4

我正在使用以下代码更新数据库中的密码和盐字段:

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

 $id = $_GET[id];

// This if statement checks to determine whether the registration form has been submitted 
// If it has, then the registration code is run, otherwise the form is displayed 
if(!empty($_POST)) 
{  
    // Ensure that the user has entered a non-empty password 
    if(empty($_POST['password'])) 
    { 
        die("Please enter a password."); 
    } 

    // Ensure that the user has entered a non-empty username 
    if(empty($_POST['confirmpassword'])) 
    { 
        // Note that die() is generally a terrible way of handling user errors 
        // like this.  It is much better to display the error with the form 
        // and allow the user to correct their mistake.  However, that is an 
        // exercise for you to implement yourself. 
        die("Please confirm your password."); 
    } 

    if ($_POST["password"] == $_POST["confirmpassword"]) {

        // An INSERT query is used to add new rows to a database table. 
        // Again, we are using special tokens (technically called parameters) to 
        // protect against SQL injection attacks. 
        $query = "UPDATE Staff SET password=:password, salt=:salt WHERE id=:id"; 

        // A salt is randomly generated here to protect again brute force attacks 
        // and rainbow table attacks.  The following statement generates a hex 
        // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read. 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash. 
        $password = hash('sha256', $_POST['password'] . $salt); 

        // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        }  

        try 
        { 
            // Execute the query to create the user 
            $stmt = $db->prepare($query); 
            $stmt->execute(array(
            ':password' => $password,
            ':salt' => $salt,
            ':id' => $id)); 


        } 
        catch(PDOException $ex) 
        { 
            // Note: On a production website, you should not output $ex->getMessage(). 
            // It may provide an attacker with helpful information about your code.  
            die("Failed to run query: " . $ex->getMessage()); 
        } 

        // This redirects the user back to the login page after they register 
        header("Location: login.php"); 

    }

    die("Passwords do not match.");  
}

数据库中有一个 'id' 字段,以及一个 id 等于 1 的员工(上一页上的链接将 id 传递到此页面,在本示例中,id 为 1)。我不确定它为什么不更新数据库。我是 php 新手,希望得到任何帮助。

谢谢,乔

4

2 回答 2

1

语法不正确,你想调用$idusing:

$id = $_GET['id'];
于 2013-09-23T21:38:35.853 回答
1

我认为当你这样做execute(array)blah时,它将所有变量都视为字符串,所以使用

http://www.php.net/manual/en/pdostatement.bindparam.php

$stmt ->bindParam(':password', $password, PDO::PARAM_STR)
$stmt ->bindParam(':salt', $salt, PDO::PARAM_STR)
$stmt ->bindParam(':id', $id, PDO::PARAM_INT)
$stmt ->execute();
于 2013-09-23T22:37:47.737 回答