Can't figure out what I'm doing wrong? PHP script to reset password

Time: 2015-09-18 15:59:45

Tags: php mysql passwords

I almost have everything working. Below you can find the steps I have already completed, and they work.

Step 1) Send an email (with a generated token) to the email address of the user who wants to reset their password

Step 2) The user clicks the token link provided and is redirected to the reset password form

Problem

Step 3) To reset the password, the new password has to be filled in and the reset button pressed. What happens is that everything goes as planned, but the database is not updated? I checked whether it has something to do with the password hash and the salt, but I don't know now whether it is related or not. When registering, my script creates a 64-byte hex password and an 8-byte hex salt. Now, when I use the same code in the reset password script, it creates a 255-byte hex password hash and also creates a salt that is bigger than the one in the registration table.

You can find the code below:

------------- DATABASE -------------

`password` char(64) COLLATE utf8_unicode_ci NOT NULL,

`salt` char(16) COLLATE utf8_unicode_ci NOT NULL,

------------- PHP reset password -------------

require("connect.php");

// token from the link in the reset email
$key = trim($_GET['key']);

$stmt = $db->prepare('SELECT resetToken, resetComplete FROM members WHERE resetToken = :token');
$stmt->execute(array(':token' => $key));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// if no token from db then kill the page (stop here, otherwise the
// UPDATE below runs with an empty token and matches no row)
if(empty($row['resetToken'])){
    echo 'Invalid token provided, please use the link provided in the reset email.';
    exit();
} elseif($row['resetComplete'] == 'Yes') {
    echo 'Your password has already been changed!';
    exit();
}

if (!empty($_POST)) {
    if (empty($_POST['password'])) { 
        echo "Please enter a password!";
        exit();
    } 

    if (empty($_POST['retype'])) { 
        echo "Please retype password!";
        exit();
    } 

    if ($_POST['password'] != $_POST['retype']) { 
        echo "Password doesn't match!";
        exit();
    } 

    $query = "UPDATE members SET password = :password, salt = :salt, resetComplete = 'Yes'  WHERE resetToken = :token";
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
    $password = hash('sha256', $_POST['password'] . $salt); 
    for ($round = 0; $round < 65536; $round++) { 
        $password = hash('sha256', $password . $salt); 
    }

    $query_params = array(  
        ':password' => $password, 
        ':salt' => $salt, 
        ':token' => $row['resetToken']
    ); 

    try { 
        // Execute the query to update the password for this token
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    } catch(PDOException $ex) {
        die("Failed to run query");
    }

    // Only report success if a row was actually updated; an UPDATE whose
    // WHERE clause matches nothing succeeds silently with zero rows affected
    if ($stmt->rowCount() === 0) {
        die("No account matched this token, password not changed");
    }

    echo "Change password success";
}
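The same step 3 written as a hardened handler against the table from the question, as an added example that is not the asker's code. It assumes `$db` is a PDO handle from connect.php configured to throw exceptions, and that `resetToken` and `resetComplete` exist on `members` alongside the `password char(64)` and `salt char(16)` columns shown above.

```php
<?php
// Added example, not the asker's code. Assumes $db (PDO, ERRMODE_EXCEPTION)
// from connect.php and the members table described in the question.
require("connect.php");

function resetPasswordByToken(PDO $db, $token, $newPassword)
{
    if ($token === '' || $newPassword === '') {
        throw new RuntimeException('Missing token or password.');
    }

    // Look the token up and stop on any failure. The original script echoed
    // an error but kept running, so the UPDATE executed with an empty token.
    $stmt = $db->prepare('SELECT resetComplete FROM members WHERE resetToken = :token');
    $stmt->execute(array(':token' => $token));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('Invalid token provided, please use the link in the reset email.');
    }
    if ($row['resetComplete'] === 'Yes') {
        throw new RuntimeException('Your password has already been changed!');
    }

    // password_hash() (PHP >= 5.5) embeds its own random salt and cost in a
    // 60-character bcrypt string, which fits the existing char(64) column, so
    // the hand-rolled sha256 loop and the separate salt column are unnecessary.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    // Mark the token used and clear it so the same link cannot be replayed.
    $stmt = $db->prepare(
        "UPDATE members SET password = :password, salt = :salt, resetComplete = 'Yes', resetToken = '' "
        . "WHERE resetToken = :token AND resetComplete <> 'Yes'"
    );
    $stmt->execute(array(':password' => $hash, ':salt' => '', ':token' => $token));

    // Report success only when a row actually changed; the original printed
    // "success" without checking how many rows the UPDATE affected.
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException('Password was not updated.');
    }
}

// Handler wiring as on the page: token from the link, new password from the form.
if (!empty($_POST)) {
    $token    = isset($_GET['key']) ? trim($_GET['key']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $retype   = isset($_POST['retype']) ? $_POST['retype'] : '';
    if ($password !== $retype) {
        exit("Password doesn't match!");
    }
    try {
        resetPasswordByToken($db, $token, $password);
        echo 'Change password success';
    } catch (RuntimeException $e) {
        echo $e->getMessage();
    }
}
```

Because the stored value is now a bcrypt string, the login script must check it with `password_verify()` instead of recomputing the sha256 loop.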

0 answers:

No answers