PHP - reset password program

Time: 2015-08-07 01:49:54

Tags: php

I am making a php program for users to reset their password if they forget it and I am wondering how I should send the user the url to their email to click. I thought about encrypting their user id and decrypt it to know which user to update the password for but I am wondering if there is a better way.

For example: if the user id is 25, I would encrypt 25 to something like f63bfjf7eh3, then send the user an email containing a URL such as http://example-domain.com/resetpass.php?code=f63bfjf7eh3, then decrypt that code when they click on the link and update the password for that user id.

Sorry if this doesn't make sense; I am not very good at explaining.

2 answers:

Answer 0 (score: 1)

In PHP, you need to create a table, e.g. tbl_reset_pass

with fields id (unique, int(2), primary key and auto incremental), user_id (int(2), foreign key related with user table) and token (varchar)

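When the user requests a password reset, verify the request via email, etc. You should generate a token, an encoded string that will be used in the link you send; sending the encoded user ID is not secure.

So the link should be the same...

But in resetpass.php you need to get the code like this:

$code = (!empty($_GET['code']))?base64_decode($_GET['code']):'';

Then you can use an SQL query like...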

SELECT * FROM tbl_reset_pass WHERE token = '$code'; 

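to get the user who is resetting the password.

If the number of result rows from the above query is exactly 1, then you can redirect the user to the change password page.

Don't forget to use the MySQL escaping tools on $code before using it in the SQL query, because it can contain SQL injection.

When the user has changed to the new password, delete the record from tbl_reset_pass.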
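
The token-table flow from the answer above, as an added PHP example that is not part of either answer. Assumptions: PDO with an in-memory SQLite database stands in for MySQL, the token_hash and expires_at columns and the function names createResetToken/redeemResetToken are hypothetical, the table stores a SHA-256 hash of the token rather than the token itself, and prepared statements replace manual escaping.

```php
<?php
// Added example: single-use, expiring reset tokens for the tbl_reset_pass table.
// Assumptions: in-memory SQLite via PDO stands in for MySQL; token_hash and
// expires_at are hypothetical additions to the schema described in the answer.

function createResetToken(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, hex is URL-safe
    // Issuing a new token invalidates any earlier one for the same user.
    $db->prepare('DELETE FROM tbl_reset_pass WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO tbl_reset_pass (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return $token;                        // appears only in the e-mailed link
}

function redeemResetToken(PDO $db, string $code): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $code)) {
        return null;                      // malformed input never reaches the database
    }
    $db->beginTransaction();
    $sel = $db->prepare('SELECT id, user_id FROM tbl_reset_pass WHERE token_hash = ? AND expires_at > ?');
    $sel->execute([hash('sha256', $code), time()]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        // Delete on redemption so the link works exactly once.
        $db->prepare('DELETE FROM tbl_reset_pass WHERE id = ?')->execute([$row['id']]);
    }
    $db->commit();
    return $row === false ? null : (int) $row['user_id'];
}

// Constructed demo data: user id 25, as in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_reset_pass (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL,
    token_hash TEXT NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL)');

$token = createResetToken($db, 25);
echo "http://example-domain.com/resetpass.php?code={$token}\n";
var_dump(redeemResetToken($db, $token));         // first use of the link
var_dump(redeemResetToken($db, $token));         // same link replayed
var_dump(redeemResetToken($db, 'not-a-token'));  // malformed code
```

Because only the hash is stored, a read of tbl_reset_pass does not yield usable reset links, and the user id never appears in the URL.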

Answer 1 (score: 0)

Make a unique hash using a good algorithm, such as SHA256. Needs to be unique, and unpredictable. Can use things like microtime(true), existing password hash (it is hashed right?). It is also good to have password reset