忘记密码脚本PHP mysqli数据库
嗨,我试图使忘记密码脚本,并成功地完成,但我得到一个问题。在forget.php中,当用户输入电子邮件时,脚本检查数据库中的电子邮件是否匹配,然后将激活码保存在数据库中,并将激活码发送到他的电子邮件地址 收到电子邮件后,点击链接,他需要在resetpass.php中重置密码表单。首先,它会检查激活代码是否与数据库中的代码匹配,如果匹配,则用户将输入新密码,并重置密码,但问题是密码没有更改,输入他的电子邮件的人会更改密码其他人的密码:D。我不知道这个剧本出了什么问题 忘记。php resetpass.php 我在resetpass.php中有一个bug 您首先必须使用$\u GET['code']获取激活码并将其存储在 这是经过修改的代码,应该可以使用忘记密码脚本PHP mysqli数据库,php,mysql,email,mysqli,Php,Mysql,Email,Mysqli,嗨,我试图使忘记密码脚本,并成功地完成,但我得到一个问题。在forget.php中,当用户输入电子邮件时,脚本检查数据库中的电子邮件是否匹配,然后将激活码保存在数据库中,并将激活码发送到他的电子邮件地址 收到电子邮件后,点击链接,他需要在resetpass.php中重置密码表单。首先,它会检查激活代码是否与数据库中的代码匹配,如果匹配,则用户将输入新密码,并重置密码,但问题是密码没有更改,输入他的电子邮件的人会更改密码其他人的密码:D。我不知道这个剧本出了什么问题 忘记。php resetpas
<?php
if(isset($_POST['pass'])){
$pass = $_POST['pass'];
$acode=$_POST['code'];
$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con));
if (mysqli_num_rows ($query)==1)
{
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con));
echo 'Password Changed';
}
else
{
echo 'Wrong CODE';
}
}
?>
<form action="resetpass.php" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit" name="submit" value="Signup!" />
<input type="hidden" name="code" value="<?php echo $_GET['code'];?>" />
</form>
您需要将操作从resetpass.php更改为resetpass.php?代码= 否则,当您提交表单时,代码将丢失 例如:不是没有错误的
<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");
$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
$acode = mysqli_real_escape_string($con, $acode);
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con));
if(mysqli_num_rows($query) == 0) {
echo "Wrong code";
die();
} elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
$pass = mysqli_real_escape_string($con, $_POST['pass']);
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con));
echo 'Password Changed';
}
}
?>
<form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit" name="submit" value="Signup!" />
</form>
但想想看:
您的代码非常不安全,最好尝试uniqidrand;
使用此代码,两个条目可能获得相同的代码
有人可以尝试所有的代码缺陷
在forget.php中,$code=$\u GET['activation\u code'];是什么??我猜您正在生成随机代码:$code=rand100999$代码=100999兰特;那么,有什么可以阻止任何人通过脚本运行所有的可能性来清除/更改您的所有密码呢?此外,您还提供了登录详细信息mysqli_connectmysql.3gwebhosters.com、u777946695_root、melody、123、u777946695_用户;现在到internet,可能想更改它们。您可以使用mysql\u real\u escape\u string来防止SQL注入攻击:@Ravi mysql\u real\u escape\u string与SQL注入无关attack@Ravi不管它在这里是否相关,您可能希望使用mysqli\u real\u escape\u字符串,因为mysql*命令已被弃用。一些额外的解释可能会有所帮助。
<?php
if(isset($_POST['pass'])){
$pass = $_POST['pass'];
$acode=$_POST['code'];
$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con));
if (mysqli_num_rows ($query)==1)
{
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con));
echo 'Password Changed';
}
else
{
echo 'Wrong CODE';
}
}
?>
<form action="resetpass.php" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit" name="submit" value="Signup!" />
<input type="hidden" name="code" value="<?php echo $_GET['code'];?>" />
</form>
<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");
$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
$acode = mysqli_real_escape_string($con, $acode);
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con));
if(mysqli_num_rows($query) == 0) {
echo "Wrong code";
die();
} elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
$pass = mysqli_real_escape_string($con, $_POST['pass']);
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con));
echo 'Password Changed';
}
}
?>
<form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit" name="submit" value="Signup!" />
</form>
<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");
$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
$acode = mysqli_real_escape_string($con, $acode);
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con));
if(mysqli_num_rows($query) == 0) {
echo "Wrong code";
die();
} elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
$pass = mysqli_real_escape_string($con, $_POST['pass']);
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con));
echo 'Password Changed';
}
}
?>
enter code here
<form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit" name="submit" value="Signup!" />
</form>