What is a reliable way to change a password in PHP?


My script should work like this:

  • enter the old password and the password
  • then the new password

The old password is working and gets checked, but when I enter the new password the code does nothing... no errors, nothing.

Here is the code I have so far:

$user_p = $_SESSION['user']['username'];

if(empty($_SESSION['user'])) 
{ 
    header("Location: live.php");      
    die("Redirecting to live.php"); 
} 

if(!empty($_POST)) 
{ 
    $currentPassword = preg_replace('/\s+/', '', $_POST['currentPassword']);
    $newPassword = preg_replace('/\s+/', '', $_POST['newPassword']); 
    $oldpass = IrBuscarPassword($_SESSION['user']['username']);
    $saltcode = IrBuscarSalt($_SESSION['user']['username']);

    $formEncriptedPass = hash('sha256', $currentPassword . $saltcode); 
        for($round = 0; $round < 65536; $round++) 
        { 
            $formEncriptedPass = hash('sha256', $formEncriptedPass . $saltcode); 
        } 

    $changepass = False;

    if($oldpass != $formEncriptedPass)
    {   
        echo "Password NO-OK.";
        //die();
    }
    else
    {

        if($newPassword == '')
        {
            $_SESSION['error'] = " The field E-mail is empty.</span></div>";
        }
        else
        {
            if($newPassword == '' || !isset($newPassword))
            {
                $changepass = False;

            } 
            else
            {

                $changepass = True;
                atualizarMail($newPassword, $_SESSION['user']['username']);
            }
        }

    }


    if(!isset($currentPassword) || ($currentPassword == ''))
    {
        $_SESSION['error'] = " The Password field is empty.</span></div>";
    }

    $password = hash('sha256', $_POST['currentPassword'] . $saltcode); 


    if($changepass == False)
    {
        $_SESSION['error'] = "<br/>New Password.</span></div>";
    }


    if($_POST['newPassword'] != $_SESSION['user']['username']) 
    { 


        $query = " 
            SELECT 
                1 
            FROM users 
            WHERE 
                password = :newPassword 
        "; 


        $query_params = array( 
            ':newPassword' => $_POST['newPassword'] 
        ); 

        try 
        { 

            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex) 
        { 

            die("Failed to run query: " . $ex->getMessage()); 
        } 

        $row = $stmt->fetch();

    }

    if(!empty($_POST['newPassword'])) 
    { 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
        $password = hash('sha256', $_POST['newPassword'] . $salt); 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 
    } 
    else 
    { 
        $password = null; 
        $salt = null; 
    } 
    if(isset($_SESSION['error']))
    {
        echo $_SESSION['error']; 

        $_SESSION['error'] = null;
    }
    else
    {
        $_SESSION['user']['password'] = $_POST['newPassword']; 
        $_SESSION['success'] = " The password has been successfully changed..</span></div>";

        header("Location: password.php"); 

        die("Redirecting to logout.php"); 
    }
}

Can anyone help me?

Your code has a lot of problems and is hard to read/understand. Some examples:

  • if($newPassword == '')
  • You do different things in a single function
    atualizarMail()
  • Your hash function is insecure and not future-proof. It is implemented in at least 3 places. Storing the salt could be a lot easier
  • Passwords should not be sanitized, only validated (no
    preg_replace()
    )
  • The line if($_POST['newPassword'] != $_SESSION['user']['username']) doesn't make much sense
  • There are too many levels of
    if
    statements, combined with the use of a state
    $changepass
    (hard to read, error-prone)
  • The query
    SELECT 1 FROM users WHERE password=:newPassword
    will probably never fetch any data, because only the hashes are stored in the database

I hope I could point out why I would recommend starting from scratch after reading a good tutorial. Maybe I can give you some ideas to start with:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
The second function password_verify() can be used for the login as well as for checking whether the old password matches.


Another tip: validate all inputs at the beginning of the script, and redirect immediately if anything is wrong. After the validation, don't check for invalid input again, just use it.
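The following script is an added example, not code from the question or the answer above. It puts the answer's advice together in one place: validate every input first and bail out with a single message, check the current password with password_verify(), hash the new one with password_hash() in exactly one place, and store it with a single UPDATE. The PDO connection $db, the users table with columns username and password_hash, the confirmPassword form field and the helper names fetchPasswordHash/storePasswordHash/changePassword are assumptions made for this example; they are not on the page.

```php
<?php
// Added example (not the question's or the answer's code). Assumptions, all
// hypothetical: a PDO connection in $db, a table `users` with columns
// `username` and `password_hash`, and a `confirmPassword` field in the form.

function fetchPasswordHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function storePasswordHash(PDO $db, string $username, string $hash): bool
{
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
    $stmt->execute([':h' => $hash, ':u' => $username]);
    return $stmt->rowCount() === 1;
}

// Returns null on success, otherwise a message for the user. It never touches
// $_SESSION or $_POST, so it can be exercised from the command line.
function changePassword(PDO $db, string $username, string $current, string $new, string $confirm): ?string
{
    // 1. Validate, don't sanitise: a password is accepted byte-for-byte or rejected.
    if ($current === '' || $new === '' || $confirm === '') {
        return 'All fields are required.';
    }
    if ($new !== $confirm) {
        return 'The new passwords do not match.';
    }
    if (strlen($new) < 12) {
        return 'The new password must be at least 12 characters long.';
    }
    if ($new === $current) {
        return 'The new password must differ from the current one.';
    }

    // 2. Verify the current password; salt and cost factor are read from the stored hash.
    $storedHash = fetchPasswordHash($db, $username);
    if ($storedHash === null || !password_verify($current, $storedHash)) {
        return 'The current password is incorrect.';
    }

    // 3. Hash once. password_hash() generates a fresh random salt by itself.
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    if (!storePasswordHash($db, $username, $newHash)) {
        return 'The password could not be updated.';
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Offline demo against a constructed in-memory SQLite database with one user.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
       ->execute([':u' => 'alice', ':h' => password_hash('old-password-123', PASSWORD_DEFAULT)]);

    // First call uses a wrong current password, the second the right one; the last
    // line checks the stored hash afterwards with password_verify().
    var_dump(changePassword($db, 'alice', 'not-the-password', 'new-password-456', 'new-password-456'));
    var_dump(changePassword($db, 'alice', 'old-password-123', 'new-password-456', 'new-password-456'));
    var_dump(password_verify('new-password-456', fetchPasswordHash($db, 'alice')));
    exit;
}

// Web request handling, with the same redirects as the question's script.
// $db is assumed to have been created by your bootstrap include (hypothetical).
session_start();
if (empty($_SESSION['user']['username'])) {
    header('Location: live.php');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = changePassword(
        $db,
        $_SESSION['user']['username'],
        (string) ($_POST['currentPassword'] ?? ''),
        (string) ($_POST['newPassword'] ?? ''),
        (string) ($_POST['confirmPassword'] ?? '')
    );
    if ($error === null) {
        session_regenerate_id(true);   // do not keep the plaintext password in the session
        $_SESSION['success'] = 'The password has been successfully changed.';
    } else {
        $_SESSION['error'] = $error;
    }
    header('Location: password.php');
    exit;
}
```

Run it with php on the command line to exercise the CLI branch against the in-memory database; served by a web server it behaves as the change-password page. Note that the hashing happens in one function only, the salt lives inside the stored hash string instead of in a separate column, and the plaintext password is never written to the session, which the question's script did.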

insert new password
Where? I don't see any insert query here. There is no
insert
statement at all in the code... Yes, but it is in a function, not in the code shown here... "------> atualizarMail