Test code:
<?php
// Both parameters must be present for the check to run at all.
if (isset($_GET['Username']) && isset($_GET['password'])) {
    $logined  = true;
    $Username = $_GET['Username'];
    $password = $_GET['password'];
    // Username must consist of letters only, password of digits only,
    // so the two values can never be literally identical.
    if (!ctype_alpha($Username)) { $logined = false; }
    if (!is_numeric($password))  { $logined = false; }
    // Loose comparison (!=): two md5 hex strings that both look like
    // numbers (e.g. "0e" followed by digits) are compared as numbers.
    if (md5($Username) != md5($password)) { $logined = false; }
    if ($logined) {
        echo "successful";
    } else {
        echo "login failed!";
    }
}
User login code often compares md5 hashes of the password: if the md5 values are equal, the next statement runs and the login succeeds. This is not safe, because when PHP compares two strings that both look numeric, a string beginning with 0e followed only by digits is read as scientific notation, so whatever follows the 0e, the value is 0 times a power of 10, which is still 0. Any two such hashes therefore compare as equal under == or !=.
Strings whose md5 begins with 0e:
QNKCDZO: 0e830400451993494058024219903391
s878926199a: 0e545993274517709034328855841020
s155964671a: 0e342768416822451524974117254469
s214587387a: 0e848240448830537924465865611904
s1091221200a: 0e940624217856561557816327384675
Fix:
Use strict comparison === (or hash_equals), which never converts the operands to numbers.
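The loose check beside its strict replacement, as an added example that is not part of the original page; it reuses two of the 0e strings listed above, and the function names are my own:

```php
<?php
declare(strict_types=1);

// Vulnerable form: == on two md5 hex strings. When both begin with "0e"
// followed by digits, PHP treats them as numeric strings and compares
// them as floats (0 * 10^n == 0 * 10^m), so they match. This holds in
// PHP 8 as well, because numeric-string vs numeric-string comparison is
// still numeric there.
function looseHashMatch(string $a, string $b): bool
{
    return md5($a) == md5($b);
}

// Hardened form: hash_equals compares the two hex strings byte for byte
// (and in constant time); === would also refuse to convert types.
function strictHashMatch(string $a, string $b): bool
{
    return hash_equals(md5($a), md5($b));
}

// Two different strings from the list above whose md5 starts with 0e.
$u = 'QNKCDZO';
$p = 's878926199a';

printf("md5(%s) = %s\n", $u, md5($u));
printf("md5(%s) = %s\n", $p, md5($p));
printf("loose match:  %s\n", looseHashMatch($u, $p) ? 'true' : 'false');
printf("strict match: %s\n", strictHashMatch($u, $p) ? 'true' : 'false');
printf("strict, same input: %s\n", strictHashMatch($u, $u) ? 'true' : 'false');
```

The loose check reports a match for two different inputs while the strict one does not; only identical input passes the strict check.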