我的脚本应该是这样的:
旧密码正在运行并检查但是当我插入新密码时,代码无效......没有错误,没有...
这是我到目前为止的代码:
$user_p = $_SESSION['user']['username'];
if(empty($_SESSION['user']))
{
header("Location: live.php");
die("Redirecting to live.php");
}
if(!empty($_POST))
{
$currentPassword = preg_replace('/\s+/', '', $_POST['currentPassword']);
$newPassword = preg_replace('/\s+/', '', $_POST['newPassword']);
$oldpass = IrBuscarPassword($_SESSION['user']['username']);
$saltcode = IrBuscarSalt($_SESSION['user']['username']);
$formEncriptedPass = hash('sha256', $currentPassword . $saltcode);
for($round = 0; $round < 65536; $round++)
{
$formEncriptedPass = hash('sha256', $formEncriptedPass . $saltcode);
}
$changepass = False;
if($oldpass != $formEncriptedPass)
{
echo "Password NO-OK.";
//die();
}
else
{
if($newPassword == '')
{
$_SESSION['error'] = " The field E-mail is empty.</span></div>";
}
else
{
if($newPassword == '' || !isset($newPassword))
{
$changepass = False;
}
else
{
$changepass = True;
atualizarMail($newPassword, $_SESSION['user']['username']);
}
}
}
if(!isset($currentPassword) || ($currentPassword == ''))
{
$_SESSION['error'] = " The Password field is empty.</span></div>";
}
$password = hash('sha256', $_POST['currentPassword'] . $saltcode);
if($changepass == False)
{
$_SESSION['error'] = "<br/>New Password.</span></div>";
}
if($_POST['newPassword'] != $_SESSION['user']['username'])
{
$query = "
SELECT
1
FROM users
WHERE
password = :newPassword
";
$query_params = array(
':newPassword' => $_POST['newPassword']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
}
if(!empty($_POST['newPassword']))
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['newPassword'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
}
else
{
$password = null;
$salt = null;
}
if(isset($_SESSION['error']))
{
echo $_SESSION['error'];
$_SESSION['error'] = null;
}
else
{
$_SESSION['user']['password'] = $_POST['newPassword'];
$_SESSION['success'] = " The password has been successfully changed..</span></div>";
header("Location: password.php");
die("Redirecting to logout.php");
}
}
有人可以帮助我吗?
答案 0 :(得分:0)
您的代码存在许多问题,难以阅读/理解。一些例子:
if($newPassword == '') atualizarMail() preg_replace())if($_POST['newPassword'] != $_SESSION['user']['username'])行没有多大意义。if语句的级别太多,加上使用状态$changepass(难以阅读,容易出错)SELECT 1 FROM users WHERE password = :newPassword将永远不会获取任何数据,因为只有哈希存储在数据库中。我希望我能指出,为什么我建议在阅读完好的教程后从头开始。也许我可以给你一些想法来开始宽度:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
第二个函数password_verify()可用于登录以及检查旧密码是否匹配。
另一个提示,在脚本开头验证所有输入,并在出现任何问题时立即重定向。在进行验证后,不要再次检查无效输入,只需使用它即可。