尝试从数据库检索密码 [英] Trying to retrieve password from database
问题描述
我在登录脚本上遇到了问题,即它无法从我提供的sql语句中成功提取密码数据.
I'm stuck on a problem with my login script that it will not successfully pull the password data from the sql statement I give it.
要求用户输入他们的电子邮件&密码,
The user is asked to enter their email & password,
<p><strong>Email: </strong><input type= "text" name= "email"></p>
<p><strong>Password: </strong><input type= "password" name= "password"></p>
通过POST,我从表单中获取他们键入的内容并将其放入sql语句中.
Through POST, I take what they typed from the form and put it into a sql statement.
$taremail = filter_input(INPUT_POST, 'email');
$tarpasswd = filter_input(INPUT_POST, 'password');
$sql = "SELECT email, password FROM members WHERE email = '".$taremail."'
AND password = PASSWORD('".$tarpasswd."')";
最后,我检查数据库,看看他们输入的电子邮件和密码是否确实在数据库中.
Finally, I check against the database to see if that email and password they typed in is actually in the database.
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
if(mysqli_num_rows($result) == 1){
setcookie("auth", "1", time()+60*30, "/", "", 0); //create cookie for the logged in user
$display = "<h2>You have successfully logged in!</h2>
<p>Click the link below to go to our main page</p>
<a href=\"main.php\">Main Page</a></br>
<a href=\"../login.html\">Log out</a>";
} else {
$display = "<h2>This account is not registered!</br>
Please make sure to register before trying to log in.</h2>
<a href=\"../register.html\">Register here!</a>
<a href=\"../login.html\">Login page</a>";
}
这要么返回给出的电子邮件和密码确实在数据库中,要么不在数据库中.很简单吧?
This either returns that the email and password given is indeed in the database or it's not. Simple enough right?
我的问题是它总是执行我的else{}语句,说我还没有注册.
My problem is that it always executes my else{} statement, saying that I have not registered.
我应该注意,在我的注册页面中,他们提供的密码是通过PASSWORD()方法输入的,因此它成为数据库中的哈希varchar. letmein = * D37C49F9CBEFBF8B6F4
I should note that in my registration page, the password they give is put through the PASSWORD() method, so it becomes a hashed varchar on the database... Ex. letmein = *D37C49F9CBEFBF8B6F4
推荐答案
所以我在为此设置的东西上运行测试,我想我发现了问题.真令人沮丧.
So I was running tests on something I set up for this, and I think I found the problem. This was frustrating.
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html
从PASSWORD()函数的文档中:
From the docs on the PASSWORD() function:
为了容纳更长的密码散列,此时用户表中的密码"列已更改为41字节,即其当前长度."
"To accommodate longer password hashes, the Password column in the user table was changed at this point to be 41 bytes, its current length."
我的用户列中的密码字段仅存储25个字节,因此我的假密码'asdfasdf'的PASSWORD()产生了"* 1B1A59A0792309FDE6F1A8681D2B58C4F2639156",但是由于该原因,我的表仅存储了"* 1B1A59A0792309FDE6F1A868"存储空间.
My password field in my user column was only storing 25 bytes, so a PASSWORD() of my fake password 'asdfasdf' was yielding "*1B1A59A0792309FDE6F1A8681D2B58C4F2639156", but my table was only storing "*1B1A59A0792309FDE6F1A868" due to the lack of storage space.
我确定您可以猜测将两者进行比较的结果.
I'm sure you can guess the result of comparing those two.
这可能不是您的问题,但将来可能会帮助其他一些可怜的,破碎的人.
This may not be your problem but it could help some other poor, broken individual in the future.
这篇关于尝试从数据库检索密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
