Php 使用密码\u散列时更改密码表单
所以我在用户注册中使用密码散列。所以现在我想让用户可以在需要时更改密码 在youtube上播放了无数视频后,我继续写了这篇文章Php 使用密码\u散列时更改密码表单,php,Php,所以我在用户注册中使用密码散列。所以现在我想让用户可以在需要时更改密码 在youtube上播放了无数视频后,我继续写了这篇文章 <?php session_start(); error_reporting(0); include("checklogin.php"); check_login(); include("dbconnection.php"); if(isset($_POS
<?php
session_start();
error_reporting(0);
include("checklogin.php");
check_login();
include("dbconnection.php");
if(isset($_POST['Change']))
{
$ret=mysqli_query($con,"SELECT * FROM user WHERE email = '".$_SESSION['login']."'");
$numrow = mysqli_num_rows($ret);
function console_log( $ret ){
echo '<script>';
echo 'console.log('. json_encode( $ret ) .')';
echo '</script>';
}
$num=mysqli_fetch_array($ret);
if($numrow>0)
{
// CHECK FOR PASSWORD MATCH
if(password_verify($_POST['oldpass'], $num['password']))
{
$hashed = password_hash($_POST[('newpass')], PASSWORD_DEFAULT);
$con = mysqli_query($con, "UPDATE user SET password ='".$hashed."' where email='".$_SESSION['login']."'");
$_SESSION['msg1']="Password Has Been Changed!";
}
else
{
$_SESSION['msg1']="Error, the Old Password doesn't match!";
}
}
}
?>
感谢您的帮助。谢谢,祝您度过愉快的一天。如评论中所述-您应该使用
准备好的语句,而不是直接在SQL中嵌入变量。除了减轻SQL注入攻击外,当字符串
可能有奇怪的字符,有时可能会打破传统的引号,并且密码可能有特殊字符
我希望下面的内容能对准备好的声明有所帮助
<?php
session_start();
error_reporting( E_ALL );
include 'checklogin.php';
include 'dbconnection.php';
# default values
$hash=false;
$message='Error, the Old Password does not match!';
# ensure the user knows the current password before changing
$sql='select `password` from `user` where `email`=? limit 1';
$stmt=$con->prepare( $sql );
$stmt->bind_param('s', $_SESSION['login'] );
$stmt->execute();
$stmt->bind_result( $hash );
$stmt->fetch();
if( $hash && password_verify( $_POST['oldpass'], $hash ) ){
# close old statement
$stmt->free_result();
$stmt->close();
# generate new hash
$hash=password_hash( $_POST['newpass'], PASSWORD_DEFAULT );
# the user has verified the old password, a new hash
# has been generated so allow them to change it.
$sql='update `user` set `password`=? where `email`=?';
$stmt=$con->prepare( $sql );
$stmt->bind_param( 'ss', $hash, $_SESSION['login'] );
$status=$stmt->execute();
if( $status && $stmt->affected_rows > 0 ) {
$message='Password has been changed!';
}
}
# set the session variable
$_SESSION['msg1']=$message;
?>
除非您明确知道可以,否则是否可以添加check\u login
功能。还有-为什么在尝试开发此功能时关闭错误报告?是的,这是检查登录功能,等等,对不起,我将把它添加到主帖子中。这里没有任何功能(除了控制台登录
)。。添加真实代码,否则会妨碍那些可能有助于错误报告的代码(0)代码>已关闭,请尝试错误报告(E_ALL)代码>用于开发-在执行使用变量作为输入的查询时,您还应该采用使用的做法
<?php
session_start();
error_reporting( E_ALL );
include 'checklogin.php';
include 'dbconnection.php';
# default values
$hash=false;
$message='Error, the Old Password does not match!';
# ensure the user knows the current password before changing
$sql='select `password` from `user` where `email`=? limit 1';
$stmt=$con->prepare( $sql );
$stmt->bind_param('s', $_SESSION['login'] );
$stmt->execute();
$stmt->bind_result( $hash );
$stmt->fetch();
if( $hash && password_verify( $_POST['oldpass'], $hash ) ){
# close old statement
$stmt->free_result();
$stmt->close();
# generate new hash
$hash=password_hash( $_POST['newpass'], PASSWORD_DEFAULT );
# the user has verified the old password, a new hash
# has been generated so allow them to change it.
$sql='update `user` set `password`=? where `email`=?';
$stmt=$con->prepare( $sql );
$stmt->bind_param( 'ss', $hash, $_SESSION['login'] );
$status=$stmt->execute();
if( $status && $stmt->affected_rows > 0 ) {
$message='Password has been changed!';
}
}
# set the session variable
$_SESSION['msg1']=$message;
?>
<?php
# checklogin.php
function check_login(){
if( !isset( $_SESSION ) or empty( $_SESSION['login'] ) ) exit( header('Location: /index.php'));
return true;
}
check_login();
?>