我的脚本应该是这样工作的:
- 插入旧密码并
- 然后是新通行证
旧密码有效并已检查,但当我插入新密码时,代码不起作用。。。没有错误,什么都没有。。。
这是我迄今为止的代码:
$user_p = $_SESSION['user']['username'];
if(empty($_SESSION['user']))
{
header("Location: live.php");
die("Redirecting to live.php");
}
if(!empty($_POST))
{
$currentPassword = preg_replace('/'s+/', '', $_POST['currentPassword']);
$newPassword = preg_replace('/'s+/', '', $_POST['newPassword']);
$oldpass = IrBuscarPassword($_SESSION['user']['username']);
$saltcode = IrBuscarSalt($_SESSION['user']['username']);
$formEncriptedPass = hash('sha256', $currentPassword . $saltcode);
for($round = 0; $round < 65536; $round++)
{
$formEncriptedPass = hash('sha256', $formEncriptedPass . $saltcode);
}
$changepass = False;
if($oldpass != $formEncriptedPass)
{
echo "Password NO-OK.";
//die();
}
else
{
if($newPassword == '')
{
$_SESSION['error'] = " The field E-mail is empty.</span></div>";
}
else
{
if($newPassword == '' || !isset($newPassword))
{
$changepass = False;
}
else
{
$changepass = True;
atualizarMail($newPassword, $_SESSION['user']['username']);
}
}
}
if(!isset($currentPassword) || ($currentPassword == ''))
{
$_SESSION['error'] = " The Password field is empty.</span></div>";
}
$password = hash('sha256', $_POST['currentPassword'] . $saltcode);
if($changepass == False)
{
$_SESSION['error'] = "<br/>New Password.</span></div>";
}
if($_POST['newPassword'] != $_SESSION['user']['username'])
{
$query = "
SELECT
1
FROM users
WHERE
password = :newPassword
";
$query_params = array(
':newPassword' => $_POST['newPassword']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
}
if(!empty($_POST['newPassword']))
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['newPassword'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
}
else
{
$password = null;
$salt = null;
}
if(isset($_SESSION['error']))
{
echo $_SESSION['error'];
$_SESSION['error'] = null;
}
else
{
$_SESSION['user']['password'] = $_POST['newPassword'];
$_SESSION['success'] = " The password has been successfully changed..</span></div>";
header("Location: password.php");
die("Redirecting to logout.php");
}
}
有人能帮我吗?
您的代码有很多问题,很难阅读/理解。一些例子:
- 你一次又一次地检查相同的东西
if($newPassword == '') - 您在一个函数
atualizarMail()中执行不同的操作 - 你的散列函数是不安全的,不能经得起未来的考验。它至少在3个地方实施。储存盐可以容易得多
- 密码不应被清除,只应进行验证(无
preg_replace()) - 线
if($_POST['newPassword'] != $_SESSION['user']['username'])没有多大意义 if语句的级别太多,再加上使用状态$changepass(难以阅读,容易出错)- 查询
SELECT 1 FROM users WHERE password = :newPassword希望永远不会获取任何数据,因为只有散列存储在数据库中
我希望我能指出,为什么我建议从头开始,看完一个好的教程。也许我可以给你一些开始宽度的想法:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
第二个函数password_verify()既可以用于登录,也可以用于检查旧密码是否匹配。
另一个技巧是,在脚本开始时验证所有输入,如果出现任何问题,请立即重定向。进行验证后,不要再次检查无效输入,只需使用它。