
Difficulty creating a password reset page with PHP and MySQL


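Good afternoon,

I am trying to create a password reset page with PHP. After clicking the reset button I get the password reset successful message, but nothing changes in my database.

Any help would be greatly appreciated.

Use

because there is no query; you have only prepared the SQL string and have not sent it to the database.

I'd like you to look at this piece of code here: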

if (($_POST['newpassword'] == $_POST['confirmnewpassword'])) {
        $newpass=password_hash($_POST['confirmnewpassword'], PASSWORD_BCRYPT);
        $sql = "UPDATE accounts SET userPassword='$newpass' WHERE 
        userEmail='$email'";
        $_SESSION['message'] = 'Password reset successful';
      }
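Here, the $sql variable holds an SQL statement, i.e. a plain text string that currently does nothing. You have to execute it, just as you executed the select query above: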

if ($mysqli->query($sql) === TRUE) {
    $_SESSION['message'] = 'Password reset successful'; 
} else {
    $_SESSION['message'] = "Error updating record: " . $mysqli->error;
}
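Taken from

Also, if this is the full scope of the endpoint, you should remember to close the connection by calling the close method of the mysqli class instance.

Last but not least, I strongly recommend that you do not use the class name (mysqli) as the instance name ($mysqli); this is simply good practice.

Edit:

The comments received are indeed correct, and my answer was poor on this point, so let's consider a few things.

You should use prepared statements instead of throwing variables directly into the SQL query; someone clever enough could use them to inject SQL statements into your database.

Correct me if I'm wrong, but this would be safer: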

//Email select query part
// No real_escape_string() here: bound parameters are sent separately
// from the SQL text, so escaping would only corrupt the value.
$email = $_SESSION['email'];
$stmt = $mysqli->prepare("SELECT * FROM accounts WHERE userEmail=(?)");
if (!$stmt->bind_param("s", $email)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}


//Update part
// Hash the raw password; escaping it first would change what gets hashed.
$newpass = password_hash($_POST['confirmnewpassword'], PASSWORD_BCRYPT);
$stmt = $mysqli->prepare("UPDATE accounts SET userPassword=(?) WHERE userEmail=(?)");
if (!$stmt->bind_param("ss", $newpass,$email)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}
$_SESSION['message'] = 'Password reset successful';

Now I'm sure this can be refactored in a more efficient way, but I hope I have helped the OP understand what is wrong with his code.
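An added example, not part of the original question or answers: a reset handler that binds both values, hashes the raw password, and reports success only when the UPDATE changed exactly one row. resetPassword() and field() are hypothetical helpers; the accounts table, its columns, and the connection placeholders follow the snippets on this page.

```php
<?php
// Added example, not from the original page. resetPassword() and field()
// are hypothetical helpers; table and column names follow the page's snippets.

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function resetPassword(mysqli $db, string $email, string $new, string $confirm): bool
{
    // Reject empty or mismatched input before touching the database.
    if ($email === '' || $new === '' || !hash_equals($new, $confirm)) {
        return false;
    }
    // Hash the raw password. Escaping it first would change the bytes that
    // get hashed, and bound parameters need no escaping anyway.
    $hash = password_hash($new, PASSWORD_BCRYPT);

    // The SQL text is fixed; the values travel separately as parameters.
    $stmt = $db->prepare('UPDATE accounts SET userPassword = ? WHERE userEmail = ?');
    $stmt->bind_param('ss', $hash, $email);
    $stmt->execute();

    // Success means one row actually changed, not merely that the script
    // reached this line. (Assumes userEmail is unique.)
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $changed;
}

// Return a request field only if it is a string (rejects array input).
function field(array $src, string $key): string
{
    return is_string($src[$key] ?? null) ? $src[$key] : '';
}

session_start();
$ok = false;
try {
    $db = new mysqli('<host>', '<user>', '<pass>', '<db>'); // placeholders
    $ok = resetPassword($db, field($_SESSION, 'email'),
        field($_POST, 'newpassword'), field($_POST, 'confirmnewpassword'));
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not echo database errors to the user.
    error_log('Password reset failed: ' . $e->getMessage());
}
$_SESSION['message'] = $ok ? 'Password reset successful' : 'Password reset failed';
```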

You forgot to run the password update query. So insert this:

$updated = $mysqli->query($sql) or die($mysqli->error);
after this:

$sql = "UPDATE accounts SET userPassword='$newpass' WHERE userEmail='$email'";

Edit 1 - How to prepare and run queries with the mysqli library:

Option 1: using mysqli_stmt_get_result() + mysqli_fetch_array()

<?php

/*
 * Run prepared db queries.
 * 
 * Uses:
 *      - mysqli_prepare()
 *      - mysqli_stmt_bind_param()
 *      - mysqli_stmt_execute()
 *      - mysqli_stmt_get_result()
 *      - mysqli_fetch_array()
 */

try {
    $username = 'Hello';
    $password = 'World';

    //---------------------------------------------------------
    // Connect to db.
    //---------------------------------------------------------
    $conn = mysqli_connect('<host>', '<user>', '<pass>', '<db>');
    if (!$conn) {
        throw new Exception('Connect error: ' . mysqli_connect_errno() . ' - ' . mysqli_connect_error());
    }

    //---------------------------------------------------------
    // Sql statement.
    //---------------------------------------------------------
    $query = "SELECT * FROM users WHERE username = ? AND password = ?";

    //---------------------------------------------------------
    // Prepare sql statement.
    //---------------------------------------------------------
    $stmt = mysqli_prepare($conn, $query);
    if (!$stmt) {
        throw new Exception('The sql statement can not be prepared!');
    }

    //---------------------------------------------------------
    // Bind variables to the prepared statement as parameters.
    //---------------------------------------------------------
    $bound = mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    if (!$bound) {
        throw new Exception('The variables could not be bound to the prepared statement!');
    }

    //---------------------------------------------------------
    // Execute the prepared statement.
    //---------------------------------------------------------
    $executed = mysqli_stmt_execute($stmt);
    if (!$executed) {
        throw new Exception('The prepared statement could not be executed!');
    }

    //---------------------------------------------------------
    // Get the result set from the prepared statement.
    //---------------------------------------------------------
    $result = mysqli_stmt_get_result($stmt);
    if (!$result) {
        throw new Exception(mysqli_error($conn));
    }

    //---------------------------------------------------------
    // Get the number of rows in statements result set.
    //---------------------------------------------------------
    $rows = mysqli_num_rows($result);

    if ($rows > 0) {
        //---------------------------------------------------------
        // Read the result set.
        //---------------------------------------------------------
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
        if (!isset($row)) {
            echo 'No records returned!';
            exit();
        }

        echo 'Login successful: ' . $row['username'] . '/' . $row['password'];
    } else {
        echo 'Invalid username/password. Please check and retry login.';
    }

    //-----------------------------------------------------------
    // Frees stored result memory for the given statement handle.
    //-----------------------------------------------------------
    mysqli_stmt_free_result($stmt);

    //---------------------------------------------------------
    // Close db connection.
    //---------------------------------------------------------
    $closed = mysqli_close($conn);
    if (!$closed) {
        throw new Exception('The database connection can not be closed!');
    }
} catch (Exception $exception) {
    echo '<pre>' . print_r($exception, true) . '</pre>';
    exit();
}

Note: trying to use mysqli_stmt_store_result() together with mysqli_stmt_get_result() leads to errors.

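What is this $_SESSION("email")? Turn on error reporting if you have not already done so. Shouldn't it be $_SESSION['email']?.... That would be a syntax/parse error. Error reporting is always someone's true friend. And the query is not being executed. You should also bind the variables rather than injecting them directly into the query string.

@Fred ii- No, it is my best friend. It helps me every day :

Although correct, this is not a complete answer regarding $_SESSION("email"). Since the OP uses mysqli, you could add prepared statements.

"Correct me if I'm wrong" - sessions are arrays; the $_SESSION('email') you included is still treated as a function (), not an array []. Consult the manual on superglobals.

The parentheses in userEmail=(?) are unnecessary.

It has already been answered, many times I might add; you are a bit late. You also missed something important.

@Fred ii- Thanks, I also saw that after editing. What did I forget?

Re-check their code and the comments under the question ;-)

@Fred ii- I will, I'm curious :-)

A little hint: superglobals are not "functions", they are an "array" ;-) Edit: that is, if that is their real syntax for the session array for the email.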
<?php

/*
 * Run prepared db queries.
 * 
 * Uses:
 *      - mysqli_prepare()
 *      - mysqli_stmt_bind_param()
 *      - mysqli_stmt_execute()
 *      - mysqli_stmt_store_result()
 *      - mysqli_stmt_bind_result()
 *      - mysqli_stmt_fetch()
 */

try {
    $username = 'Hello';
    $password = 'World';

    //---------------------------------------------------------
    // Connect to db.
    //---------------------------------------------------------
    $conn = mysqli_connect('<host>', '<user>', '<pass>', '<db>');
    if (!$conn) {
        throw new Exception('Connect error: ' . mysqli_connect_errno() . ' - ' . mysqli_connect_error());
    }

    //---------------------------------------------------------
    // Sql statement.
    //---------------------------------------------------------
    $query = "SELECT * FROM users WHERE username = ? AND password = ?";

    //---------------------------------------------------------
    // Prepare sql statement.
    //---------------------------------------------------------
    $stmt = mysqli_prepare($conn, $query);
    if (!$stmt) {
        throw new Exception('The sql statement can not be prepared!');
    }

    //---------------------------------------------------------
    // Bind variables to the prepared statement as parameters.
    //---------------------------------------------------------
    $bound = mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    if (!$bound) {
        throw new Exception('The variables could not be bound to the prepared statement!');
    }

    //---------------------------------------------------------
    // Execute the prepared statement.
    //---------------------------------------------------------
    $executed = mysqli_stmt_execute($stmt);
    if (!$executed) {
        throw new Exception('The prepared statement could not be executed!');
    }

    //---------------------------------------------------------
    // Transfer the result set from the prepared statement.
    //---------------------------------------------------------
    $stored = mysqli_stmt_store_result($stmt);
    if (!$stored) {
        throw new Exception('The result set from the prepared statement could not be transferred!');
    }

    //---------------------------------------------------------
    // Get the number of rows in statements' result set.
    //---------------------------------------------------------
    $rows = mysqli_stmt_num_rows($stmt);

    if ($rows > 0) {
        //---------------------------------------------------------
        // Bind result set columns to corresponding variables.
        //---------------------------------------------------------
        $bound = mysqli_stmt_bind_result($stmt, $resId, $resUsername, $resPassword);
        if (!$bound) {
            throw new Exception('The result set columns could not be bound to the variables');
        }

        //--------------------------------------------------------------------
        // Fetch results from the prepared statement into the bound variables.
        //--------------------------------------------------------------------
        while (mysqli_stmt_fetch($stmt)) {
            echo 'Successfully returned data:<br/><br/>';
            echo 'ID: ' . $resId . '<br/>';
            echo 'Username: ' . $resUsername . '<br/>';
            echo 'Password: ' . $resPassword . '<br/>';
        }
    } else {
        echo 'Invalid username/password. Please check and retry login!';
    }

    //-----------------------------------------------------------
    // Free stored result memory for the given statement handle.
    //-----------------------------------------------------------
    mysqli_stmt_free_result($stmt);

    //---------------------------------------------------------
    // Close db connection.
    //---------------------------------------------------------
    $closed = mysqli_close($conn);
    if (!$closed) {
        throw new Exception('The database connection can not be closed!');
    }
} catch (Exception $exception) {
    echo '<pre>' . print_r($exception, true) . '</pre>';
    exit();
}