PHP: changing the password structure without affecting current users


I am looking for some help or advice on best practices for updating a password system. A while ago I built a login system in PHP (before I really knew what I was doing), and all it does is encrypt the password with sha1, which I know is not secure and not suited for this use.

So basically, after a successful login, all it does is

    $password = sha1($password1);

I want to use another method I have used recently, the CRYPT_BLOWFISH function, like this:

    function generateHash($password_1){
        if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
            //echo "WE HAVE CRYPT BLOWFISH YAYA";
            // Build a bcrypt salt: '$2y$' + cost 11 + 22 salt characters.
            // Note: md5(uniqid(rand())) is not a cryptographic random source;
            // random_bytes() (PHP 7+) or password_hash() is the safer choice.
            $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
            return crypt($password_1, $salt);
        }//End If
        // Without Blowfish support there is no usable hash: fail loudly rather than return null
        trigger_error('CRYPT_BLOWFISH is not available', E_USER_ERROR);
    }//End Function generateHash

On registration I encrypt the password:

    $password_1 = $_POST['password_1'];
    //Hash the password
    $password = generateHash($password_1);

Then on login I use

    // $entered_password holds the bcrypt hash stored for this user; crypt()
    // reuses the salt embedded in it, so the result must equal the stored hash
    $hashed_password = crypt($password_1, $entered_password);
    if($hashed_password != $entered_password){
        $error['password'] = 'The password or username you entered is incorrect.';
    }else{
        echo 'You are good to go!';
    }
I have a lot of users and would like to make the change seamlessly, or at least with very little impact on them. Is it possible to do this without them noticing the change? Any help or advice is much appreciated.

Thanks

You can create new columns in the user table, e.g. password and newPassword.
When a user logs in, you hash the password with the new algorithm and save it in the newPassword column.

After a few days, rename the column newPassword to password.

Thanks to Cvetomir for the idea. So what I did was create a new column in the table called encrypted_password; basically, all new registrations will be encrypted with CRYPT_BLOWFISH.

So basically my solution (not sure how elegant it is, but it works) looks at each password. If the entered password matches the SHA1 password, it takes the posted password, encrypts it in the new format and adds it to the database.

Once the "encrypted_password" column has been updated, I will delete the old password column. Anyway, I would be glad to hear some thoughts/suggestions to make it better, but for now it works, after a lot of trial and error on this one.

    if(!$errors && $username == $teacher_row['username']){
        if($_POST['password1'] != ''){
            $new_password = $_POST['password1'];
            //The old system stored an unsalted SHA1 digest in password1
            $old_password = sha1($new_password);

            //If the old SHA1 password does not match, the user may already have
            //been migrated, so try to match it with our new method instead
            if($old_password != $teacher_row['password1']){
                //Grab the new column (the stored hash carries its own salt)
                $user_password = $teacher_row['encrypted_password'];

                //Re-hash the posted password with the stored salt to see if they match
                $hashed_password = crypt($new_password, $user_password);
                //If it doesn't match throw an error
                if($hashed_password != $user_password){
                    $errors['username'] = 'The username or password you entered is incorrect.';
                }//If Hashed Password != User password
                else{
                    //The new password does match: start the session
                    session_regenerate_id();
                    //Create our session on session_id and hash it as well
                    //($dhl_id is assumed to be set earlier in the script)
                    $session_id = generateHash($dhl_id);
                    $_SESSION['DHL'] = $session_id;
                    $_SESSION['TIMEOUT'] = time();
                    $_SESSION['TEACHER_ID'] = $teacher_username;
                    session_write_close();
                }
            }
            else{ //The old SHA1 password matches: migrate this user to the new hash

                $password = generateHash($new_password);

                //Build our query: store the new hash, never the plaintext
                $sql = "UPDATE members_teachers SET encrypted_password = ? WHERE username = ?";
                //Prepare our query
                $stmt = $db_connection->prepare($sql);

                //Can not proceed if we can not prepare the query
                if(false === $stmt){
                    die('prepare() failed: ' . htmlspecialchars($db_connection->error));
                }
                //Bind the fields and their parameters to our query in our testing variable $next_step
                $next_step = $stmt->bind_param('ss', $password, $teacher_username);
                //If next_step is false then it didn't work and there is no sense in proceeding
                if(false === $next_step){
                    die('bind_param() failed: ' . htmlspecialchars($stmt->error));
                }
                //Place the execute into a variable and test if it executed or not
                $next_step = $stmt->execute();
                //If next_step is false then it didn't work and there is no sense in proceeding
                if(false === $next_step){
                    die('execute() failed: ' . htmlspecialchars($stmt->error));
                }

                //The password was correct and the new hash is stored: we are good
                session_regenerate_id();
                //Create our session on session_id
                $session_id = generateHash($dhl_id);
                $_SESSION['DHL'] = $session_id;
                $_SESSION['TIMEOUT'] = time();
                $_SESSION['TEACHER_ID'] = $teacher_username;
                session_write_close();

            }//End the old passwords do match

        }//If password is not blank
        else{
            $errors['username'] = 'You must enter a password';
        }
    }

You can check the length of the stored password: a sha1 hash should be exactly 40 characters long. If it is 40 characters, use the old method and point them to a change-password page; otherwise use the new method.

Does your table have a date-inserted column field?

Yes, I have an auto timestamp column.
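An added example (not code from the question, Cvetomir's answer or the poster's solution) that carries out the migration both answers describe, plus the 40-character SHA-1 check from the comments, using PHP's password_hash/password_verify API instead of a hand-built crypt() salt. It assumes the members_teachers table with the username, password1 (legacy SHA-1) and encrypted_password columns named in the poster's code, a mysqli connection $db, and PHP 7.1 or later.

```php
<?php
// Added example, not the poster's code: migrate a login from unsalted SHA-1 to
// bcrypt transparently at login time, using the password_* API (PHP >= 7.1).
// Assumed schema from the thread: members_teachers(username, password1, encrypted_password)
// where password1 holds the legacy SHA-1 hex digest and encrypted_password the bcrypt hash or NULL.
declare(strict_types=1);

const LEGACY_SHA1_LEN = 40; // a hex SHA-1 digest is always 40 characters (the check from the comments)
const BCRYPT_OPTIONS = ['cost' => 11]; // same cost the poster's '$2y$11$' salt used

// True when the stored value still looks like a legacy SHA-1 digest.
function isLegacySha1Hash(?string $stored): bool
{
    return $stored !== null && strlen($stored) === LEGACY_SHA1_LEN && ctype_xdigit($stored);
}

// Check a login attempt against a row. Returns whether it succeeded and, when
// the row needs a new hash written (first login after the change, or a cost
// increase), the bcrypt hash to persist. The plaintext is never stored.
function verifyAndMigrate(array $row, string $password): array
{
    // Path 1: this user has already been migrated to bcrypt.
    if (!empty($row['encrypted_password'])) {
        if (!password_verify($password, $row['encrypted_password'])) {
            return ['ok' => false, 'newHash' => null];
        }
        $needsRehash = password_needs_rehash($row['encrypted_password'], PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        return ['ok' => true, 'newHash' => $needsRehash ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS) : null];
    }
    // Path 2: still on the legacy column. Constant-time compare, then rehash.
    if (isLegacySha1Hash($row['password1']) && hash_equals($row['password1'], sha1($password))) {
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }
    return ['ok' => false, 'newHash' => null];
}

// Persist the upgraded hash and wipe the legacy digest for that user, so the
// old column can be dropped once every active user has logged in.
function storeMigratedHash(mysqli $db, string $username, string $newHash): void
{
    $stmt = $db->prepare('UPDATE members_teachers SET encrypted_password = ?, password1 = NULL WHERE username = ?');
    if ($stmt === false) { throw new RuntimeException('prepare() failed: ' . $db->error); }
    $stmt->bind_param('ss', $newHash, $username);
    if (!$stmt->execute()) { throw new RuntimeException('execute() failed: ' . $stmt->error); }
}

// Constructed sample row: an unmigrated user, exactly as the old system stored it.
$row = ['username' => 'alice', 'password1' => sha1('correct horse'), 'encrypted_password' => null];
$result = verifyAndMigrate($row, 'correct horse'); // ok => true, newHash => a '$2y$11$...' string
// On a real login: if ($result['newHash'] !== null) storeMigratedHash($db, $row['username'], $result['newHash']);
```

Users who never log in again keep their SHA-1 digest, so the count of rows where password1 is still non-NULL tells you when the old column can finally be dropped or those accounts forced through a reset.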