在PHP和MD5哈希中更改密码脚本

时间:2011-12-02 22:43:35

标签: php mysql md5

  

可能重复:
  forget password page, creating a generated password to email to the user.

我正在尝试创建更改密码页面。下面的代码应该检查以确保用户在数据库中,确认当前密码并允许他们更改密码。它验证新密码是否正确检查以确保它们是相同且具有一定长度,但如果用户名不在数据库中并且它表示当前用户的密码,则它不会返回错误消息数据库错了。我认为它不能正确匹配哈希密码,但我不确定。任何人都可以帮我解决这些问题。谢谢。

<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Change Password Confrim</title>
    </head>
    <body>
        <?php
      $db_server = "server";
       $db_username = "name";
       $db_password = "pass";

       $con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
                {
                    die('Could not connect: ' . mysql_error());
                }

               $database = "User";  

              $er = mysql_select_db($db_username);
        if (!$er) 
        {
         print ("Error - Could not select the database");
         exit;
        }        



//////////Collect the form data ////////////////////
$username =$_P0ST['username'];
$cur_password=$_POST['cur_password'];
$password=$_POST['password'];
$password2=$_POST['password2'];
/////////////////////////



$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$username = mysql_real_escape_string($username); 
$cur_password = mysql_real_escape_string($cur_password); 
//Setting flags for checking
$status = "OK";
$msg="";

//Checking to see if password is at least 3 char max 8 
if ( strlen($password) < 3 or strlen($password) > 15 )
{
    $msg=$msg."Password must be more than 3 char legth and maximum 15 char lenght<br/>";
    $status= "NOTOK";
}                   

//Checking to see if both passwords match 
if ( $password <> $password2 )
{
    $msg=$msg."Both passwords are not matching<br/>";
    $status= "NOTOK";
}                   

     $CorrectUser = mysql_query("SELECT * FROM User WHERE username ='$username' AND password = MD5('$cur_password')");
     $row = mysql_fetch_array($CorrectUser);
      if ($row['username'] == $username) 
          {
          $status = "OK"; 
          }
       else {
                print("Your username is not in the database. Please check that you enter the correct username and try again."); 
                $status = "NOTOK";
            }

        if ($row['cur_password'] == MD5('$cur_password')) 
            {
                $status = "OK"; 
            }
         else
             {
                print("You entered the wrong current passowrd"); 
                $status = "NOTOK"; 
             }


if($status<>"OK"){ 
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else
{ // if all validations are passed.
    if(mysql_query("UPDATE User SET password = MD5('$password') WHERE username ='$username'"))
    {
        echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully.</font></center>";
    }
    else
    {
        echo "<font face='Verdana' size='2' color=red><center>Sorry <br> Failed to change password.</font></center>";
    }

}

?>
<center>
<br><br><a href='Settings.html'>Settings Page</a></center> 

</body>

</html>

3 个答案:

答案 0 :(得分:2)

只需从SQL查询中删除AND password = MD5('$cur_password')即可。这样您就可以找到用户密码是否正确。您的PHP测试$row['cur_password'] == MD5('$cur_password')就足够了;你不需要把它放在你的SQL查询中。

答案 1 :(得分:0)

PHP专栏:

if ($row['cur_password'] == MD5('$cur_password')) 

应该是

if ($row['cur_password'] == MD5($cur_password))

但是,您似乎已经在数据库中检查了密码。

此外,如果密码和密码2不匹配,则设置$ status ='NOTOK',但忽略该结果。即:如果您的密码不匹配&amp; password2,但是匹配的用户/密码,它仍然会更新。

除非您需要使用无盐MD5,否则添加盐可能是明智的。

答案 2 :(得分:0)

首先,这条线不行

$CorrectUser = mysql_query("SELECT * FROM User WHERE username ='$username' AND password = MD5('$cur_password')");

这样看......:

SELECT * FROM User WHERE username ='BOB' AND password = 32RE5446DDGDDDYHBD" <-- THE QUOTES ARE MISSING HERE

试试这样:

$CorrectUser = mysql_query("SELECT * FROM User WHERE username ='".$username."' AND password = '".MD5($cur_password)."'");

“隔离”变量是一种很好的做法,它避免了很多错误。