pve*_*tah 0 php mysql forgot-password
有人帮我处理我的代码.我创建了一个包含当前密码,新密码和确认密码的编辑密码页面.这是我的代码:
edit_password.php
<form action="editpassword_process.php" method="post">
<table>
<tr class="form-group has-feedback has-success">
<td><h4>Current Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="currentpassword" name="currentpassword"></div></td> <!-- class="input-sm" required -->
<td><span id="messagebox"></span></td>
</tr>
<tr>
<td><h4>New Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword1" name="newpassword1"></div></td> <!-- required class="input-sm" -->
</tr>
<tr>
<td><h4>Confirm Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword2" name="newpassword2" onKeyUp="checkPass(); return false;"></div></td> <!-- required class="input-sm" -->
<span id="confirmMessage" class="confirmMessage"></span>
</tr>
</table>
<button class="btn btn-info">Submit</button>
</form>
这是我的editpassword_process.php代码
<?php
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
$res = mysql_query("SELECT user_password FROM `tbl_userlist` WHERE userid = '".$_SESSION['userid']."'");
if($currentpw != mysql_result($res, 0)){
echo "You entered an incorrect password";
}
if($newpw = $confirmnewpw){
$sql = mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'");
}
if($sql){
echo "You have successfully changed your password";
}
else{
echo "The new password and confirm pasword fields must be the same";
}
?>
当我单击提交时,它会显示一个警告,显示Validated OK,但我的数据库没有更新.
先感谢您
您的代码有一些问题,但我会从为什么您的用户密码没有更新开始.您还没有在代码中的任何位置启动会话.在您使用会话的任何地方,您需要启动它们:
session_start();
这应该是您在打开<?php标签后首先要做的事情.
你在许多比较块中分配(=)而不是比较(==)if(){..,这些将评估TRUE,运行条件.
现在还不错,你正在使用一个已弃用的库.mysql_*从PHP7开始,不推荐使用所有函数并将其删除.通过学习这两个库中的任何一个,最好先走出曲线球:
它们中的任何一个都可以缓解您在当前易受攻击的代码中遇到的任何SQL注入.更不用说你用纯文本存储密码了.想象一下,当你的数据库遭到黑客攻击时(不是 如果)会产生影响,我希望这不是一个生产环境.
PHP使得密码哈希变得非常简单,只需查看:
他们会整理你的密码哈希.
为了简化您正在做的事情,这将是一个PDO示例以及您的密码散列,以向您展示实现您尝试执行的操作是多么简单:
<?php
session_start();
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
// start your PDO object
$db = new PDO('mysql:host=localhost;dbname=DATABASE', 'username','password');
$statement = $db->prepare("SELECT user_password FROM `tbl_userlist` WHERE userid = :userid");
$statement->execute(array(':userid' => $_SESSION['userid']));
// check if we have a row
if ($statement->rowCount() > 0) {
$data = $statement->fetch(PDO::FETCH_ASSOC);
$current_password_hash = $data['user_password'];
// check current password is correct.
if (!password_verify($currentpw, $current_password_hash)) {
// wrong "current" password.
die("You entered an incorrect password");
}
// check that both passwords match.
if (trim($confirmnewpw) !== trim($newpw)) {
// new passwords dont match
die("The new password and confirm pasword fields must be the same");
}
// can only get here if passwords match.
// so hash the new password and store in the database.
$newpwhash = password_hash(trim($confirmnewpw), PASSWORD_BCRYPT, array('cost' => 11));
// now lets update table to add new password hash.
$update = $db->prepare("UPDATE tbl_userlist SET user_password = :newpwhash WHERE userid = :userid");
if($update->execute(array(':newpwhash' => $newpwhash, ':userid' => $_SESSION['userid']))) {
// password updated successfully.
die("You have successfully changed your password");
} else {
// failed to update, check logs to ammend.
die('Failed to update password.');
}
} else {
// wrong "current" password.
die("No password found for you...");
}
毋庸置疑,这意味着您还必须更改登录过程,但这很简单.您需要做的就是获取密码和线束password_verify(),瞧,您已经排序了.
(更不用说,更安全了.)
| 归档时间: |
|
| 查看次数: |
264 次 |
| 最近记录: |