输入哈希重置密码而不是实际用户密码

时间:2014-10-05 16:28:45

标签: javascript php hash mysqli

我有一个更新密码页面,不允许我输入当前密码字段的实际当前密码。相反,它需要哈希密码。然而,一旦改变了,然后对新的那个进行哈希处理,这是一件好事。我只需要能够输入实际的密码而不是哈希。

是的,我知道,没有md5;这更适合测试。

changepassword.js

<script>
function validatePassword() {
var currentPassword,newPassword,confirmPassword,output = true;

currentPassword = document.frmChange.currentPassword;
newPassword = document.frmChange.newPassword;
confirmPassword = document.frmChange.confirmPassword;

if(!currentPassword.value) {
currentPassword.focus();
document.getElementById("currentPassword").innerHTML = "required";
output = false;
}
else if(!newPassword.value) {
newPassword.focus();
document.getElementById("newPassword").innerHTML = "required";
output = false;
}
else if(!confirmPassword.value) {
confirmPassword.focus();
document.getElementById("confirmPassword").innerHTML = "required";
output = false;
}
if(newPassword.value != confirmPassword.value) {
newPassword.value="";
confirmPassword.value="";
newPassword.focus();
document.getElementById("confirmPassword").innerHTML = "not same";
output = false;
}   
return output;
}
</script>   

updatepassword.php

<?php
    include 'core/login.php';    === this contains the connection, it's obviously good ===
    include 'includes/head.php';  === changepassword.js is linked in the head ===   
    if(count($_POST)>0) {
    $result = mysqli_query($link, "SELECT *from users WHERE id='" . $_SESSION["id"] . "'");
    $row = mysqli_fetch_array($result);
    if($_POST["currentPassword"] == $row["password"]) {
    mysqli_query($link, "UPDATE users set `password`='" .md5(md5($_POST['newPassword'])) . "' WHERE id='" . $_SESSION["id"] . "'");
    $message = "Password Changed";
    } else $errormessage = "Current Password is not correct";
    }
print_r($_SESSION);
?>

表单在同一页面上:

<div class="container">
            <div class="text-center">
                <h4>Change password below</h4>
            </div><br />

            <div class="message"><?php if(isset($message)) { echo $message; } ?></div>
            <div class="message"><?php if(isset($errormessage)) { echo $errormessage; } ?></div>

            <div class="col-md-4 col-md-offset-4">                                                      
                <form name="frmChange" method="post" action="" onSubmit="return validatePassword()">

                    <div class="form-group">
                        <label>Current Password*</label>  
                        <input type="text" name="currentPassword" class="form-control input-md" />
                    </div>
                    <div class="form-group">
                        <label>New Password*</label>  
                        <input type="text" name="newPassword" class="form-control input-md" />
                    </div>  
                    <div class="form-group">
                        <label>Confirm Password*</label>  
                        <input type="text" name="confirmPassword" class="form-control input-md" />
                    </div>                          
                    <br />                  
                    <div class="text-center"> 
                        <input type="submit" name="submit" class="btn btn-success" value="Submit" />        


                    </div>                                      
                </form>                 
            </div>
        </div>

2 个答案:

答案 0 :(得分:1)

你的问题在这里:

if($_POST["currentPassword"] == $row["password"]) {

您正在将哈希的实际文本版本(例如&#34;密码&#34;)与该密码的哈希版本进行比较(例如&#34; 213y789hwuhui1dh&#34;)。这评估为:

if("password" == "213y789hwuhui1dh") {

这显然永远不准确。解决问题所需要做的就是使用与创建密码时相同的方式对密码进行哈希处理。如果我理解你的代码,那应该是:

if(md5(md5($_POST["currentPassword"]))==$row["password"]) {

SQL注入的侧面注释

请注意,此代码非常容易注入。用户所要做的就是结束&#34; currentPassword&#34;使用'; SHOW DATABASE;的POST值,他们可以无限制地访问您服务器的MySQL数据库。考虑学习使用MySQLi准备语句。它们易于理解,易于实施。

答案 1 :(得分:0)

我太过分了。您的其他问题已经结束。 Juuuuust会离开这里...我正在使用PHP版PHP 5.2.0。

 
<?php

// so I don't actually have to test form submission, too... 
$_POST['current_password'] = 'Tacotaco'; 
$_POST['new_password']     = 'NINrocksOMG';
$_POST['confirmPassword']  = 'NINrocksOMG'; 
$_SESSION['id'] = 1;

// this is Tacotaco encrypted... update your db to test
// update users set password = '$2y$10$fc48JbA0dQ5dBB8MmXjVqumph1bRB/4zBzKIFOVic9/tqoN7Ui59e' where id=1


// the following is sooooo ugly... don't leave it this way 

if (!isset($_SESSION['id'])            or empty($_SESSION['id']) or
    !isset($_POST['current_password']) or empty($_POST['current_password']) or 
    !isset($_POST['new_password'])     or empty($_POST['new_password']) or 
    !isset($_POST['confirmPassword'])  or empty($_POST['confirmPassword']) ) {
   $message = 'Please enter your password';
}
else {
   $sid = $_SESSION['id'];

   $currpass = $_POST['current_password'];
   $newpass  = $_POST['new_password'];
   $conpass  = $_POST['confirmPassword'];

   $message  = validate_password($sid, $currpass, $newpass, $conpass);
}

print "<br/>$message<br/>";

function validate_password($sid, $currpass, $newpass, $conpass) {
   $mysqli = mysqli_connect('localhost','root','','test')
               or die('Error ' . mysqli_error($link));

   $stmt = $mysqli->prepare('select id, password from users where id = ?');
   $stmt->bind_param("s", $sid);
   $stmt->execute();
   $stmt->bind_result($userid, $userpass);

   $message = '';

   if ($stmt->fetch()) { 
      $stmt->close(); 

      if (strlen($newpass) < 8) {
         $message = 'Please enter a password with at least 8 characters';
      }
      elseif (!preg_match('`[A-Z]`', $newpass)) {
         $message = 'Please enter at least 1 capital letter';
      }
      elseif ($newpass !== $conpass) { 
         $message = 'Your passwords do not match.';
      }
      else {  
         if (password_verify($currpass, $userpass)) {  
            $hashed_new = password_hash($newpass, PASSWORD_BCRYPT);  
            $query = 'update users set password = ? where id = ?'; 
            $stmt_new = $mysqli->prepare($query); 

            $stmt_new->bind_param('ss', $hashed_new, $sid);
            if ($stmt_new->execute()) {
               $message = 'Password Changed';
            }
            else {
               $message = $mysqli->error;
            }
         }
         else $message = 'Current Password is not correct';
      }
   }
   else {
      $message = 'user not found for id $sid';
   }

   $mysqli->close(); 
   return $message;
}
?>