dongqindan4406 2012-12-23 23:28

If I use a hash function, how do I match the old and new passwords?

I store user passwords as plain text in the database. So it's easy to change the password. I use this code:

while($row = mysql_fetch_array($result)) {
  if($row['Password']==$opass)
    mysql_query(
      "UPDATE information SET Password='$pass' WHERE Username='$name'"
    );
}

First I check that the user entered his old password correctly ($opass), then I allow him to change it to the new password ($pass). I think I could check the old password because I stored it as plain text. But if I use any hash algorithm, how could this if($row['Password']==$opass) code work? I think $opass and $row['Password'] won't be the same.


  • dtzk85937 2012-12-23 23:29

    Just hash the user inputted password with the equivalent hashing function, and compare that to what you have stored in your database.

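    while($row = mysql_fetch_array($result)) {
      // The new password is stored hashed too, so the next comparison still works
      $newHash = yourOneWayPasswordHashingFunction($pass);
      if($row['Password']==yourOneWayPasswordHashingFunction($opass))
        mysql_query("UPDATE information SET Password='$newHash' WHERE Username='$name'");
    }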
    

    As I mentioned in the comments, use bcrypt. Passwords can be hard, so use this, and then go shopping, in time for xmas too :)

    Also...

    I store user passwords as plain text in the database. So it's easy to change the password.

    Emphasis mine.

    You should never store plain text passwords, and "it's easy to change" is not a valid reason. Kudos, however, for recognising the need to do something about it.

    This answer was selected as the best answer by the question's author.
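The password change from this thread done with bcrypt, as an added example that is not part of the original question or answer. bcrypt hashes carry a random salt, so hashing the input again and comparing with == does not match; PHP's password_verify() does the comparison instead. The table and column names follow the question; the function name changePassword and the in-memory SQLite database (PDO with pdo_sqlite) are assumptions for illustration.

```php
<?php
// Added example: table and column names follow the question; the function
// name and the in-memory SQLite database are assumptions for illustration.

function changePassword(PDO $db, string $name, string $opass, string $pass): bool
{
    // Fetch the stored hash with a bound parameter, never string interpolation.
    $stmt = $db->prepare('SELECT Password FROM information WHERE Username = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();

    // password_verify() re-derives the hash using the salt and cost embedded
    // in $stored and compares in constant time. Comparing with == against a
    // fresh password_hash() would always fail: every call uses a new salt.
    if ($stored === false || !password_verify($opass, $stored)) {
        return false;
    }

    // Store only the bcrypt hash of the new password.
    $update = $db->prepare('UPDATE information SET Password = ? WHERE Username = ?');
    $update->execute([password_hash($pass, PASSWORD_BCRYPT), $name]);
    return $update->rowCount() === 1;
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE information (Username TEXT PRIMARY KEY, Password TEXT)');
$db->prepare('INSERT INTO information VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_BCRYPT)]);

// Same password hashed twice: different salts, so the strings differ.
var_dump(password_hash('old-secret', PASSWORD_BCRYPT)
      === password_hash('old-secret', PASSWORD_BCRYPT));

// Wrong old password, correct old password, then the old password reused
// after the change has already replaced it.
var_dump(changePassword($db, 'alice', 'wrong-guess', 'new-secret'));
var_dump(changePassword($db, 'alice', 'old-secret', 'new-secret'));
var_dump(changePassword($db, 'alice', 'old-secret', 'newer-secret'));
```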
