Update to the new password if the temporary password matches the one in the database

Asked: 2013-10-04 15:53:06

Tags: php html mysql passwords

I have a table with a field TempPass that is blank for all users. When a user asks for a password change, instead of updating the existing password, my script stores a temporary password (hashed with SHA) in the TempPass field and e-mails it to the user. The following line does that:

$query = "UPDATE users SET TempPass=SHA('$p') WHERE UserID=$uid";

At registration I save the password with the following line:

$password = md5(mysql_real_escape_string($_POST['password']));

Here is my HTML file:

<?php include "config.php"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="theStylesScripts/lostPassStyle.css" type="text/css" media="all" />
<title>Reset Password</title>
</head>

<body>
<?php

include("mailerClass/class.phpmailer.php");
include("mailerClass/class.smtp.php");

if (isset($_POST['submitted'])) { // Handle the form.
    $uid = TRUE; // Set to FALSE by any failed validation below.
    if (empty($_POST['email'])) { // Validate the email address.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your email address!</font></p>';
    }
    if (empty($_POST['temppass'])) { // Validate the temporary password.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your temporary password!</font></p>';
    }
    if (empty($_POST['newpass'])) { // Validate the new password.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your new password!</font></p>';
    }
    if ($uid) { // All three fields were supplied.
        // Check for the existence of that email address.
        $query = "SELECT UserID FROM users WHERE EmailAddress='".  mysql_real_escape_string($_POST['email']) . "'";
        $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        if (mysql_num_rows($result) == 1) {
            // Retrieve the user ID.
            list($uid) = mysql_fetch_array ($result, MYSQL_NUM);
        }
        else {
            echo '<p><font color="red" size="+1">The submitted email address does not match those on file!</font></p>';
            $uid = FALSE;
        }
    }
    if ($uid) { // If everything’s OK.
        // Make the query.
        $query = "THIS IS THE QUERY THAT WILL COMPARE THE USEREMAIL WITH THE TEMPORARY PASSWORD ASSIGNED AND EMAILED TO WHAT THE USER ENTERED IN THE FORM";
        $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        if ("USEREMAIL WITH THE AUTO ASSIGNED TEMPORARY PASSWORD MATCHES WITH THE TEMPORARY PASSWORD ENTERED BY THE USER") { // If it ran OK.
            $query = "THIS IS THE QUERY THAT WILL UPDATE THE EXISTING PASSWORD WITH THE NEW PASSWORD ENTERED BY USER";
            $query = "SET TEMPPASS BACK TO NULL FOR THAT USERID";
            echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "Change Password" link.</h3>';
            mysql_close(); // Close the database connection.
            //include ('./includes/footer.html'); // Include the HTML footer.
            exit();
        } else { // If it did not run OK.
            echo '<p><font color="red" size="+1">Your password could not be changed due to a system error. We apologize for any inconvenience.</font></p>';
        }
    }
    else { // Failed the validation test.
        echo '<p><font color="red" size="+1">Please try again.</font></p>';
    }
} // End of the main Submit conditional.
?>

<h1>Reset Your Password</h1>

<p>Enter your email address below and your password will be reset.</p>

<form action="resetPass.php" method="post">

<fieldset>

<p><b>Email Address:</b> <input type="email" name="email" size="20" maxlength="40" value="" /></p>
<p><b>Temporary Password:</b> <input type="text" name="temppass" size="20" maxlength="40" value="" /></p>
<p><b>New Password:</b> <input type="password" name="newpass" size="20" maxlength="40" value="" /></p>

</fieldset>

<div align="center"><input type="submit" name="submit" value="Create New Password" /></div>

<input type="hidden" name="submitted" value="TRUE" />

</form>

</body>
</html>

How do I modify the following code to achieve my goal:

if ($uid) { // If everything’s OK.
    // Make the query.
    $query = "THIS IS THE QUERY THAT WILL COMPARE THE USEREMAIL WITH THE TEMPORARY PASSWORD ASSIGNED AND EMAILED TO WHAT THE USER ENTERED IN THE FORM";
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
    if ("USEREMAIL WITH THE AUTO ASSIGNED TEMPORARY PASSWORD MATCHES WITH THE TEMPORARY PASSWORD ENTERED BY THE USER") { // If it ran OK.
        $query = "THIS IS THE QUERY THAT WILL UPDATE THE EXISTING PASSWORD WITH THE NEW PASSWORD ENTERED BY USER";
        $query = "SET TEMPPASS BACK TO NULL FOR THAT USERID";
        echo 'password changed';
        mysql_close(); // Close the database connection.
        exit();
    } else { // If it did not run OK.
        echo 'no change. error';
    }
}

Also, should I save the new password in {{1}} format?

Please note: I will be updating to md5 soon.

1 Answer:

Answer 0 (score: 1)

if ($uid) { // If everything's OK.
    // TempPass was stored as SHA('...'), so compare it with the SHA of what the user typed.
    $query = "SELECT UserID FROM users WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."' AND TempPass=SHA('".mysql_real_escape_string($_POST['temppass'])."')";
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
    if (mysql_num_rows($result)==1) { // Exactly one row matched: the temporary password is correct.
        // Replace the stored password with a SHA-512 hash of the new one.
        $query = "UPDATE users SET password=SHA2('".mysql_real_escape_string($_POST['newpass'])."',512) WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."'";
        mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        // Clear the temporary password so it cannot be used a second time.
        $query = "UPDATE users SET TempPass='' WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."'";
        mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        echo 'password changed';
        mysql_close(); // Close the database connection.
        exit();
    } else { // If it did not run OK.
        echo 'no change. error';
    }
}

Storing the new password in MD5 is not secure, because it has already been cracked; use a different hash such as SHA512.
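The following is an added example, not code from the question or the answer above: the same reset flow (issue a temporary password, verify it, set the new password, clear the temporary one) written the way a practitioner would build it today. It goes beyond the original design in three ways: the temporary password is a random token whose hash is stored with an expiry, comparison is constant-time, and the final password is stored with password_hash() rather than MD5/SHA. The table and column names (users, UserID, EmailAddress, Password, TempPass, TempPassExpires), the DSN and the credentials are assumptions for illustration.

```php
<?php
// Added example, not code from the original question or answer: a hardened version of the
// same reset flow. Assumptions (hypothetical): table users(UserID, EmailAddress, Password,
// TempPass, TempPassExpires); TempPass holds sha256(token) and TempPassExpires a DATETIME,
// both NULL when no reset is pending; DSN and credentials below are placeholders.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;    // tokens expire after an hour (an addition to the original design)
const MIN_PASSWORD_LENGTH = 12;

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
    ]);
}

// Step 1 ("forgot password"): store only the hash of a random token and return the
// plaintext to be e-mailed. Returns null when the address is unknown; the caller should
// show the same message either way so the form cannot be used to enumerate accounts.
function issueTempPassword(PDO $pdo, string $email): ?string
{
    $token = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG, not a guessable value
    $stmt = $pdo->prepare(
        'UPDATE users SET TempPass = ?, TempPassExpires = DATE_ADD(NOW(), INTERVAL ? SECOND)
          WHERE EmailAddress = ?'
    );
    $stmt->execute([hash('sha256', $token), TOKEN_TTL_SECONDS, $email]);
    return $stmt->rowCount() === 1 ? $token : null;
}

// Step 2 (the placeholder block in the question): accept the reset only if the submitted
// temporary password hashes to the stored value and has not expired, then replace the
// password hash and clear the token in the same statement so it is single-use.
function resetPassword(PDO $pdo, string $email, string $tempPass, string $newPass): bool
{
    if (strlen($newPass) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT UserID, TempPass FROM users
          WHERE EmailAddress = ? AND TempPass IS NOT NULL AND TempPassExpires > NOW()'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time comparison; compare against a dummy hash when no row matched so the
    // response time does not reveal whether the address has a pending reset.
    $stored = $row === false ? str_repeat('0', 64) : (string) $row['TempPass'];
    if (!hash_equals($stored, hash('sha256', $tempPass)) || $row === false) {
        return false;
    }

    // TempPass in the WHERE clause makes a concurrent second submission lose the race.
    $upd = $pdo->prepare(
        'UPDATE users SET Password = ?, TempPass = NULL, TempPassExpires = NULL
          WHERE UserID = ? AND TempPass = ?'
    );
    $upd->execute([password_hash($newPass, PASSWORD_DEFAULT), (int) $row['UserID'], $stored]);
    return $upd->rowCount() === 1;
}

// Later, at login, verify against the stored hash instead of comparing md5() strings:
//   if (password_verify($_POST['password'], $row['Password'])) { ... }

// Form handler for resetPass.php: one generic failure message, deliberately not saying
// which of the three inputs was wrong.
if (isset($_POST['submitted'])) {
    $ok = resetPassword(
        db(),
        (string) ($_POST['email'] ?? ''),
        (string) ($_POST['temppass'] ?? ''),
        (string) ($_POST['newpass'] ?? '')
    );
    echo $ok
        ? '<p>Your password has been changed.</p>'
        : '<p>The e-mail address or temporary password was not accepted.</p>';
}
```

A few points the original code does not address, each of which this version fixes: the `mysql_*` functions were removed in PHP 7, and building queries by string concatenation is what prepared statements exist to avoid; MySQL's `SHA()` is unsalted SHA-1 and `SHA2(..., 512)` is still a fast, unsalted hash, so both let an attacker who obtains the table test guesses at hardware speed, whereas `password_hash()` uses a slow, per-user-salted algorithm; calling `mysql_real_escape_string()` on a password before hashing it silently changes any password containing a quote or backslash, so escape (or better, parameterize) only what goes into SQL; and a "temporary password" chosen by the application should come from `random_bytes()`, never from a predictable value, because the reset form is an unauthenticated path to any account.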