I'd like a standard class/PHP script we can use for a "forgot password" feature. Nearly every site seems to have one, and I want to cut its development time.
The common approach seems to be:
Click "forgot password"
User receives a "reset password" link by e-mail
Clicking the link lets them enter "new password" / "re-enter password"
Life is good
I don't want to start from scratch, and I'm hoping someone has thought through the nuances and can point me to existing code. This seems like a very standardized thing.
ALL: got some replies, but I was hoping someone could recommend a fairly standard class or CMS that follows generally accepted security guidelines.
I use my own script for password reset.
I created a table to store the user_id, a random key, and the time the password reset was initiated:
```php
// query is my own SQLite3 wrapper function which ensures I have a valid database
// connection then executes the SQL.
// I would imagine small changes will be needed to the SQL for MySQL.
query("create table reset_password (user_id integer not null default 0, key text not null default '', time integer not null default 0)");
query("create unique index reset_password_user_id on reset_password (user_id)");
query("create index reset_password_key on reset_password (key)");
```
Then, when a password reset is needed, the following code is called:
```php
// $user_id must be an integer that matches a valid user's ID.
function reset_password($user_id) {
    $user_id = (int) $user_id; // cast so the interpolated value can only ever be an integer
    query("delete from reset_password where user_id = $user_id");
    // 128 bits from the CSPRNG. The original crypt('', '') is not a random
    // source (a DES salt carries only 12 random bits) and fails on current PHP.
    $key = bin2hex(random_bytes(16));
    query("insert into reset_password values ($user_id, '$key', " . time() . ")");
    // fetch is my own wrapper function to fetch a row from the query.
    $f = fetch(query("select username from users where id = $user_id"));
    if (!$f) {
        return; // no such user, nothing to send
    }
    // smtp is my own function, you will probably want to use the php mail function.
    smtp(
        "do-not-reply@example.com", // sender
        $f['username'],             // recipient
        "From: The example.com Web Site\r\n" . // email headers
        "To: {$f['username']} <{$f['username']}>\r\n" . // actual email address
        'Subject: Reset Password' . "\r\n" .
        "\r\n" .
        "Hello\r\n" . // email body
        "\r\n" .
        "A request has been made to reset your example.com web site password.\r\n" .
        "\r\n" .
        "To complete the request, click on the following link within 48 hours of the transmission of this email and follow the on screen instructions.\r\n" .
        "\r\n" .
        // URL is defined as the root of the URL used in the email, in this example it would be "http://example.com/"
        URL . "index.php?page=reset-password&user_id=" . urlencode($user_id) . "&key=" . urlencode($key) . "\r\n" .
        "\r\n" .
        "Kind regards,\r\n" .
        "\r\n" .
        "The example.com Web Site"
    );
}
```
When the link in the e-mail is clicked, a page containing the following is shown:
```php
// form, input_hidden, table, tr, td, label, input_password and input_submit are my own
// wrappers which return the appropriate HTML with escaped values where required.
echo form('reset-password/ok',
    input_hidden('user_id', $_GET['user_id']) .
    input_hidden('key', $_GET['key']) .
    table(
        tr(
            td(label('New Password')) .
            td(input_password('new_password', ''))
        ) .
        tr(
            td(label('Confirm Password')) .
            td(input_password('confirm_password', ''))
        )
    ) .
    input_submit('ok', 'OK')
);
```
After the form above is submitted, the following is executed:
```php
// The reset_password_message function displays the message to the user.
if (!isset($_POST['user_id'])) {
    reset_password_message('You must enter a user ID. Please try again.');
} else if (!isset($_POST['key'])) {
    reset_password_message('You must enter a key. Please try again.');
} else if (!isset($_POST['new_password']) || !$_POST['new_password']) {
    reset_password_message('You must enter a new password. Please try again.');
} else if (!isset($_POST['confirm_password']) || $_POST['new_password'] !== $_POST['confirm_password']) {
    reset_password_message('The new password and the confirmation do not match. Please try again.');
} else if (!$f = fetch(query("select time from reset_password where user_id = " . (integer)$_POST['user_id'] . " and key = '" . escape($_POST['key']) . "'"))) {
    reset_password_message('The user ID and key pair are invalid. Please try again.');
} else if ($f['time'] < time() - 60 * 60 * 24 * 2) {
    // 60 seconds * 60 minutes * 24 hours * 2 days (48 hours as explained in the email sent to the user above).
    reset_password_message('The user ID and key pair have expired. Please try again.');
} else {
    // password_hash chooses a strong algorithm and salt; crypt() without a salt is
    // rejected on current PHP.
    query("update users set password = '" . escape(password_hash($_POST['new_password'], PASSWORD_DEFAULT)) . "' where id = " . (integer)$_POST['user_id']);
    // Remove the key so the link cannot be used a second time.
    query("delete from reset_password where user_id = " . (integer)$_POST['user_id']);
    reset_password_message('Your password has been reset. Please login.');
}
```
You're welcome to use this code rather than "rolling your own", but you'll need to make some changes or add some features to complete it.
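The flow the answer above describes (random key stored against the user, e-mailed link, expiry check, new password written back) can be tightened in a few places a reviewer would look at first: the key should come from the CSPRNG, the database should hold only a hash of it so a leaked table does not let anyone reset passwords, the key should be the lookup value so the URL need not carry a user ID, the request endpoint should behave the same whether or not the address exists, and the key must be deleted in the same transaction that changes the password so it is single use. The following is an added example written for this page, not code from the original answer or from any library; the class, table and column names, the one hour lifetime and the in-memory SQLite database are all assumptions made for the demonstration. It needs PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example for this page (not the original answer's code). Names are hypothetical.
declare(strict_types=1);

final class PasswordReset
{
    private const TOKEN_TTL = 3600; // one hour; assumption, shorter than the 48 h above

    public function __construct(private PDO $db) {}

    public static function schema(PDO $db): void
    {
        $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password TEXT NOT NULL)");
        $db->exec("CREATE TABLE password_resets (
            user_id    INTEGER NOT NULL UNIQUE,
            token_hash TEXT    NOT NULL,
            expires_at INTEGER NOT NULL
        )");
    }

    // Start a reset. Returns the plaintext token to put in the e-mail, or null when
    // the address is unknown. The HTTP response must be identical in both cases so
    // the form cannot be used to enumerate accounts.
    public function begin(string $email): ?string
    {
        $stmt = $this->db->prepare("SELECT id FROM users WHERE email = ?");
        $stmt->execute([$email]);
        $userId = $stmt->fetchColumn();
        if ($userId === false) {
            return null;
        }
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $hash  = hash('sha256', $token);      // only the hash is stored
        $stmt = $this->db->prepare(
            "INSERT OR REPLACE INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)");
        $stmt->execute([(int) $userId, $hash, time() + self::TOKEN_TTL]);
        return $token;
    }

    // Finish a reset. The token is looked up by its hash, checked for expiry, and
    // deleted in the same transaction as the password update, so it works only once.
    public function complete(string $token, string $newPassword, string $confirm): bool
    {
        if ($newPassword === '' || $newPassword !== $confirm) {
            return false;
        }
        $hash = hash('sha256', $token);
        $this->db->beginTransaction();
        try {
            $stmt = $this->db->prepare(
                "SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?");
            $stmt->execute([$hash]);
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
            if ($row === false || (int) $row['expires_at'] < time()) {
                $this->db->rollBack();
                return false;
            }
            $userId = (int) $row['user_id'];
            $this->db->prepare("DELETE FROM password_resets WHERE user_id = ?")->execute([$userId]);
            $this->db->prepare("UPDATE users SET password = ? WHERE id = ?")
                     ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
            $this->db->commit();
            return true;
        } catch (Throwable $e) {
            $this->db->rollBack();
            throw $e;
        }
    }
}

// Demo on an in-memory SQLite database with one constructed user.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
PasswordReset::schema($db);
$db->prepare("INSERT INTO users (email, password) VALUES (?, ?)")
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

$reset = new PasswordReset($db);
$token = $reset->begin('alice@example.com');
// The e-mail would carry a link such as https://example.com/reset?token=$token (hypothetical URL).
var_dump($reset->begin('nobody@example.com'));                             // NULL, same HTTP response as above
var_dump($reset->complete('not-the-token', 'NewPass123', 'NewPass123'));   // false: unknown token
var_dump($reset->complete($token, 'NewPass123', 'NewPass123'));            // true
var_dump($reset->complete($token, 'Again456', 'Again456'));                // false: token already consumed
```

Because the table stores `sha256(token)` rather than the token, someone who reads the table still cannot build a valid link; the 256-bit token makes a brute-force search of the hash pointless, so a plain SHA-256 (not a slow password hash) is enough here. `INSERT OR REPLACE` is SQLite syntax, like the answer's own schema; on MySQL use `REPLACE INTO` or an upsert. A production version would also invalidate the user's other sessions after the change and rate-limit `begin()`.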