PHP x==x 但是如果语句说 x!=x
PHP x==x but if statement says x!=x
我有一个 checklogin.php:
<?php
$host="localhost"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="database1"; // Database name
$tbl_name="users"; // Table name
$lastLogDate=date("l, m/d/y, h:i:sa");
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT password FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$realpassword=mysql_result($result, 0);
define("ENCRYPTION_KEY", "!@#$%^&*");
function decrypt($encrypted_string, $encryption_key) {
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
return $decrypted_string;
}
$realpassword=decrypt($realpassword, ENCRYPTION_KEY);
if ($mypassword == $realpassword) {
session_register("myusername");
session_register("mypassword");
session_register("userid");
session_register("finalemail");
$sqldate="UPDATE userdata SET lastLog = '$lastLogDate' WHERE username = '$myusername'";
$resultdate=mysql_query($sqldate);
header("location:/home");
}
else {
echo "Wrong Username or Password<br>";
}
?>
有人用login.php登录时,输入的密码与解密后数据库中的密码相同,还是"wrong username or password"。我添加了一个回声来查看解密是否有效,但它正确返回。我创建了一个新帐户并尝试使用该帐户登录,并且成功了。这仅在我添加加密之前不适用于帐户,我只是自己加密了密码。也许这就是问题所在?
你的问题有两个方面。
首先,mcrypt 在编码之前用尾随的空字节填充您的数据(如果您不自己应用填充,例如 PKCS7);解码后你需要去除那些空字节:
$realpassword = rtrim($realpassword, "[=10=]");
其次,您不应该对密码使用加密;相反,使用 password hashing API; see this answer 作为示例。
可能旧密码受这些转换影响:
$mypassword = stripslashes($mypassword);
$mypassword = mysql_real_escape_string($mypassword);
我有一个 checklogin.php:
<?php
$host="localhost"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="database1"; // Database name
$tbl_name="users"; // Table name
$lastLogDate=date("l, m/d/y, h:i:sa");
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT password FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
$realpassword=mysql_result($result, 0);
define("ENCRYPTION_KEY", "!@#$%^&*");
function decrypt($encrypted_string, $encryption_key) {
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $encryption_key, $encrypted_string, MCRYPT_MODE_ECB, $iv);
return $decrypted_string;
}
$realpassword=decrypt($realpassword, ENCRYPTION_KEY);
if ($mypassword == $realpassword) {
session_register("myusername");
session_register("mypassword");
session_register("userid");
session_register("finalemail");
$sqldate="UPDATE userdata SET lastLog = '$lastLogDate' WHERE username = '$myusername'";
$resultdate=mysql_query($sqldate);
header("location:/home");
}
else {
echo "Wrong Username or Password<br>";
}
?>
有人用login.php登录时,输入的密码与解密后数据库中的密码相同,还是"wrong username or password"。我添加了一个回声来查看解密是否有效,但它正确返回。我创建了一个新帐户并尝试使用该帐户登录,并且成功了。这仅在我添加加密之前不适用于帐户,我只是自己加密了密码。也许这就是问题所在?
你的问题有两个方面。
首先,mcrypt 在编码之前用尾随的空字节填充您的数据(如果您不自己应用填充,例如 PKCS7);解码后你需要去除那些空字节:
$realpassword = rtrim($realpassword, "[=10=]");
其次,您不应该对密码使用加密;相反,使用 password hashing API; see this answer 作为示例。
可能旧密码受这些转换影响:
$mypassword = stripslashes($mypassword);
$mypassword = mysql_real_escape_string($mypassword);