PHP MD5密码加密和数据库输入

Question

我已经建立了一个简单的注册表，如下所示，我正在尝试让用户加密他们的密码，然后进入我的数据库。我正在尝试使用md5加密。我还附加了数据库连接脚本。

我的问题是表单不能完全处理。

我知道这可能是一个非常非常简单的修复方法。我只是被困在这一点上。

我真的很感谢你的帮助。

<?php
error_reporting(0);
if($_POST['submit'])
{ //Begining of full IF Statment
$name = $_POST['name'];
$username = $_POST['username'];
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];
// Encrypt Pasword
$enc_password = md5($password);
//$enc_password2 = md5($confirm_password);


// Confirm All feild were filled out when submit button was pressed
if($name && $username && $password && $confirm_password) 
{
// Confirm that the NAME that you used is NOT greater than 30 characters     
     if(strlen($name)>24)
     {
     echo "<h2><center>YOUR NAME IS TOO LONG!!!!</center></h2><br>";
     }
// Confirm that the USERNAME that you used is NOT greater than 10 characters        
    if(strlen($username)>10)
     {
     echo "<h2><center>YOUR USERNAME IS TOO LONG!!!!</center></h2><br>";
     }
     else {

// Confirm that the PASSWORD that you used MATCH & Between 6 and 15 characters   
        if(strlen($password)>10 || strlen($password)<6)
         {
         echo "<h2><center>YOUR PASSWORD MUST BE BETWEEN 6 and 15          CHARACTERS!!!!</center></h2><br>";
         }
        if($password == $confirm_password)
        {
        // Database Connection required
        require "db_conncect.php";
        // We Now connect to the Dabase and insert the Form input details
        //------- ### ENTERING ALL INFORMATION INTO THE DATABASE BELOW ### --------// 


// 1. Create a database connection
$con = mysql_connect("localhost","root",""); // <-- THIS IS WHERE YOU " CAN CHANGE " THE USERNAME IS "root", PASSWORD IS "" ONLY.

if (!$con) {
  die('Database connection failed could not connect: ' . mysql_error());
  }

// 2. Select a database to use
$db_select = mysql_select_db("registernow_2012",$con); // <-- THE "registernow_2012" IS     THE NAME OF THE DATABASE.
if (!$db_select) {
  die('Database selection failed could not connect: ' . mysql_error());
}

mysql_select_db("registernow_2012", $con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE TO BE CONNECTED.

    // <-- THE `registernow_2012` IS THE NAME OF THE DATABASE TO BE CONNECTED....     `visitors` IS THE TABLE WITH ALL THE FIELDS WITHI IN THE DATABASE.


$sql="INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` ,
`$enc_password` , `confirm_password`    )
VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";


if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
}

// 3. Close Connection
mysql_close($con);

header("Location: index.php");  // <-- THIS IS WHERE YOU CAN CHANGE THE "Location: Thank you / Index page" of the THANK YOU PAGE.       

        }
    else 
    {
    echo "<h2><center>PASSWORDS MUST MATCH!!!!!</center></h2><br>";
    }   

     }

    //echo "<h2><center>WORKING!!!!</center></h2>";
}   
else echo "<h2><center>ALL FEILDS MUST BE COMPLETED</center></h2>";

} //Ending of full IF Statment
?>

<!DOCTYPE html>
<html lang='en'>
    <head>
        <title>THE FORM MY WAY NOW</title>
    </head>
<body>
<div id='centerstage'>
    <form name="myform" action="workingitoutproperly.php" method="POST">
      <p>
        <label>Name</label><br>
        <input type='text' name='name' value=''><br>
        <label>UserName</label><br>
        <input type='text' name='username' value=''><br>
        <label>Password</label><br>
        <input type='password' name='password' value=''><br>
        <label>Re-Enter Password</label><br>
        <input type='password' name='confirm_password' value=''><br>
        <br>
        <input type='submit' name='submit' value='REGISTER NOW!!'>
    </p>
</form>
</div>
</body>

​

Answer 1

这一行是你问题的根源。

 $sql="INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `$enc_password` , `confirm_password`    ) VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";

让我们来分析一下：

首先，我们需要从字段名中删除一个杂乱的$：

INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `$enc_password` , `confirm_password`
//                                                                   ^^^ Remove me!

接下来，我们需要转义我们的输入(除非您希望从Bobby Tables访问)：

NULL , '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['username'])."', '$enc_password', '".mysql_real_escape_string($_POST['confirm_password'])."')

因此，最后一行将如下所示：

$sql = "
  INSERT INTO `registernow_2012`.`users`
    (`id` , `name` , `username` , `enc_password` , `confirm_password`)
  VALUES
    (NULL , '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['username'])."', '$enc_password', '".mysql_real_escape_string($_POST['confirm_password'])."')
";

Answer 2

1. You在$enc_password insert 语句的列列表中使用了。它应该是保存加密密码的列的名称。不是encrypted password.If的值，加密密码列的名称是encrypted_password put encrypted_password in column list，而不是$enc_password

插入到registernow\_2012中。users (id，name，username，encrypted\_password，confirm\_password )

• 始终清理用户输入。不要直接在查询中使用它们，这将允许攻击者注入任意SQL。至少对mysql数据库使用mysql_real_escape_string。

$name =mysql_real_escape_string($_POST‘’name‘)；$username =mysql_real_escape_string($_POST’$username‘)；$password = mysql_real_escape_string($_POST'password');

• the加密密码的值不应为[$enc_password]。不要用正方形的胸罩围着它。应该是$enc_password。

username“INSERT INTO username。users (id，name，username，encrypted\_password，confirm\_password) VALUES (NULL，'$name'，'$username'，'$enc_ password '，'$password')";

• Its最好使用种子加密密码并使用其它散列，如sha1

$enc_password = sha1($password."my_secret_seed");

Answer 3

你得到这个错误是因为你有(为了可读性重新格式化代码)：

$sql = "INSERT INTO `registernow_2012`.`users` " .
       "(`id` , `name` , `username` , `$enc_password` , `confirm_password`    ) " .

您正在使用编码口令作为列名

       "VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";

并且将编码后的密码放在变量的方括号中。

但是，这段代码存在大量的安全问题。

MD5不再是安全的和Bobby would have a field day的。

按照the OWASP password storage rules和ese prepared statements and parameterized queries访问数据库。