Fatal编程技术网
  • php/
  • Php 为什么我的旧密码不会更改为新密码

Php 为什么我的旧密码不会更改为新密码

php mysql sql

Php 为什么我的旧密码不会更改为新密码,php,mysql,sql,Php,Mysql,Sql,这是我的成员表密码都在md5中 ID username password 100 alex alex 这是我的changepassword.php <?php session_start(); $conn = mysql_connect("localhost","root","password"); mysql_select_db("lecturer",$conn); $myid = $_GET["myid"]; if(count($_POST)>0) { $res

这是我的成员表密码都在md5中

ID username password
100  alex     alex
这是我的changepassword.php

<?php
session_start();

$conn = mysql_connect("localhost","root","password");
mysql_select_db("lecturer",$conn);
$myid = $_GET["myid"];
if(count($_POST)>0) {
  $result = mysql_query("SELECT * from members WHERE ID=' . $myid . '");
  $row=mysql_fetch_array($result);
  if (md5($_POST["currentPassword"]) == md5($row["password"])) {
    mysql_query("UPDATE members set password='" . $_POST["newPassword"] . "' WHERE ID=' . $myid . '");
    $message = "Password Changed";
  } else $message = "Current Password is not correct";
}

?>
<html>
<head>
<title>Change Password</title>
<link rel="stylesheet" type="text/css" href="styles.css" />
<script>
function validatePassword() {
  var currentPassword,newPassword,confirmPassword,output = true;

  currentPassword = document.frmChange.currentPassword;
  newPassword = document.frmChange.newPassword;
  confirmPassword = document.frmChange.confirmPassword;

  if(!currentPassword.value) {
    currentPassword.focus();
    document.getElementById("currentPassword").innerHTML = "required";
    output = false;
  }
  else if(!newPassword.value) {
    newPassword.focus();
    document.getElementById("newPassword").innerHTML = "required";
    output = false;
  }
  else if(!confirmPassword.value) {
    confirmPassword.focus();
    document.getElementById("confirmPassword").innerHTML = "required";
    output = false;
  }
  if(newPassword.value != confirmPassword.value) {
    newPassword.value="";
    confirmPassword.value="";
    newPassword.focus();
    document.getElementById("confirmPassword").innerHTML = "not same";
    output = false;
  }     
  return output;
}
</script>
</head>
<body>
<form name="frmChange" method="post" action="" onSubmit="return validatePassword()">
<div style="width:500px;">
<div class="message"><?php if(isset($message)) { echo $message; } ?></div>
<table border="0" cellpadding="10" cellspacing="0" width="500" align="center" class="tblSaveForm">
<tr class="tableheader">
<td colspan="2">Change Password</td>
</tr>
<tr>
<td width="40%"><label>Current Password</label></td>
<td width="60%"><input type="password" name="currentPassword" class="txtField"/><span id="currentPassword"  class="required"></span></td>
</tr>
<tr>
<td><label>New Password</label></td>
<td><input type="password" name="newPassword" class="txtField"/><span id="newPassword" class="required"></span></td>
</tr>
<td><label>Confirm Password</label></td>
<td><input type="password" name="confirmPassword" class="txtField"/><span id="confirmPassword" class="required"></span></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="submit" value="Submit" class="btnSubmit"></td>
</tr>
</table>
</div>
</form>
</body></html>

仅限使用

==($row[“密码])){


因为您存储的密码已经被编码了
$\u POST[“newPassword”]
是加密的还是以纯文本形式存储的?简单地问一下,如果您表中的密码已经以md5格式存储,为什么这一行
if(md5($\u POST[“currentPassword”]==md5($row[“password”])
?它应该是
if(md5($\u POST[“currentPassword”])==$row[“password”])
您有一个sql注入漏洞。我很抱歉地告诉您,您的代码出了问题。您并没有真正存储散列密码,而是以一种毫无意义的方式比较密码散列。您有一个巨大的sql注入问题,您使用mysql而不是mysqli或PDO,并且您不会捕获sql查询中的错误。这必须从从一开始,为什么会解决这个问题?