更改密码系统

时间:2014-05-29 05:27:08

标签: php mysql passwords

我的更改密码页面出现问题。当我尝试更改密码时,即使密码错误,页面也不会显示消息$oldpassword_error = 'Wrong password';

<?php
$page = "Change Password";
require_once "session.php";
include "header.php";

$oldpassword_error = '';
$newpassword_error = '';
$retypepassword_error = '';

if(isset($_POST["change"])){

$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$oldpassword = $_POST['oldpassword'];
$oldpassword_hash = crypt($oldpassword, '$2a$' . $cost . '$' . $salt . '$');
$newpassword = $_POST['newpassword'];
$newpassword_hash = crypt($newpassword, '$2a$' . $cost . '$' . $salt . '$');
$retypepassword = $_POST['retypepassword'];
$id = 0;

if(empty($oldpassword)){
    $oldpassword_error = 'Please insert the current password';
}
elseif(!empty($oldpassword)){

        $stmt = $mysqli -> prepare('SELECT id FROM user WHERE password = ?');
        $stmt -> bind_param("s", $oldpassword_hash);
        $stmt -> execute();
        $stmt -> bind_result($id);
        $stmt -> fetch();

    if($id){
        $oldpassword_error = 'Wrong password';
    }
}
if(empty($newpassword)){
    $newpassword_error = 'Please insert the new password';
}
elseif(strlen($newpassword) < 8 ){
    $newpassword_error = 'The new password must have 8 or more characters';
}
elseif(strlen($newpassword) > 16 ){
    $newpassword_error = 'The new password must have less than 16 characters';
}
if(empty($retypepassword)){
    $retypepassword_error = 'Please confirm the new password';
}
elseif(($retypepassword) !== ($newpassword)){
    $retypepassword_error = 'The new passwords did not match';
}
}
 if(empty($oldpassword_error)&& empty($newpassword_error)&&   empty($retypepassword_error)&& isset($_POST['change'])){

    $stmt = $mysqli -> prepare('UPDATE user SET password = ? WHERE username = ?');
    $stmt -> bind_param("ss", $newpassword_hash, $_SESSION['username']);
    $stmt -> execute();
?>
<div id="message">
    <?php echo 
        "Password Changed<br><br>
        Click <a href='control-painel.php'>here</a> to return to your control panel. ";
    ?>
</div>
<?php
}
else{
?>

<div class="message">
    <br><br>
    <?php echo $oldpassword_error; ?><br><br>
    <?php echo $newpassword_error; ?><br><br>
    <?php echo $retypepassword_error; ?><br><br>
    <br><br>
</div>
<div id="form" class="bradius">
    <div class="content">
        <form method="post">
            <label>Old password: </label>
            <input type="password" name="oldpassword" class="text bradius">
            <label>New password: </label>
            <input type="password" name="newpassword" class="text bradius">
            <label>Confirm new password: </label>
            <input type="password" name="retypepassword" class="text bradius">
            <input type="submit" class="submitbutton bradius" name="change" value="Change password">
        </form>
    </div>
</div>

 <?php
  }
 include "footer.php";
 ?>

1 个答案:

答案 0 :(得分:0)

我知道这不是您问题的直接答案,但它会/应该改变工作流程。

您的示例中的方案 对于存储密码是安全的,因为您使用的是常量salt。一个恒定的盐允许构建一个彩虹表来一次性获取所有密码,这就是为每个密码必须唯一的盐。

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

使用上面的代码,您将获得具有唯一salt的BCrypt哈希,但结果是您无法进行查询并搜索密码哈希。在第一步中,您必须使用用户名进行查询以获取存储的密码哈希,然后在第二步中将其与输入的密码进行比较:

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

P.S。数据库字段通常太短,应该能够容纳60个字符的字符串。