我是codeigniter的新手并尝试编写安全代码来更改用户密码。请帮帮我
我的控制器功能
public function change_password()
{
$data = array( "main_content" => 'includes/memberadmin/memberadmin_cpass'
);
$this->load->view('includes/memberadmin/template',$data);
}
public function change_password_process()
{
$this->load->library('form_validation');
$this->form_validation->set_rules('old_password','Old Password','trim|required|min_length[4]|max_length[32]');
$this->form_validation->set_rules('password','Password','trim|required|min_length[4]|max_length[32]');
$this->form_validation->set_rules('password2','Reenter Password','trim|required|min_length[4]|max_length[32]|matches[password]');
if ($this->form_validation->run() == FALSE)
{
$this->change_password();
}else {
$this->load->model('membership_model');
$query=$this->membership_model->change_password();
$data = array( "main_content" => 'includes/memberadmin/memberadmin_cpass_process',
"query" => $query
);
$this->load->view('includes/memberadmin/template',$data);
}
我的模型功能是
function Change_password()
{
$this->db->select('id');
$this->db->where('username',$this->session->userdata('uname'));
$this->db->where('password',md5($this->input->post('old_password')));
$query=$this->db->get('memberadmin');
if ($query->num_rows() > 0)
{
$row = $query->row();
if($row->id==$this->session->userdata('uid'))
{
$data = array(
'password' => md5($this->input->post('password'))
);
$this->db->where('username',$this->session->userdata('uname'));
$this->db->where('password',md5($this->input->post('old_password')));
if($this->db->update('memberadmin', $data))
{
return "Password Changed Successfully";
}else{
return "Something Went Wrong, Password Not Changed";
}
}else{
return "Something Went Wrong, Password Not Changed";
}
}else{
return "Wrong Old Password";
}
}
实际上我的用户名和用户名存储在会话中,我尝试从表中获取用户名,并再次将返回的用户ID与会话用户ID匹配以获得额外的安全性,然后更改密码。
请让我知道我的代码是安全的还是我做错了什么。
答案 0 :(得分:1)
首先,您可以在匹配用户ID
时使用===代替==if($row->id===$this->session->userdata('uid'))
在更加安全的情况下,您可以在更新密码时在where子句中再添加一行
$this->db->where('username',$this->session->userdata('uname'));
$this->db->where('id',$this->session->userdata('uid'));
$this->db->where('password',md5($this->input->post('old_password')));