验证用户/更新表
我有简单的重置密码结构,供用户在丢失时更新其现有密码。用户转到输入电子邮件的链接,系统会为忘记密码的用户创建一个令牌并将其存储在指定表中。系统会向用户发送一封电子邮件,其中包含附加令牌的链接,当用户点击该链接时,系统会将他们带到一个重置密码的页面。如果数据库中存储的令牌与 $_GET 中的令牌匹配,我允许他们重置密码。简单的。
问题是我无法更新数据库中的特定行。我试图通过检查他们输入的电子邮件与数据库中的电子邮件来识别他们。我能够更新整个表的密码行,但是当指定一个用户时它会失败。
if(isset($_POST['sub_settings'])){
$query = "SELECT * FROM `Password_Reset` WHERE `token` = '".$token."' AND `email` = '".$user_email."'";
$request = mysql_query($query,$connection) or die(mysql_error());
$result = mysql_fetch_array($request);
$token = $result['token'];
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $_POST['password']);
$user_email = $result['email'];
if($_GET['token'] == $token) {
header("Location: index.php");
exit;
}else{
if(empty($_POST['Password'])) {
$valid = false;
$error_msgs[] = 'Whoops! You must enter a password.';
}
if($_POST['Password'] != $_POST['passwordConfirm'] || empty($_POST['Password'])) {
$valid = false;
$error_msgs[] = "Your password entries didn't match...was there a typo?";
}
if($valid) {
$query = "UPDATE `Users` SET `encrypted_password` = '$hashed_password' WHERE `Email` = '$user_email'";
mysql_query($query,$connection);
}
}
}
预先非常感谢
I have simple reset password structure for users to update their existing passwords if lost. The user goes to a link where they enter their email, a token is created and stored in a designated table for the user with the forgotten password. A email is sent to the user with a link that has the token attached, when they hit that link it takes them to a page to reset their password. If the token stored in the db matches the one in the $_GET, I allow them to reset their password. simple.
The problem is I can't update their specific row in the db. I am trying to identify them by checking their email they entered against their email in the db. I am able to update the WHOLE tables password row, but when specify one user it fails.
if(isset($_POST['sub_settings'])){
$query = "SELECT * FROM `Password_Reset` WHERE `token` = '".$token."' AND `email` = '".$user_email."'";
$request = mysql_query($query,$connection) or die(mysql_error());
$result = mysql_fetch_array($request);
$token = $result['token'];
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $_POST['password']);
$user_email = $result['email'];
if($_GET['token'] == $token) {
header("Location: index.php");
exit;
}else{
if(empty($_POST['Password'])) {
$valid = false;
$error_msgs[] = 'Whoops! You must enter a password.';
}
if($_POST['Password'] != $_POST['passwordConfirm'] || empty($_POST['Password'])) {
$valid = false;
$error_msgs[] = "Your password entries didn't match...was there a typo?";
}
if($valid) {
$query = "UPDATE `Users` SET `encrypted_password` = '$hashed_password' WHERE `Email` = '$user_email'";
mysql_query($query,$connection);
}
}
}
Thanks so much in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
为什么不将用户 ID 存储在
Password_Reset表中,然后根据该 ID 更新用户,而不是尝试匹配该电子邮件。请注意,如果您尝试匹配用户电子邮件,则电子邮件大小写必须与查询中的“=”完全匹配。您可以将电子邮件地址小写,但这在技术上是不正确的。
Why don't you store the user id in the
Password_Resettable and then update the user based on there id rather than trying to match there email.Note that if you are trying to match the users email the email casing must match exactly with an '=' in the query. You could lowercase the email address but this is technically incorrect.
看起来您没有大写 $_POST['Password']
根据您的其他代码,它应该是:
另外在您的 SELECT 中,您有
email,在 UPDATE 中您使用Email .MySQL 在非 Windows 平台上默认区分大小写。It looks like you've not capitalized $_POST['Password']
Based on your other code, it should be:
Also in your SELECT, you have
emailand in your UPDATE you useEmail.MySQL is case-sensitive by default on non-windows platforms.看起来您的第一个查询中有
$user_email但它尚未设置,因为您正在使用第一个查询的结果来设置它。除非你的意思是$_POST['user_email']?使用 user_id 会更容易、更安全,并且只向用户实际在您的系统中的情况发送令牌(看起来您正在向每个人发送令牌!)
您的令牌应该是唯一的。看起来完全是随机的。制作令牌的一个好方法是创建一个随机字符串 + 唯一标识用户的内容(例如用户名或电子邮件),然后使用 MD5 或类似函数对其进行哈希处理。它相当安全,并且可以识别用户本身,因此您只能通过令牌查找它们。
It looks like you have
$user_emailin your first query but it's not set yet because you're setting it with the result of the first query. Unless you mean$_POST['user_email']?It would be MUCH easier and more secure to use a user_id and only send the user a token if they are actually in your system (it appears you're sending everyone a token!)
Your token should be unique. It looks like it's completely random. A good way to make a token is to create a random string + something that uniquely identifies the user (such as their username or email) and then use MD5 or a similar function to hash it. It's reasonably secure and it identifies the user themselves so you can look them up by the token only.
我想应该是
!=。您需要检查令牌是否不等于数据库中的令牌。不是吗?
Should be
!=I suppose.You need to check if the token is not equal to the token into db. Isn't it?