
I have a table in which one field, TempPass, is blank for all users. When a user requests a password change, instead of updating their existing password, my script stores the temporary password that is emailed to the user in the TempPass field using SHA. The following line shows the change:

$query = "UPDATE users SET TempPass=SHA('$p') WHERE UserID=$uid";

During registration I save the password with the following line:

$password = md5(mysql_real_escape_string($_POST['password']));

My HTML file looks like this:

<?php include "config.php"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="theStylesScripts/lostPassStyle.css" type="text/css" media="all" />
<title>Reset Password</title>
</head>

<body>
<?php

include("mailerClass/class.phpmailer.php");
include("mailerClass/class.smtp.php");

if (isset($_POST['submitted'])) { // Handle the form.
    if (empty($_POST['email'])) { // Validate the email address.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your email address!</font></p>';
    }
    if (empty($_POST['temppass'])) { // Validate the email address.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your temporary password!</font></p>';
    }
    if (empty($_POST['newpass'])) { // Validate the email address.
        $uid = FALSE;
        echo '<p><font color="red" size="+1">You forgot to enter your new password!</font></p>';
    }
    else {
        // Check for the existence of that email address.
        $query = "SELECT UserID FROM users WHERE EmailAddress='".  mysql_real_escape_string($_POST['email']) . "'";
        $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        if (mysql_num_rows($result) == 1) {
            // Retrieve the user ID.
            list($uid) = mysql_fetch_array ($result, MYSQL_NUM);
        }
        else {
            echo '<p><font color="red" size="+1">The submitted email address does not match those on file!</font></p>';
            $uid = FALSE;
        }
    }
    if ($uid) { // If everything’s OK.
        // Make the query.
        $query = "THIS IS THE QUERY THAT WILL COMPARE THE USEREMAIL WITH THE TEMPORARY PASSWORD ASSIGNED AND EMAILED TO WHAT THE USER ENTERED IN THE FORM";
        $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        if ("USEREMAIL WITH THE AUTO ASSIGNED TEMPORARY PASSWORD MATCHES WITH THE TEMPORARY PASSWORD ENTERED BY THE USER") { // If it ran OK.
            $query = "THIS IS THE QUERY THAT WILL UPDATE THE EXISTING PASSWORD WITH THE NEW PASSWORD ENTERED BY USER";
            $query = "SET TEMPPASS BACK TO NULL FOR THAT USERID";
            echo '<h3>Your password has been changed. You will receive the new, temporary password at the email address with which you registered. Once you have logged in with this password, you may change it by clicking on the "Change Password" link.</h3>';
            mysql_close(); // Close the database connection.
            //include (‘./includes/footer.html’); // Include the HTML footer.
            exit();
        } else { // If it did not run OK.
            echo '<p><font color="red" size="+1">Your password could not be changed due to a system error. We apologize for any inconvenience.</font></p>';
        }
    }
    else { // Failed the validation test.
        echo '<p><font color="red" size="+1">Please try again.</font></p>';
    }
} // End of the main Submit conditional.
?>

<h1>Reset Your Password</h1>

<p>Enter your email address below and your password will be reset.</p>

<form action="resetPass.php" method="post">

<fieldset>

<p><b>Email Address:</b> <input type="email" name="email" size="20" maxlength="40" value="" /></p>
<p><b>Temporary Password:</b> <input type="text" name="temppass" size="20" maxlength="40" value="" /></p>
<p><b>New Password:</b> <input type="text" name="newpass" size="20" maxlength="40" value="" /></p>

</fieldset>

<div align="center"><input type="submit" name="submit" value="Create New Password" /></div>

<input type="hidden" name="submitted" value="TRUE" />

</form>

</body>
</html>

How do I modify the following code to do what I want:

if ($uid) { // If everything’s OK.
    // Make the query.
    $query = "THIS IS THE QUERY THAT WILL COMPARE THE USEREMAIL WITH THE TEMPORARY PASSWORD ASSIGNED AND EMAILED TO WHAT THE USER ENTERED IN THE FORM";
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
    if ("USEREMAIL WITH THE AUTO ASSIGNED TEMPORARY PASSWORD MATCHES WITH THE TEMPORARY PASSWORD ENTERED BY THE USER") { // If it ran OK.
        $query = "THIS IS THE QUERY THAT WILL UPDATE THE EXISTING PASSWORD WITH THE NEW PASSWORD ENTERED BY USER";
        $query = "SET TEMPPASS BACK TO NULL FOR THAT USERID";
        echo 'password changed';
        mysql_close(); // Close the database connection.
        exit();
    } else { // If it did not run OK.
        echo 'no change. error';
    }
}

Also, should I save the new password in md5 format?

Please note: I will update to mysqli as soon as I can.


1 Answer

if ($uid) { // If everything’s OK.
    // Make the query. TempPass was stored as SHA('...') (see the question),
    // so compare against the same hash rather than the plaintext.
    $query = "SELECT * FROM users WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."' AND TempPass=SHA('".mysql_real_escape_string($_POST['temppass'])."')";
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
    if (mysql_num_rows($result)==1) { // Exactly one row matched email + temporary password.
        // Store the new password hashed, then clear the temporary one so it cannot be reused.
        $query = "UPDATE users SET password=SHA2('".mysql_real_escape_string($_POST['newpass'])."',512) WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."'";
        mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        $query = "UPDATE users SET TempPass='' WHERE EmailAddress='".mysql_real_escape_string($_POST['email'])."'";
        mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
        echo 'password changed';
        mysql_close(); // Close the database connection.
        exit();
    } else { // If it did not run OK.
        echo 'no change. error';
    }
}

Storing the new password in MD5 is not secure because it has been broken; use some other hash, such as SHA512.

answered 2013-10-04T16:12:44.380
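As an added example, not the asker's or the answerer's code, here is the same reset flow (issue a temporary password, verify it together with the email, set the new password, clear the temporary one) written with the mysqli/PDO migration the asker mentions already done: PDO prepared statements instead of string-built queries, password_hash()/password_verify() for the stored password instead of MD5 or a bare SHA, the temporary password hashed at rest with an expiry, and hash_equals() for the comparison. Table and column names (users, UserID, EmailAddress, PasswordHash, TempPassHash, TempPassExpires) are assumptions chosen to mirror the question, and an in-memory SQLite database is used only so the script runs offline; the same SQL runs against MySQL through PDO or mysqli.

```php
<?php
// Added example (not from the question or answer): hardened password-reset flow.
// Assumptions: column names are illustrative; SQLite in-memory stands in for MySQL.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        UserID INTEGER PRIMARY KEY,
        EmailAddress TEXT UNIQUE NOT NULL,
        PasswordHash TEXT NOT NULL,
        TempPassHash TEXT NULL,
        TempPassExpires INTEGER NULL)');
    return $db;
}

// Registration: store only a salted, slow hash of the password (never md5()).
function registerUser(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (EmailAddress, PasswordHash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Step 1: user asks for a reset. Generate a random temporary password, keep only
// its SHA-256 in the table with a one-hour expiry, and return the plaintext so the
// caller can email it. Callers should show the same message whether or not the
// address exists, so the form does not reveal which emails are registered.
function issueTempPass(PDO $db, string $email): ?string {
    $temp = bin2hex(random_bytes(16));
    $stmt = $db->prepare('UPDATE users SET TempPassHash = ?, TempPassExpires = ? WHERE EmailAddress = ?');
    $stmt->execute([hash('sha256', $temp), time() + 3600, $email]);
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Step 2: user submits email, temporary password and new password (the form in
// the question). Bound parameters replace mysql_real_escape_string() entirely.
function completeReset(PDO $db, string $email, string $temp, string $newPassword): bool {
    $stmt = $db->prepare('SELECT UserID, TempPassHash, TempPassExpires FROM users WHERE EmailAddress = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['TempPassHash'] === null) {
        return false; // unknown email or no reset pending
    }
    if ((int)$row['TempPassExpires'] < time()) {
        return false; // temporary password expired
    }
    // Constant-time comparison so response timing does not leak matching prefixes.
    if (!hash_equals($row['TempPassHash'], hash('sha256', $temp))) {
        return false;
    }
    // Set the new password and consume the temporary one in a single statement,
    // which is the "set TempPass back to NULL" step from the question.
    $upd = $db->prepare('UPDATE users SET PasswordHash = ?, TempPassHash = NULL, TempPassExpires = NULL WHERE UserID = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['UserID']]);
    return $upd->rowCount() === 1;
}

// Login check against the stored hash.
function verifyLogin(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT PasswordHash FROM users WHERE EmailAddress = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Walk-through with constructed sample data.
$db = openDb();
registerUser($db, 'alice@example.com', 'old-password');
$temp = issueTempPass($db, 'alice@example.com'); // in production this value is emailed, not printed
var_dump(completeReset($db, 'alice@example.com', 'not-the-temp-password', 'new-password')); // wrong temporary password
var_dump(completeReset($db, 'alice@example.com', $temp, 'new-password'));                  // correct temporary password
var_dump(completeReset($db, 'alice@example.com', $temp, 'another-password'));              // reuse after it was consumed
var_dump(verifyLogin($db, 'alice@example.com', 'new-password'));                           // login with the new password
```

The two details worth keeping when porting this back to MySQL are that the hashing happens in PHP rather than in SQL (so the plaintext never appears in a query string or the server's query log, unlike `SHA('$p')`), and that the password update and the clearing of TempPass are one statement, so a crash between them cannot leave a usable temporary password behind.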