Php 允许用户更改密码_Php_Database_Mysqli_Sql Update_Change Password

Php 允许用户更改密码

php database

Php 允许用户更改密码,php,database,mysqli,sql-update,change-password,Php,Database,Mysqli,Sql Update,Change Password,我试图允许我的网站的登录用户能够更改他们的密码，然后在我的数据库中更新密码。当我单击submit按钮时，我在where子句中得到“未知列”[username]”。我尝试了很多方法，但似乎都没能奏效。我是一个PHP初学者，所以没有扩展的技能，所以我不确定问题出在哪里。如果有人能帮我，我会很感激的，谢谢 <?php session_start(); require_once ("db_connect.php"); require_once($_SERVER['DOCUMENT_ROOT']

我试图允许我的网站的登录用户能够更改他们的密码，然后在我的数据库中更新密码。当我单击submit按钮时，我在where子句中得到“未知列”[username]”。我尝试了很多方法，但似乎都没能奏效。我是一个PHP初学者，所以没有扩展的技能，所以我不确定问题出在哪里。如果有人能帮我，我会很感激的，谢谢

<?php
session_start();


require_once ("db_connect.php");
require_once($_SERVER['DOCUMENT_ROOT'] . '/functions/functions.php');


$oldpw = ($_POST['oldpw']);
$newpw = ($_POST['newpw']);
$conpw = ($_POST['conpw']);
$currentpw = $_SESSION['password'];

if ($_POST['change'] == 'Change') {
    if ($oldpw && $newpw && $conpw) {
        if ($newpw == $conpw) {
            if ($db_server){
                mysqli_select_db($db_server, $db_database);
                $oldpw = salt($currentpw);
                // check whether username exists 
                $query = "SELECT password FROM users WHERE 'username'= '" . $_SESSION['username'] . "'";
                $result = mysqli_query($db_server, $query);
                if(!$result){
                    $message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
                }else{
                    $newpw = salt($newpw);
                    $query = "UPDATE users SET password = '$newpw' WHERE username = " . $_SESSION['username'] . "";
                    mysqli_query($db_server, $query) or
                            die("Insert failed. " . mysqli_error($db_server));
                    $message = "<p class='message'>Your password has been changed!</p>";
                    // Process further here 
                    mysqli_free_result($result);
                }
            }else{
                    $message = " <p class='message'>Your current password is incorrect.</p>";
            }
        }else{
            $message = "<p class='message'>Your new passwords do not match.</p>";
        }
    }else{
        $message = "<p class='message'>Please fill in all fields.</p>";
    }
}
?>

'placeholder=“当前密码”>

您面临的最初问题是，

$\u SESSION['username']

和

$newpass

的SQL字符串值在SQL字符串中没有正确地单引号引用。有关何时以及如何在SQL语句中引用的详细信息，请参阅

始终在开发代码时启用错误报告。在脚本的顶部：

// Disable this when your code is live...
error_reporting(E_ALL);
ini_set('display_errors', 1);

因此，使用当前代码，引用字符串而不是列名，如下所示

$oldpw = salt($currentpw);

// check whether username exists 
$query = "SELECT password FROM users WHERE username= '" . $_SESSION['username'] . "' AND password='$oldpw'";
//----------------------------------no quotes^^^^^^^--single-quotes^^^^^^^^^^^^^^^^
// Also adds a check that $oldpass is correct!

$result = mysqli_query($db_server, $query);
if(!$result){
    // This is ambiguous. It should probably show an error related to the query, not connection
    $message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
    // This should only be done if a row was returned previously
    // Test with mysqli_num_rows()
    if (mysqli_num_rows($result) > 0) {
      $newpw = salt($newpw);

      // Adds single quotes to the username here too...
      $query = "UPDATE users SET password = '$newpw' WHERE username = '" . $_SESSION['username'] . "'";
      mysqli_query($db_server, $query) or
            die("Insert failed. " . mysqli_error($db_server));
      $message = "<p class='message'>Your password has been changed!</p>";
      // Process further here 
      mysqli_free_result($result);
    }
    else {
       // Username or password was incorrect - do something about that
    }
}

要找出真正的错误，应该使用

echo mysqli\u error（$db\u server）

而不是您的

错误：无法连接…

自定义消息。我猜这是因为用户名

$\u会话['username']

在该查询中没有作为SQL字符串用单引号括起来…字符串必须用引号括起来。还有，为什么要存储密码明文？用户名和

$newpw

的后续

UPDATE

语句也是如此，请参见@CharlotteDunois，密码中有一个

salt（）

函数。我想这是在做一些salt+hash操作。。。

$oldpw = salt($currentpw);

// check whether username exists 
$query = "SELECT password FROM users WHERE username= '" . $_SESSION['username'] . "' AND password='$oldpw'";
//----------------------------------no quotes^^^^^^^--single-quotes^^^^^^^^^^^^^^^^
// Also adds a check that $oldpass is correct!

$result = mysqli_query($db_server, $query);
if(!$result){
    // This is ambiguous. It should probably show an error related to the query, not connection
    $message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
    // This should only be done if a row was returned previously
    // Test with mysqli_num_rows()
    if (mysqli_num_rows($result) > 0) {
      $newpw = salt($newpw);

      // Adds single quotes to the username here too...
      $query = "UPDATE users SET password = '$newpw' WHERE username = '" . $_SESSION['username'] . "'";
      mysqli_query($db_server, $query) or
            die("Insert failed. " . mysqli_error($db_server));
      $message = "<p class='message'>Your password has been changed!</p>";
      // Process further here 
      mysqli_free_result($result);
    }
    else {
       // Username or password was incorrect - do something about that
    }
}

// Prepare the select statement to check username and old password
$stmt = mysqli_prepare($db_server, "SELECT password FROM users WHERE username = ? AND passowrd = ?");
if ($stmt) {
  // Bind parameters and execute it
  $stmt->bind_param('ss', $_SESSION['username'], $oldpw);
  $stmt->execute();

  // num_rows works here too...
  if ($stmt->num_rows > 0) {
    // Ok to update...
    // Prepare another statement for UPDATE
    $stmt2 = mysqli_prepare($db_server, "UPDATE users SET password = ? WHERE username = ?");
    if ($stmt2) {
       // Bind and execute
       $stmt2->bind_param('ss', $newpass, $_SESSION['username']);
       $stmt->execute();
    }
    // Error updating
    else echo mysqli_error($db_server);
  }
}
// Error selecting
else echo mysqli_error($db_server);