php - 更改和确认密码 MySql PHP
问题描述
所以我有一个用户可以更改密码的页面,但我希望它更安全,通过询问用户旧密码然后是新密码,我只是不知道如何验证任何人都可以帮助我吗?
这是我的实际代码:
<?php
//Inicio de uma session que autentica e valida o login feito em login.php
session_start();
//Redirecionar um Admin ou um SuperAdmin para a devida página com as devidas permissões!
include '../functions/redirect.php';
isAuthenticated();
$user = $_SESSION['users']['username'];
?>
<!DOCTYPE html>
<?php
require '../functions/database.php';
if ( !empty($_POST)) {
// Manter a validação dos erros
$usernameError = null;
$passwordError = null;
$password = $_POST['password'];
// $confirm_password = null;
// $new_password = null;
// Validar os inputs
$valid = true;
if (empty($password)) {
$passwordError = 'Introduza a password!';
$valid = false;
}
// Inserir os dados
if ($valid) {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$password = password_hash($password, PASSWORD_BCRYPT);
$sql = "UPDATE users SET password = ? WHERE username = '$user'";
$q = $pdo->prepare($sql);
$q->execute(array($password));
header("Location: index.php");
Database::disconnect();
}
}
?>
解决方案
I am assuming you have an "old_password" and a "new_password" field in your form that the user fills in. You first check the old password entered against the hashed password already in your users table.
NOTE the use of filter sanitizing the information entered in your form before passing it through to an SQL query.
If all is good then you go ahead and test the new password entered however you want. If the new password is validated then you go ahead and update your users table.
// Connect to database
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$valid = false;
if ( !empty($_POST)) {
// Manter a validação dos erros
$usernameError = null;
$passwordError = null;
// Read in old password from form field
$old_password = filter_var($_POST['old_password'], FILTER_SANITIZE_STRING);
// Validar os inputs
if (empty($old_password)) {
$passwordError = 'Introduza a password!';
$valid = false;
}
// Check old password
else {
// Read in old password from db
// build SELECT statement with variable
$sql = 'SELECT password FROM users WHERE username = :USER';
$sql->bindValue(':USER', $user);
$sql->execute();
if ($sql->rowCount() > 0) {
// Read in value from select
$row = $sql->fetchObject();
$user_password = $row->password;
// Test entered password against hashed current user password
if (password_verify($old_password, $user_password)) {
$valid = true;
}
else {
// passwords do not match
$valid = false
}
}
else {
// Did not find user in table
$valid = false;
}
}
}
// Inserir os dados
if ($valid) {
// Test new password
$new_password = filter_var($_POST['new_password'], FILTER_SANITIZE_STRING);
// here you would test length, or content or whatever ...
// if still valid you save the new password
$new_password = password_hash($new_password, PASSWORD_BCRYPT);
$sql = "UPDATE users SET password = :NEWPASSWORD WHERE username = :USER';
$sql->bindValue(':NEWPASSWORD', $new_password);
$sql->bindValue(':USER', $user);
$sql->execute();
// header("Location: index.php");
}
Database::disconnect();
推荐阅读
- android - 为什么我的布局在小屏幕上不能很好地填充?
- node.js - 运行 launch.json 配置时找不到模块“/Applications/Visual”
- reactjs - 为什么更新我的 React 组件的状态会扰乱迭代?
- android - 高度大于屏幕时Android TextInputLayout写入焦点问题
- sql - 根据表的值选择加权随机行
- python - pyqt5 无法将边框应用于无框窗口
- highcharts - Highcharts - 导出甘特图不显示用户以前的交互
- mysql - Puppetlabs MySQL 无法安装以前版本的 MySQL
- r - 如何使用 Geom_Area (GGplot) 制作正方形图
- java - Java IO,加载和保存二进制文件