防止用户使用相同的用户名 [英] Prevent users from having the same username
问题描述
在进行一些测试时,我刚刚在代码中发现了一个相当大的漏洞,
I have just found a pretty major vulnerability in my code while doing some testing,
基本上,如果我的用户名是"admin",密码是"12345" ...并且用户加入并选择了名称"Admin"和相同的密码"12345"当他(她)登录时,它们将出现在我网站上的帐户中.正如您可以想象的那样,我创建了一个漏洞,因为这会影响网站上的每个潜在用户.
Basically if my username was "admin" and password was say "12345"... and a user joined with and chose the name "Admin" and the same password "12345" when he/she goes to login they will be in my account on the website, As you can imagine I have created quite a flaw, as this would affect every potential user on the site.
所以,我的问题是我可以在此语句中进行哪些更改以使其检查是否完全匹配.
So, my question is what can I change in this statement to make it check for an EXACT match.
WHERE login_name ='$user' AND user_password ='$pass' LIMIT 1";
在这里login_process.php文件
Heres the login_process.php file
<?php
require_once("includes/session.php");
$connection = mysql_connect("localhost", "user", "password");
if(!$connection)
{
die("Database connection failed: " . mysql_error());
}
$db_select = mysql_select_db("game", $connection);
if(!$db_select)
{
die("Database selection failed: " . mysql_error());
}
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$pass = sha1($pass);
// Need to make a change to the below query, as it doesn't match for case sensitivity.
$query = "SELECT user_id, user_name, user_level FROM users WHERE login_name ='$user' AND user_password ='$pass' LIMIT 1";
$result=mysql_query($query);
if(mysql_num_rows($result) == 1)
{
$found_user = mysql_fetch_array($result);
$_SESSION['user_id'] = $found_user['user_id'];
$_SESSION['user_name'] = $found_user['user_name'];
$_SESSION['user_level'] = $found_user['user_level'];
header("Location: index.php");
}
else
{
echo "The username or password you entered was incorrect. <br/> Please click <a href='login.php'>Here</a> to try again.";
}
?>
推荐答案
数据库的默认排序规则不区分大小写.因此用户admin和Admin或adMin是相同的.创建用户时,请检查数据库是否已经存在相同的用户名.
the default collation of database is case insensitive . so the user admin and Admin or adMin are the same. While creating user check the database whether same username already exist or not.
似乎您正在使用区分大小写的排序规则.您可以对该用户表使用不区分大小写的排序规则,以便您的查询正常运行.
it seems that you are using case sensitive collation.. you can use case insensitive collation for that user table so that your query will work fine.
或
在创建用户并检查数据库中是否存在重复条目时,请使用 LCASE
函数,如下所示
while creating user and checking the database for duplicate entry use LCASE
function as follows
SELECT * FROM USERS WHERE LCASE(username) = 'admin'
这篇关于防止用户使用相同的用户名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!