忘记密码页面,创建一个生成的密码以电子邮件发送给用户. [英] forget password page, creating a generated password to email to the user.
问题描述
我正在尝试创建一个忘记密码页面.我听说通过电子邮件将原始密码发送给用户不是一个好主意,因此我试图创建一个随机的确认密码,他们可以使用该密码来登录自己的帐户,然后将密码更改为所需的密码.到目前为止,问题在于用户邮件实际上不在数据库中.另外,我应该更新数据库以存储随机密码,还是可以使用该密码?我的数据库具有表用户名,用户名,电子邮件和密码.我问用户以html格式提供其电子邮件地址,然后将其发送到该php格式.这是我第一次尝试执行此操作,因此可能会有很多错误,但是我找到了可以帮助某些人的教程,因此不应这样做.谢谢您的帮助.
I am trying to create a forgot password page. I have heard that it is not a good idea to send the original password to the user via email so I am trying to create a random confirmation password that they can use to log into their account and later change the password to whatever they want. So far the problem is it is saying the users email is not in the database when in fact it is. Also, should I update the database to store the random password or will the way I have it work? My database has the tables username, fristname, email, and password. I am asking the user for their email address in a html form then sending it to this php form. This is my first time attempting to do this so it might have a lot of errors, but I found a tutorial to help some so it shouldn't. Thanks for the help.
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Sending Password</title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$database = "Test_Members";
$er = mysql_select_db($db_username);
if (!$er)
{
print ("Error - Could not select the database");
exit;
}
//include "session.php";
function createRandomPassword() {
$chars = "abcdefghijkmnopqrstuvwxyz023456789";
srand((double)microtime()*1000000);
$i = 0;
$pass = '' ;
while ($i <= 7) {
$num = rand() % 33;
$tmp = substr($chars, $num, 1);
$pass = $pass . $tmp;
$i++;
}
return $pass;
}
$password = createRandomPassword();
$password =$_P0ST['password'];
$email = $_P0ST['email'];
$tbl_name=Account_Holders;
$sql="SELECT password FROM $tbl_name WHERE email='$email'";
$result=mysql_query($sql);
// if found this e-mail address, row must be 1 row
// keep value in variable name "$count"
$count=mysql_num_rows($result);
// compare if $count =1 row
if($count==1){
$rows=mysql_fetch_array($result);
// keep password in $your_password
$your_password=$rows['password']; //will this replace the users password with the random one? That is what I am attempting to do here.
// send e-mail to ...
$to=$email;
// Your subject
$subject="Your Password";
// From
$header="from: Feed The Students";
// Your message
$messages= "Your password for login to our website \r\n";
$messages.="Your password is $your_password \r\n";
$messages.="Please change this password for security reasons. Thank you. \r\n";
// send email
$sentmail = mail($to,$subject,$messages,$header);
}
// else if $count not equal 1
else {
echo "Sorry we did not find your email in our database.";
}
// if your email succesfully sent
if($sentmail){
echo "Your password has been sent to your email address.";
}
else {
echo "We can not send your password at this time.";
}
?>
</body>
</html>
推荐答案
首先,您不应该将用户的密码存储在数据库中-无论如何不是明文形式.在连接密码重置问题之前,我将先解决此问题.
First of all, you shouldn't be storing the users' passwords in your database - not in cleartext, anyways. I'm going to address this before addressing the password reset problem since they're connected.
A common technique is to transform the password using a one-way hash algorithm with a salt (see Wikipedia Definition of Salt for more info), and then when users attempt to login, to perform the same encryption and compare the hashes.
要使事情变得更加复杂,请尝试更改每个哈希值的大小.
To make things even more complex, try changing the salt on every hash.
这是我使用的分步方法:
Here's a step-by-step method that I use:
- 用户通过注册表格创建密码
-
在这种情况下,函数使用SHA256算法并使用随机创建的盐来创建随机盐,然后对密码进行加密.
- User creates password (via a registration form)
A function creates a random salt and then encrypts the password, in this case, using SHA256 algorithm and using a randomly created salt.
$password_salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
$password_hash = hash('sha256', $salt . $password);
将$ password_hash和$ password_salt保存到users表.以后当用户尝试登录时,将使用它们来对用户进行身份验证.
Save the $password_hash and the $password_salt to the users table. These will be used later to authenticate the user when they attempt to login in the future.
当用户登录时,检查用户名/电子邮件/登录,如果找到,则从users表中获取哈希值和盐值,并将db中的密码哈希值与通过执行相同功能返回的哈希值进行比较他们输入的密码.
When the user logs in, check the username/email/login and if found, grab the hash and salt from the users table and compare the password hash from the db to the hash returned from performing the same function on what they entered as their password.
$salt = $user_record['password_salt'];
$entered_hash = hash('sha256', $salt . $entered_password);
在上述情况下,如果$ entered_password_hash == $ user_record ['password_hash']($ user_record,是您的数据库中的密码),则密码将得到验证.
In the case above, if $entered_password_hash == $user_record['password_hash'] ($user_record, being what comes from your db) then the password is validated.
注意为了使事情变得更复杂,我实际上将密码哈希值和盐值存储在数据库的同一字段中.您可以将它们以一种或另一种方式连接在一起,因此,如果数据库受到破坏,则密码字段实际上对检索用户密码毫无用处.
Note To make things more complex, I actually store the password hash and the salt in the same field in the db. You can concat them together, one way or the other so if your database is compromised, the password field is effectively useless for retrieving user passwords.
现在,当您想处理忘记的密码时,可以创建一个随机密码,但是仍然会通过电子邮件发送给用户,这不是一个好主意,即使是临时密码也是如此.我建议通过电子邮件向用户发送点击链接,将其引导至密码重设页面.以下是该过程的几个步骤:
Now when you want to address forgotten passwords, you can create a random password but that's still going to be emailed to the user, which isn't a good idea, even for a temporary password. I would suggest emailing the user a link to click, leading them to a password reset page. Here are a few steps for that process:
- 创建一个具有两列的email_authentication表-用户ID和密钥.其中将包含将用户ID与随机生成的密钥相关联的信息.
- 创建一个页面(例如:reset.php),该页面需要一个URL参数(例如$ k),然后在email_authentication表中查找该参数.如果在表中找到匹配的记录,请删除该记录,然后重定向到一个页面,该页面将在同一记录中提供用户ID的密码.
- 用户忘记密码,单击忘记密码"链接,然后输入正确的电子邮件地址.
- 在email_authentication表中创建包含其用户ID的记录,并为密钥(例如:'r4nd0mstr1ng')生成一个随机字符串(长度约为32个字符)
- 通过电子邮件向用户发送指向您在步骤2中创建的页面的链接,其中包含在urlstring中生成的密钥. (例如: http://foo.com/reset.php?k=r4nd0mstr1ng
- 用户单击电子邮件中的链接,reset.php中的脚本在email_authentication表中查找"r4nd0mstr1ng",并找到与用户ID关联的内容,然后将他们重定向到允许他们重置密码的表单. /li>
- 重设密码时,请勿以明文形式保存密码!
- Create an email_authentication table with two columns - userid and key. This will contain information which will associate ids of users with a randomly generated key.
- Create a page (ex: reset.php) which expects a URL parameter ($k for example) and then looks for the parameter in the email_authentication table. If a matching record is found in the table, delete the record, and redirect to a page which will allow the password for the userid in the same record.
- User forgets their password, clicks the Forgot Password link and enters their correct email address.
- Record is created in email_authentication table containing their userid and a random string (32 or so characters long) is generated for the key (ex: 'r4nd0mstr1ng')
- Email the user a link to the page you created in Step 2 with the key generated in the urlstring. (ex: http://foo.com/reset.php?k=r4nd0mstr1ng
- User clicks the link in the email, the script in reset.php looks up 'r4nd0mstr1ng' in the email_authentication table and finds it associated with a userid and they're redirected to a form which allows them to reset their password.
- When the password is reset, don't save it cleartext!!
For more info (and probably a better explanation of the password hashing technique, have a look at This post by HeyBigName. It's based on CodeIgniter, but the functions contained are universally applicable.
这篇关于忘记密码页面,创建一个生成的密码以电子邮件发送给用户.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
