1

我是蛋糕 php 的新手,我有一个问题。当用户更新他的个人资料时,我要求输入他的密码。现在我不知道如何使用存储的密码进行检查。

 <?php echo $form->create('UserProfile', array('url' => array('action' => 'edit_profile', 'controller' => 'users'))); ?>

            <?php


            echo $form->input('nickname', array('label' => __('Display Name', true), 'class' => 'INPUT required'));          
            ?>
            <b>To save these settings, please enter your password</b><br /><br />
            <?php
            echo $form->input('repeat_password', array('label' => __('Password', true), 'class' => 'INPUT required','type'=>'password'));
            echo $form->input('private', array('label' => __('Set Profile Private', true), 'class' => 'INPUT required'));
            ?>
<!--            <div id="CityList">
                <?php
//                echo $form->input('city', array('id' => 'citySelect', 'name' => 'data[UserProfile][city]', 'empty' => __('Please select city', true), 'label' => __('City', true), 'class' => 'INPUT required'));
                ?>
            </div> -->


            <?php echo $form->submit(__('Submit', true), array('class' => 'save_btn')) ?>`
>

在我的模型中,我对重复密码应用了以下验证。

    'repeat_password' => array(
                array('rule' => 'check_repeatPassword'),
                array('rule' => 'notempty', 'message' => __('Required', true), 'require' => true),
                array('rule' => 'alphaNumeric', 'allowEmpty' => true, 'message' => __('Password must only contain letters and numbers.', true)),
                array('rule' => array('minLength', 6), 'allowEmpty' => true,
                    'message' => __('Password must be at least 6 characters long.', true)),
                array('rule' => array('maxLength', 16), 'allowEmpty' => true,
                    'message' => __('Password must be at most 16 characters long.', true))
            ),
     function check_repeatPassword($data) {
        $repeatPassword = $data['repeat_passowrd'];

        $passwordExists = $this->find('count', array('conditions' => array('User.repeat_password' => $repeatPassword)));
        if ($passwordExists == 0) {
            return false;
        }
        return true;
    }

在我的控制器中,我制作了以下编辑配置文件方法。

     function edit_profile() {

        $this->loadModel('UserProfile');
        $user = $this->_authenticate_user();

        $id = $user['account_num'];


        if (!empty($this->data)) {

            $this->data['UserProfile']['account_name'] = $id;

            unset($this->data['UserProfile']['country']);
            unset($this->data['UserProfile']['city']);

            if ($this->UserProfile->save($this->data)) {
                $userInfo = $this->User->getUserInfo($id);

                $this->User->reassign_session($userInfo);

                $this->flashMessage(__('Your Profile has been Updated successfully', true), 'Sucmessage');


                //$this->redirect(array('action' => 'profile'));
            } else {
                $this->flashMessage(__('Your Profile has not been updated. Please, try again.', true));
            }
        }
        if (empty($this->data)) {
            $this->data = $this->UserProfile->read(null, $id);
        }

//        $this->loadModel('Country');
//        $countries = $this->Country->find('list');
//        $this->set('countries', $countries);


        $this->loadModel('Nationality');
        $nationalities = $this->Nationality->find('list', array('fields' => array('name', 'name')));
        $this->set('nationalities', $nationalities);

        $this->pageTitle = __('Edit My Profile', true);
    }

Kindly help me how to do this.Thankssssss in advance
4

1 回答 1

1

您没有以纯文本形式存储密码

我无法避免看到这一点并感到惊讶:

$passwordExists = $this->find('count', array(
    'conditions' => array(
        'User.repeat_password' => $repeatPassword
    )
));

请确认您没有以纯文本形式存储用户密码,如果您立即停止这样做并执行以下 sql:

ALTER TABLE users DROP repeat_password;

将哈希与哈希进行比较

在数据库中,您应该将用户的现有密码存储为单向哈希。假设是这种情况,要验证用户是否输入了他们现有的帐户密码 - 只需以与 Auth 组件相同的方式对他们提供的内容进行哈希处理,并与数据库进行比较:

function check_repeatPassword($data) {
    $userId = $this->data['UserProfile']['account_name']; // from the question

    $userInput = current($data);
    $hashedUserInput = Security::hash($userInput, null, true);

    return $this->find('count', array(
        'conditions' => array(
            'password' => $hashedUserInput,
            'id' => $userId
        )
    ));
}

这将确认用户输入的密码与该用户数据库中已经存在的密码相同。

于 2013-06-27T07:44:19.160 回答