2013-09-23 135 views
4

我用下面的代碼來更新我的數據庫中的密碼和鹽田:數據庫沒有更新 - PHP PDO

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

$id = $_GET[id]; 

// This if statement checks to determine whether the registration form has been submitted 
// If it has, then the registration code is run, otherwise the form is displayed 
if(!empty($_POST)) 
{ 
    // Ensure that the user has entered a non-empty password 
    if(empty($_POST['password'])) 
    { 
     die("Please enter a password."); 
    } 

    // Ensure that the user has entered a non-empty username 
    if(empty($_POST['confirmpassword'])) 
    { 
     // Note that die() is generally a terrible way of handling user errors 
     // like this. It is much better to display the error with the form 
     // and allow the user to correct their mistake. However, that is an 
     // exercise for you to implement yourself. 
     die("Please confirm your password."); 
    } 

    if ($_POST["password"] == $_POST["confirmpassword"]) { 

     // An INSERT query is used to add new rows to a database table. 
     // Again, we are using special tokens (technically called parameters) to 
     // protect against SQL injection attacks. 
     $query = "UPDATE Staff SET password=:password, salt=:salt WHERE id=:id"; 

     // A salt is randomly generated here to protect again brute force attacks 
     // and rainbow table attacks. The following statement generates a hex 
     // representation of an 8 byte salt. Representing this in hex provides 
     // no additional security, but makes it easier for humans to read. 
     $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

     // This hashes the password with the salt so that it can be stored securely 
     // in your database. The output of this next statement is a 64 byte hex 
     // string representing the 32 byte sha256 hash of the password. The original 
     // password cannot be recovered from the hash. 
     $password = hash('sha256', $_POST['password'] . $salt); 

     // Next we hash the hash value 65536 more times. The purpose of this is to 
     // protect against brute force attacks. Now an attacker must compute the hash 65537 
     // times for each guess they make against a password, whereas if the password 
     // were hashed only once the attacker would have been able to make 65537 different 
     // guesses in the same amount of time instead of only one. 
     for($round = 0; $round < 65536; $round++) 
     { 
      $password = hash('sha256', $password . $salt); 
     } 

     try 
     { 
      // Execute the query to create the user 
      $stmt = $db->prepare($query); 
      $stmt->execute(array(
      ':password' => $password, 
      ':salt' => $salt, 
      ':id' => $id)); 


     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die("Failed to run query: " . $ex->getMessage()); 
     } 

     // This redirects the user back to the login page after they register 
     header("Location: login.php"); 

    } 

    die("Passwords do not match."); 
} 

有數據庫中的「ID」字段,和工作人員中的一員id等於1(前一頁上的鏈接將id傳遞給此頁面,在此示例中id爲1)。我不知道爲什麼它不更新數據庫。我是新來的PHP,並會愛任何幫助。

謝謝, 喬

+1

你得到的錯誤信息是什麼? – Maximus2012

+4

'$ id = $ _GET [id];'應該是'$ id = $ _GET ['id'];' – hjpotter92

+1

請使用真正的密碼哈希算法,例如PHP提供的''password_hash()'函數。 'sha256'不適合密碼散列。 – SamT

回答

1

語法不正確,你想用調用$id

$id = $_GET['id']; 
+0

我更新了代碼,但它仍未更新數據庫。謝謝 – JoeMorgan

+1

不應該是'$ id = $ _GET ['id'];'? – Oriol

+0

gah!是的,如果我不惹我自己的答案有幫助! – NickW

1

我覺得當你做execute(array)blah它把所有的變量作爲字符串,所以使用

http://www.php.net/manual/en/pdostatement.bindparam.php

$stmt ->bindParam(':password', $password, PDO::PARAM_STR) 
$stmt ->bindParam(':salt', $salt, PDO::PARAM_STR) 
$stmt ->bindParam(':id', $id, PDO::PARAM_INT) 
$stmt ->execute();