使用默认密码哈希更新 SQL 密码会阻止登录
Updating SQL password with default password hash prevents logins
我按照 this tutorial 为我的网站创建了一个登录系统,到目前为止它运行良好。我完全按照步骤操作,创建了所有需要的文件等。用户以自己的身份登录后,可以毫无问题地更改密码。
但是,我现在创建了一个受保护的目录,允许其他用户重置其他用户的密码(以防他们忘记密码)。此代码如下:
(我已经包含了该页面的所有代码,除了我的一些样式元素(例如,位于此代码其余部分上方的菜单栏)。虽然我知道这可能不是最好的方法,但我想确保我向大家提供了尽可能多的信息。)
<?php
// Initialize the session
session_start();
// Check if user is logged in. If N, return to /login/
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: /login/");
exit;
} ?>
<!DOCTYPE html>
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>DAT Room Bookings</title>
<meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Scales to mobile -->
<link rel="stylesheet" type="text/css" href="style.css"> <!-- System style -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> <!-- Icons -->
<link href="https://fonts.googleapis.com/css?family=Lato&display=swap" rel="stylesheet"> <!-- System font -->
<link rel="stylesheet" href="scripts/lightbox2-2.11.1/src/css/lightbox.css" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <!-- Drop Down Images -->
<script src="scripts/lightbox2-2.11.1/src/js/lightbox.js"></script> <!-- Lightbox Images -->
</head>
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $username, $password, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div style="padding-left:25%; padding-right:25%; padding-top:10px">
<p><strong>User ID:</strong> <?php echo $id; ?></p>
<strong>Username:</strong> <input type="text" name="username" value="<?php echo $username; ?>" readonly /><br/>
<strong>Enter New Password: *</strong> <input type="text" name="password" value=""/><br/>
<p>* Required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
$password = mysql_real_escape_string(htmlspecialchars($_POST['password']));
$hashed = password_hash('$password', PASSWORD_DEFAULT);
// check that password fields are both filled in
if ($password == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $username, $password, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE users SET username='$username', password='$hashed' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$username = $row['username'];
$password = $row['password'];
// show form
renderForm($id, $username, $password, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>
表单正确显示并提取用户的 ID 和用户名。我设置的密码散列与我在网站的更改密码功能中看到的一样(使用默认值)。当我尝试重置另一个用户的密码时,我可以在 phpmyadmin 中看到哈希已更改,因此这意味着更改已正确完成。
但是,这就是问题所在,当所述用户随后尝试使用新密码再次登录时,他们被告知密码不正确。我并排查看了这些代码,但我必须承认,作为 PHP 的新手,我不太了解教程中的大部分代码在做什么,这就是为什么我对这个函数我已经尝试为自己创建一个简化版本来执行此功能。
如果这是一个直截了当的错误,我深表歉意,但我真的无法理解。
您在此处将密码保存为
$hashed = password_hash('$password', PASSWORD_DEFAULT);
此处 $password 不需要单引号。此外,您确定在登录页面中,在验证凭据时使用了类似的逻辑吗?可能像
$user['password'] == password_hash($_POST['password'],PASSWORD_DEFAULT)
从数据库中检索 $user。
我按照 this tutorial 为我的网站创建了一个登录系统,到目前为止它运行良好。我完全按照步骤操作,创建了所有需要的文件等。用户以自己的身份登录后,可以毫无问题地更改密码。
但是,我现在创建了一个受保护的目录,允许其他用户重置其他用户的密码(以防他们忘记密码)。此代码如下:
(我已经包含了该页面的所有代码,除了我的一些样式元素(例如,位于此代码其余部分上方的菜单栏)。虽然我知道这可能不是最好的方法,但我想确保我向大家提供了尽可能多的信息。)
<?php
// Initialize the session
session_start();
// Check if user is logged in. If N, return to /login/
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: /login/");
exit;
} ?>
<!DOCTYPE html>
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>DAT Room Bookings</title>
<meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Scales to mobile -->
<link rel="stylesheet" type="text/css" href="style.css"> <!-- System style -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> <!-- Icons -->
<link href="https://fonts.googleapis.com/css?family=Lato&display=swap" rel="stylesheet"> <!-- System font -->
<link rel="stylesheet" href="scripts/lightbox2-2.11.1/src/css/lightbox.css" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <!-- Drop Down Images -->
<script src="scripts/lightbox2-2.11.1/src/js/lightbox.js"></script> <!-- Lightbox Images -->
</head>
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $username, $password, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div style="padding-left:25%; padding-right:25%; padding-top:10px">
<p><strong>User ID:</strong> <?php echo $id; ?></p>
<strong>Username:</strong> <input type="text" name="username" value="<?php echo $username; ?>" readonly /><br/>
<strong>Enter New Password: *</strong> <input type="text" name="password" value=""/><br/>
<p>* Required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
$password = mysql_real_escape_string(htmlspecialchars($_POST['password']));
$hashed = password_hash('$password', PASSWORD_DEFAULT);
// check that password fields are both filled in
if ($password == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $username, $password, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE users SET username='$username', password='$hashed' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$username = $row['username'];
$password = $row['password'];
// show form
renderForm($id, $username, $password, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>
表单正确显示并提取用户的 ID 和用户名。我设置的密码散列与我在网站的更改密码功能中看到的一样(使用默认值)。当我尝试重置另一个用户的密码时,我可以在 phpmyadmin 中看到哈希已更改,因此这意味着更改已正确完成。
但是,这就是问题所在,当所述用户随后尝试使用新密码再次登录时,他们被告知密码不正确。我并排查看了这些代码,但我必须承认,作为 PHP 的新手,我不太了解教程中的大部分代码在做什么,这就是为什么我对这个函数我已经尝试为自己创建一个简化版本来执行此功能。
如果这是一个直截了当的错误,我深表歉意,但我真的无法理解。
您在此处将密码保存为
$hashed = password_hash('$password', PASSWORD_DEFAULT);
此处 $password 不需要单引号。此外,您确定在登录页面中,在验证凭据时使用了类似的逻辑吗?可能像
$user['password'] == password_hash($_POST['password'],PASSWORD_DEFAULT)
从数据库中检索 $user。