我可能有一个愚蠢的愚蠢的问题……我正在做一个被遗忘的密码脚本(当然是登录系统),但是我被卡住了.我创建了一个具有特殊ID的代码(有效,是的!),但是我无法对其进行解密…您能帮我吗?
这是我创建特殊ID的功能:
Recovery_Script.PHP
<?PHP
include "pdo.PHP"; if(isset($_POST["submit"]) AND isset($_POST["ForgotPassword"])) {
$email = $_POST["ForgotPassword"];
// Check to see if a user exists with this e-mail
$sql = "SELECT email FROM account WHERE email=:email";
$stmt = $db->prepare($sql);
$stmt->execute(array(":email"=>$email));
$items = $stmt->fetchAll();
$db = null;
foreach($items as $data){
if($data["email"] == $email){
// Create a unique salt. This will never leave PHP unencrypted.
$salt = "498#2D83B631%3800EBD!801600D*7E3CC13";
// Create the unique user password reset key
$password = hash('sha256', $salt.$email);
// Create a url which we will direct them to reset their password
$pwrurl = "http://student.sps-prosek.cz/~kocvaja14/Project/SelfMade/templates/script/recovery_password.PHP?q=".$password;
// Mail them their key
$mailbody = "dobrý den,\n\nJestli tento email nepatří vám, prosím, ignorujte jej. Byla vytvořena žádost o obnovení hesla na webové stránce http://student.sps-prosek.cz/~kocvaja14/SelfMade/\n\nPro obnovení hesla klikněte na odkaz níže. \n\nThanks,\nThe Administration";
mail($email, "http://student.sps-prosek.cz/~kocvaja14/Project/SelfMade/index.PHP - Password Reset", $mailbody);
echo "Your password recovery key has been sent to your e-mail address.";
} else
echo "No user with that e-mail address exists.";
} }?>
现在我需要创建文件,在该文件中我将解密此ID($password).但是我做不到(因为我对此东西知识不足).你能帮我吗?谢谢 !
解决方法:
无法解密阴影值.
您需要做的是放弃密码恢复的想法,而要构建密码重置系统.
一种方法是这样的:
>在用户表中,为“ reset_hash”添加一列(一个不错的长哈希字符串)
>当用户请求重设密码时,构建一个哈希值并将其存储在他们的记录中.然后,在电子邮件中,发送包含该“ reset_hash”作为URL一部分的链接.
>当用户遵循URL时,请检查用户表中是否存在哈希.如果是这样,请提供用户可以更改其密码的表格.
您应该考虑的其他预防措施可能包括使用NONCE和验证NONCE,这是使链接在X个小时后失效的一种方式(NONCE仅在一段时间内有效).