所以我有一个页面,用户可以在其中更改密码,但是我想通过询问用户旧密码然后输入新密码来提高安全性,我只是不知道如何验证是否有人可以提供帮助请问我
这是我的实际代码:
<?php
//Inicio de uma session que autentica e valida o login feito em login.php
session_start();
//Redirecionar um Admin ou um SuperAdmin para a devida página com as devidas permissões!
include '../functions/redirect.php';
isAuthenticated();
$user = $_SESSION['users']['username'];
?>
<!DOCTYPE html>
<?php
require '../functions/database.php';
if ( !empty($_POST)) {
// Manter a validação dos erros
$usernameError = null;
$passwordError = null;
$password = $_POST['password'];
// $confirm_password = null;
// $new_password = null;
// Validar os inputs
$valid = true;
if (empty($password)) {
$passwordError = 'Introduza a password!';
$valid = false;
}
// Inserir os dados
if ($valid) {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$password = password_hash($password, PASSWORD_BCRYPT);
$sql = "UPDATE users SET password = ? WHERE username = '$user'";
$q = $pdo->prepare($sql);
$q->execute(array($password));
header("Location: index.php");
Database::disconnect();
}
}
?>
答案 0 :(得分:0)
我假设您在用户填写的表单中有一个“ old_password”和“ new_password”字段。您首先要对照用户表中已有的哈希密码检查输入的旧密码。
注意,使用过滤器对在表单中输入的信息进行传递之前,将其清除到SQL查询中。
如果一切都很好,那么您可以继续进行测试,并根据需要测试输入的新密码。 如果新密码通过验证,则继续操作并更新用户表。
// Connect to database
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$valid = false;
if ( !empty($_POST)) {
// Manter a validação dos erros
$usernameError = null;
$passwordError = null;
// Read in old password from form field
$old_password = filter_var($_POST['old_password'], FILTER_SANITIZE_STRING);
// Validar os inputs
if (empty($old_password)) {
$passwordError = 'Introduza a password!';
$valid = false;
}
// Check old password
else {
// Read in old password from db
// build SELECT statement with variable
$sql = 'SELECT password FROM users WHERE username = :USER';
$sql->bindValue(':USER', $user);
$sql->execute();
if ($sql->rowCount() > 0) {
// Read in value from select
$row = $sql->fetchObject();
$user_password = $row->password;
// Test entered password against hashed current user password
if (password_verify($old_password, $user_password)) {
$valid = true;
}
else {
// passwords do not match
$valid = false
}
}
else {
// Did not find user in table
$valid = false;
}
}
}
// Inserir os dados
if ($valid) {
// Test new password
$new_password = filter_var($_POST['new_password'], FILTER_SANITIZE_STRING);
// here you would test length, or content or whatever ...
// if still valid you save the new password
$new_password = password_hash($new_password, PASSWORD_BCRYPT);
$sql = "UPDATE users SET password = :NEWPASSWORD WHERE username = :USER';
$sql->bindValue(':NEWPASSWORD', $new_password);
$sql->bindValue(':USER', $user);
$sql->execute();
// header("Location: index.php");
}
Database::disconnect();
答案 1 :(得分:0)
我还要指出,在$ _POST提交之后,$ valid = true是没有意义的,因为您通过发送$ _POST来使$ valid为true,无论那里有什么输入,只要有输入,它都会接受任何输入密码更新实际上需要所有数据。 然后,您检查其他要求,然后将$ valid更改为false。
您应该以$ valid = false开头,当满足要求时,可以将其返回为True。
还可以添加到Derek的答案中,我建议您进行其他小的检查,以确保用户必须两次检查新密码,以免出现输入错误而后来又无法登录的情况。
答案 2 :(得分:0)
要执行此操作,您必须处理两次:
第一次,您必须获取用户的当前密码。验证他的ID:
$password = $_POST['password'];
if (password_verify($password, $remote->password))
// the password is right
-> remote是sql请求的结果
然后,第二次,您将比较新密码和该密码的确认。如果相同:
$new = $_POST['new_password'];
$confirm = $_POST['confirm'];
if ($new == $confirm)
$new = password_hash($new, PASSWORD_BCRYPT);
// execute your sql insertion
请原谅我的英语