Fatal编程技术网
  • php/
  • 忘记密码脚本PHP mysqli数据库

忘记密码脚本PHP mysqli数据库

php mysql email

忘记密码脚本PHP mysqli数据库,php,mysql,email,mysqli,Php,Mysql,Email,Mysqli,嗨,我试图使忘记密码脚本,并成功地完成,但我得到一个问题。在forget.php中,当用户输入电子邮件时,脚本检查数据库中的电子邮件是否匹配,然后将激活码保存在数据库中,并将激活码发送到他的电子邮件地址 收到电子邮件后,点击链接,他需要在resetpass.php中重置密码表单。首先,它会检查激活代码是否与数据库中的代码匹配,如果匹配,则用户将输入新密码,并重置密码,但问题是密码没有更改,输入他的电子邮件的人会更改密码其他人的密码:D。我不知道这个剧本出了什么问题 忘记。php resetpas

嗨,我试图使忘记密码脚本,并成功地完成,但我得到一个问题。在forget.php中,当用户输入电子邮件时,脚本检查数据库中的电子邮件是否匹配,然后将激活码保存在数据库中,并将激活码发送到他的电子邮件地址

收到电子邮件后,点击链接,他需要在resetpass.php中重置密码表单。首先,它会检查激活代码是否与数据库中的代码匹配,如果匹配,则用户将输入新密码,并重置密码,但问题是密码没有更改,输入他的电子邮件的人会更改密码其他人的密码:D。我不知道这个剧本出了什么问题

忘记。php

resetpass.php

我在resetpass.php中有一个bug

您首先必须使用$\u GET['code']获取激活码并将其存储在

这是经过修改的代码,应该可以使用

<?php

if(isset($_POST['pass'])){
$pass = $_POST['pass'];
$acode=$_POST['code'];

$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con)); 

if (mysqli_num_rows ($query)==1) 
{
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con)); 

echo 'Password Changed';
}
else
{
echo 'Wrong CODE';
}
}
?>

<form action="resetpass.php" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit"  name="submit" value="Signup!" />
<input type="hidden" name="code" value="<?php echo $_GET['code'];?>" />
</form>
您需要将操作从resetpass.php更改为resetpass.php?代码=

否则,当您提交表单时,代码将丢失

例如:不是没有错误的

<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");

$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
    $acode = mysqli_real_escape_string($con, $acode);
    $query = mysqli_query($con,"select * from login where activation_code='$acode'")
    or die(mysqli_error($con)); 
    if(mysqli_num_rows($query) == 0) {
        echo "Wrong code";
        die();
    } elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
        $pass = mysqli_real_escape_string($con, $_POST['pass']);
        $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
        or die(mysqli_error($con)); 

        echo 'Password Changed';
    }
}

?>

    <form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
    <p>New Password:</p><input type="password" name="pass" />
    <input type="submit"  name="submit" value="Signup!" />
    </form>
但想想看:

您的代码非常不安全,最好尝试uniqidrand; 使用此代码,两个条目可能获得相同的代码 有人可以尝试所有的代码缺陷
在forget.php中,$code=$\u GET['activation\u code'];是什么??我猜您正在生成随机代码:$code=rand100999$代码=100999兰特;那么,有什么可以阻止任何人通过脚本运行所有的可能性来清除/更改您的所有密码呢?此外,您还提供了登录详细信息mysqli_connectmysql.3gwebhosters.com、u777946695_root、melody、123、u777946695_用户;现在到internet,可能想更改它们。您可以使用mysql\u real\u escape\u string来防止SQL注入攻击:@Ravi mysql\u real\u escape\u string与SQL注入无关attack@Ravi不管它在这里是否相关,您可能希望使用mysqli\u real\u escape\u字符串,因为mysql*命令已被弃用。一些额外的解释可能会有所帮助。 
<?php

if(isset($_POST['pass'])){
$pass = $_POST['pass'];
$acode=$_POST['code'];

$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = mysqli_query($con,"select * from login where activation_code='$acode'")
or die(mysqli_error($con)); 

if (mysqli_num_rows ($query)==1) 
{
$query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
or die(mysqli_error($con)); 

echo 'Password Changed';
}
else
{
echo 'Wrong CODE';
}
}
?>

<form action="resetpass.php" method="POST">
<p>New Password:</p><input type="password" name="pass" />
<input type="submit"  name="submit" value="Signup!" />
<input type="hidden" name="code" value="<?php echo $_GET['code'];?>" />
</form>

<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");

$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
    $acode = mysqli_real_escape_string($con, $acode);
    $query = mysqli_query($con,"select * from login where activation_code='$acode'")
    or die(mysqli_error($con)); 
    if(mysqli_num_rows($query) == 0) {
        echo "Wrong code";
        die();
    } elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
        $pass = mysqli_real_escape_string($con, $_POST['pass']);
        $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
        or die(mysqli_error($con)); 

        echo 'Password Changed';
    }
}

?>

    <form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
    <p>New Password:</p><input type="password" name="pass" />
    <input type="submit"  name="submit" value="Signup!" />
    </form>

<?php
if(isset($_GET['code'])) $acode = $_GET['code'];
else die("No code!");

$con=mysqli_connect("xxx","xxx","xxx","xxx");
// Check connection
if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
} else {
    $acode = mysqli_real_escape_string($con, $acode);
    $query = mysqli_query($con,"select * from login where activation_code='$acode'")
    or die(mysqli_error($con)); 
    if(mysqli_num_rows($query) == 0) {
        echo "Wrong code";
        die();
    } elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
        $pass = mysqli_real_escape_string($con, $_POST['pass']);
        $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
        or die(mysqli_error($con)); 

        echo 'Password Changed';
    }
}

?>

    enter code here
    <form action="resetpass.php?code=<?php echo $_GET['code'];?>" method="POST">
    <p>New Password:</p><input type="password" name="pass" />
    <input type="submit"  name="submit" value="Signup!" />
    </form>