以下代码来自使用PHP编写的登录脚本。检查密码的数据库使用MD5对密码进行加密,但是当登录脚本检查数据库的密码时,它将检查原始密码,而不加密。我熟悉md5()函数,但是我将如何将其纳入到以下内容中:
The code below is from a login script, written in PHP. The database that it checks passwords against encrypts the passwords using MD5 however when the login script checks against the database for a password, it is checking the raw password without encryption. I am familiar with the md5() function but how would I incorporate that into the following:
<?php session_start(); $username = $_POST['username']; $password = $_POST['password']; if ($username && $password) { $connect = mysql_connect("host", "user", "password") or die("Couldn't connect"); mysql_select_db("dbname") or die("Couldn't find the database"); $query = mysql_query("SELECT * FROM users WHERE username='$username'"); $numrows = mysql_num_rows($query); if ($numrows != 0) { while ($row = mysql_fetch_assoc($query)) { $dbusername = $row['username']; $dbpassword = $row['password']; } if ($username == $dbusername && $password == $dbpassword) { echo "You're in! Click <a href='../member.php'>here</a> to enter the member page."; $_SESSION['username'] = $username; }else{ echo "Incorrect password"; } }else{ die("That username does not exist."); } }else{ die("Please enter a valid username and password."); } ?>推荐答案
您应该检查并查询数据库以进行匹配而不是将结果带回来,并在本地进行检查。这样说:
You should be checking and querying the database for a match, not bringing the results down and checking them locally. With that said:
$password = md5($_POST['password']);然后也更改:
SELECT * FROM users WHERE username='$username' AND password='$password'但我也可以看看使用 PDO ,而不是直接将值一个SQL查询。至少应该使用 mysql_real_escape_string 以避免注入攻击。
But I'd also have a look at using PDO instead of placing the values directly in a SQL query. At the very least you should be using mysql_real_escape_string to avoid injection attacks.
更多推荐
如何使用PHP加密MD5密码?
发布评论