试图使用户可以更改其密码,但是由于密码是加密的,因此用户必须先输入加密的密码才能更改密码。
当用户单击“更改密码”时,他们将被发送到change.php,然后将其返回到profile.php?error = wrong_pw
由于我到目前为止仅使用php完成“简单”网站,因此没有任何安全性,因此不习惯对密码进行哈希处理。这也是为什么这很容易被黑客利用的原因。
Change.php
<?php
session_start();
require 'dbc.php';
if (!isset($_POST['password']) || !isset($_POST['newpassword']) || !isset($_POST['renewpassword'])) {
header('Location: ../profile.php?error=wrong_info');
exit();
}
$user = $_SESSION['id'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$renewpassword = $_POST['renewpassword'];
$sql = "SELECT * FROM users WHERE id='$user' AND pwd='$password'";
$result = mysqli_query($conn, $sql);
if($row = mysqli_fetch_assoc($result)){
if($newpassword == $renewpassword){
if($newpassword != ""){
$newsql = "UPDATE users SET pwd='$newpassword' WHERE id='$user'";
$newresult = mysqli_query($conn, $newsql);
header('Location: ../index.php');
}
else{
header('Location: ../profile.php?error=empty');
exit();
}
}
else{
header('Location: ../profile.php?error=match');
exit();
}
} else{
header('Location: ../profile.php?error=wrong_pw');
}
profile.php
<?php require "inc/header.inc.php"; ?>
<?php
if(isset($_GET['u'])){
$u = $_GET['u'];
}else{
$u = $_SESSION['id'];
}
$sql = "SELECT * FROM users WHERE id='$u'";
$result = mysqli_query($conn, $sql);
$user = mysqli_fetch_assoc($result);
?>
<div class="container mt-3">
<table class="table">
<tr>
<th>Email</th>
<th>Username</th>
<?php
if ($u === $_SESSION['id']) {
echo "<th>Password</th>";
}
?>
</tr>
<tr>
<td><?php echo $user['email']; ?></td>
<td><?php echo $user['uid']; ?></td>
<?php
if ($u === $_SESSION['id']) {
echo '<th><a href="javascript:;" class="btn btn-danger" data-toggle="modal" data-target="#leModal">Change</a></th>';
}
?>
</tr>
</table>
</div>
<form action="change_theme.php" method="post">
<center><button class="btn btn-primary themebutton" type="submit" value="Change theme" action="change_theme.php">Change theme</button></center>
</form>
<div class="modal fade" id="leModal" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="exampleModalLabel">Change Password</h5>
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">×</span>
</button>
</div>
<div class="modal-body">
<form class="article_q" action="engine/change.php" method="post">
<input type="hidden" name="user" value="<?php echo $_SESSION['id']; ?>">
<input type="password" name="password" placeholder="Current Password"><br><br>
<input type="password" name="newpassword" placeholder="New Password"><br><br>
<input type="password" name="renewpassword" placeholder="Re:Password"><br><br>
<button class="btn btn-danger" value="submit">Save</button>
</div>
<div class="modal-footer">
</form>
</div>
</div>
</div>
</div>
<?php require "inc/footer.inc.php"; ?>
答案 0 :(得分:1)
好吧,我觉得您缺少加密的概念。
应该没有办法从哈希中检索字符串,因为它是一种单向算法。
重置密码的过程如下:
如果将其签出,您将看到它是合乎逻辑的。祝你好运!
答案 1 :(得分:0)
要更改/重置密码,用户必须先登录,然后他才能更新密码以提供当前密码。如果用户不知道自己的密码,则必须完成忘记密码的操作。这样,您可以验证密码仅由授权/有效人员更改。
但是,根据您的情况,您可以更改此查询以更新密码而无需验证
$sql = "SELECT * FROM users WHERE id='$user'";
最好在更新密码之前通过电子邮件/短信验证用户。