用户密码是否已经哈希和盐渍,试图允许用户更改前端的密码?

时间:2015-11-12 14:02:26

标签: javascript php mysql

首先密码更改工作正常,但是当我添加hash和salt时,用户无法更改密码 (继续获取:当前密码不正确)

if (count($_POST)>0) {
$result = mysql_query("SELECT * from users WHERE username='"
.$_SESSION["user"] . "'");
$row=mysql_fetch_array($result);

    if($_POST["currentPassword"] == $row["password"]) {
mysql_query("UPDATE users set password='" . $_POST["newPassword"] . "'  
WHERE username='" . $_SESSION["user"] . "'");
$message = "Password Changed";

}   else $message = "Current Password is not correct";
}

这是注册页面:

session_start();
    if($_SESSION['user']!=''){header("Location:welcome.php");}
$dbh=new PDO('mysql:dbname=doctor;localhost', 'root', '');
$email=$_POST['mail'];
$password=$_POST['pass'];

    if(isset($_POST) && $email!='' && $password!=''){
$sql=$dbh->prepare("SELECT id,password,psalt FROM users WHERE 
username=?");
$sql->execute(array($email));
      while($r=$sql->fetch()){
$p=$r['password'];
$p_salt=$r['psalt'];
$id=$r['id'];
}
$site_salt="mysalt";/
$salted_hash = hash('sha256',$password.$site_salt.$p_salt);

    if($p==$salted_hash){
    $_SESSION['user']=$id;
    header("Location:welcome.php");
       }else{
 echo "Username OR Password is Incorrect...";
}
}

这是JavaScript:

function validatePassword() {
var currentPassword,newPassword,confirmPassword,output = true;

currentPassword = document.frmChange.currentPassword;
newPassword = document.frmChange.newPassword;
confirmPassword = document.frmChange.confirmPassword;

if(!currentPassword.value) {
currentPassword.focus();
document.getElementById("currentPassword").innerHTML = "required";
output = false;
}
else if(!newPassword.value) {
newPassword.focus();
document.getElementById("newPassword").innerHTML = "required";
output = false;
}
else if(!confirmPassword.value) {
confirmPassword.focus();
document.getElementById("confirmPassword").innerHTML = "required";
output = false;
}
if(newPassword.value != confirmPassword.value) {
newPassword.value="";
confirmPassword.value="";
newPassword.focus();
document.getElementById("confirmPassword").innerHTML = "not same";
output = false;
}   
return output;
}

1 个答案:

答案 0 :(得分:0)

假设 是具有该用户名的用户,则第一个脚本出现问题:

if($_POST["currentPassword"] == $row["password"])

这会将表单($_POST["currentPassword"])中的原始密码与结果($_POST["currentPassword"])中的哈希密码进行比较。您需要做的是比较两个密码的哈希表单。您需要使用您在存储用户密码之前使用的相同哈希函数哈希表单中的哈希值。

相关问题
最新问题