header('Location: check_gateway.php');
    exit;

} elseif (isset($_POST['user_temp_login'])) {

    // Admin "log in as user". As posted this branch had no authorisation check, so
    // anyone who POSTed user_temp_login with an email would have been logged in as
    // that user. The session key below is an assumption: the answer only says that
    // admins use a separate set of cookies/sessions, it does not name them.
    if (empty($_SESSION['admin_logged_in'])) {
        header('Location: login.php');
        exit;
    }

    $email_address = $conn->real_escape_string($_POST['user_email'] ?? '');
    $sql = "SELECT password from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
    $result = $conn->query($sql);
    if ($result->num_rows != 1) {
        // no email address
        header('Location: login.php?loginerror=4');
        exit;
    }

    // $stay_logged_in was undefined in this branch as posted; a temporary admin
    // login only ever gets browser-session cookies.
    $expires = 0;
    // Set the same cookies a normal login sets so check_gateway.php sees a complete login.
    setcookie("email_address", $email_address, $expires, '/');

    $length = 76;
    $randomString = bin2hex(random_bytes($length / 2));
    $hash = md5($randomString);
    mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
    setcookie("hash", $randomString, $expires, '/');

    $value = 'yes';
    setcookie("login", $value, $expires, '/');

    header('Location: check_gateway.php');
    exit;
}
?>

Actually you don't even need to select the password, since the hash doesn't contain the password. But if someone logs into their own account while you are logged in as them, you may get thrown out of the session, because the hash value will change.

The script can still be optimised (and it's not a 100% secure way either); you really should use PDO or MySQLi. That will stop SQL injection, which is still possible even when you already use real_escape_string.
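As an added example (not code from the question or either answer), here is the second answer's idea, an admin who keeps their own session and picks a user to log in as, without a master password, combined with the prepared statements the last paragraph recommends. It also shows a CSPRNG login token and an audit row for every impersonation. Everything the page does not state is an assumption: PHP >= 7.3 with mysqlnd; system/db.php provides $conn (mysqli); ap_users has columns id, email_address, password (stored with password_hash(), not md5), blocked, is_admin, login_hash and last_login; a table ap_admin_audit(admin_id, user_id, ip, created_at) exists; admin.php is the admin page.

```php
<?php
// Added example, not the question's or answers' code. Assumed schema (not on the
// page): ap_users(id, email_address, password = password_hash() output, blocked,
// is_admin, login_hash, last_login) and ap_admin_audit(admin_id, user_id, ip, created_at).
declare(strict_types=1);
session_start();
require_once "system/db.php";   // assumed to provide $conn (mysqli)

// Issue a login token: the browser receives the random value, the database stores
// only its SHA-256, so reading the table does not yield a usable cookie.
function issue_login_token(mysqli $conn, int $user_id, bool $persistent): string
{
    $token  = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $stored = hash('sha256', $token);
    $stmt = $conn->prepare('UPDATE ap_users SET login_hash = ?, last_login = NOW() WHERE id = ?');
    $stmt->bind_param('si', $stored, $user_id);
    $stmt->execute();
    $stmt->close();
    $opts = [
        'expires'  => $persistent ? time() + 31556926 : 0,   // one year or browser session
        'path'     => '/',
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ];
    setcookie('hash', $token, $opts);
    setcookie('login', 'yes', $opts);
    return $token;
}

// Password login for everyone, admins included: one bound-parameter query and
// password_verify() instead of comparing md5 digests inside the SQL string.
function login_with_password(mysqli $conn, string $email, string $password): ?array
{
    $stmt = $conn->prepare('SELECT id, password, blocked, is_admin FROM ap_users WHERE email_address = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // One generic failure for unknown email, blocked account and wrong password; the
    // original's distinct loginerror codes tell an attacker which emails exist.
    if (!$row || (int)$row['blocked'] !== 0 || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Admin impersonation: needs an existing admin session, looks the target up with a
// bound parameter, writes an audit row, and keeps the admin id in the session so
// later actions can still be attributed to the real admin.
function impersonate_user(mysqli $conn, string $target_email): bool
{
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return false;
    }
    $admin_id = (int)$_SESSION['admin_id'];
    $stmt = $conn->prepare('SELECT id FROM ap_users WHERE email_address = ? AND blocked = 0 LIMIT 1');
    $stmt->bind_param('s', $target_email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row) {
        return false;
    }
    $user_id = (int)$row['id'];
    $ip      = $_SERVER['REMOTE_ADDR'] ?? '';
    $audit = $conn->prepare('INSERT INTO ap_admin_audit (admin_id, user_id, ip, created_at) VALUES (?, ?, ?, NOW())');
    $audit->bind_param('iis', $admin_id, $user_id, $ip);
    $audit->execute();
    $audit->close();
    session_regenerate_id(true);                  // new session id on privilege change
    $_SESSION['user_id']         = $user_id;
    $_SESSION['impersonated_by'] = $admin_id;     // admin context survives the switch
    issue_login_token($conn, $user_id, false);    // impersonation is never "stay logged in"
    return true;
}

if (isset($_POST['submit'])) {
    $user = login_with_password($conn, $_POST['email_address'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        header('Location: login.php?loginerror=2');
        exit;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int)$user['id'];
    if ((int)$user['is_admin'] === 1) {
        $_SESSION['admin_id'] = (int)$user['id'];
    }
    issue_login_token($conn, (int)$user['id'], ($_POST['stay_logged_in'] ?? '') === '1');
    header('Location: check_gateway.php');
    exit;
}
if (isset($_POST['user_temp_login'])) {
    if (!impersonate_user($conn, $_POST['user_email'] ?? '')) {
        header('Location: admin.php?error=1');    // admin.php is assumed
        exit;
    }
    header('Location: check_gateway.php');
    exit;
}
```

On the other side, check_gateway.php (not shown on the page) would compute hash('sha256', $_COOKIE['hash']) and compare it to login_hash with hash_equals(); because only the digest is stored, a SQL injection or database dump elsewhere in the site does not hand out working session cookies, which is the same property the original script was reaching for with md5($randomString).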