如何验证“旧密码”字段中键入的内容是否是在数据库中存储并散列的用户当前密码?我应该使用password_verify($password, $hash)吗?如果可以的话,如何将其连接到数据库?
我已使用它来加密“ Registration.php”页面上的密码:
//Encrypt password
$hash = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (username, password) VALUES ('$username', '$hash')";
mysqli_query($db_server, $query) or die("Insert failed. ". mysqli_error($db_server));
$message = "<strong>Registration successful!</strong>";
这是来自ChangePassword.php的代码:
$user = $_SESSION['username'];
$oldpassword = trim($_POST['oldpassword']);
$newpassword = trim($_POST['newpassword']);
$repeatnewpassword = trim($_POST['repeatnewpassword']);
session_start();
if(isset($_POST['submit'])){
if ($oldpassword&&$newpassword&&$repeatnewpassword){
//Here I want to insert an if statement that checks if the $oldpassword matches the password in the database
if ($newpassword==$repeatnewpassword){
if (strlen($newpassword)>25||strlen($newpassword)<6) {
$message = "Password must be 6-25 characters long";
}else{
require_once("db_connect.php");
if($db_server){
$oldpassword = clean_string($db_server, $oldpassword);
$newpassword = clean_string($db_server, $newpassword);
$repeatnewpassword = clean_string($db_server, $repeatnewpassword);
mysqli_select_db($db_server, $db_database);
if($newpassword <> ''){
$newpassword = password_hash($_POST['newpassword'], PASSWORD_DEFAULT);
$query="UPDATE users SET password ='$newpassword' WHERE ID=". $_SESSION['userID']." ";
mysqli_query($db_server, $query) or die("Insert failed. ". mysqli_error($db_server));
$message = "<strong>Change successful!</strong>";
} else {
$message="Please insert a password";
}
}else{
$message="Error: could not connect to the database.";
}
require_once("db_close.php");
}
} else {
$message="New passwords don't match";
}
}else{
$message="Please fill in all fields";
}
}