Php 重置密码确认无法正常工作?
如果我把它放在user_id=3的位置,或者当我删除where语句(where user_id=“.user['user_id']),但随后数据库中的所有密码都会更改,那么它就可以工作了 我使用get方法来获取这样的用户ID 用户id=3&重置令牌=xxxxxxxxxPhp 重置密码确认无法正常工作?,php,mysql,pdo,Php,Mysql,Pdo,如果我把它放在user_id=3的位置,或者当我删除where语句(where user_id=“.user['user_id']),但随后数据库中的所有密码都会更改,那么它就可以工作了 我使用get方法来获取这样的用户ID 用户id=3&重置令牌=xxxxxxxxx <?php if( isset($_GET['user_id']) && isset($_GET['reset_token']) ) { $userid = $_GET['user_id']; $rese
<?php
if( isset($_GET['user_id']) && isset($_GET['reset_token']) ) {
$userid = $_GET['user_id'];
$reset_token = $_GET['reset_token'];
// Make sure user email with matching hash exist
$req = $heidisql->prepare("SELECT * FROM users WHERE user_id='$userid' AND reset_token='$reset_token' ");
$req->execute($userid, $reset_token );
$user = $req->fetch(PDO::FETCH_ASSOC);
if ($user) {
if (!preg_match ('%\A(?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{8,30}\z%', $_POST['new_pass'])
|| $_POST['new_pass'] !== $_POST['confirm_newpass'] ) {
echo 'Your new password did not match the new confirm password or is invalid!';
exit();
}
}
} else {
$newpassword = escape_data($_POST['new_pass']);
$newpass_hash = password_hash($newpassword, PASSWORD_BCRYPT);
$sql= "UPDATE users SET "
. "password_hashcode='$newpass_hash', "
. "reset_allocated_time=NULL, "
. "reset_token=NULL "
. "WHERE user_id=".$user['user_id']." "; //<- error here
// Make sure user email with matching hash exist
$result_newpass = $heidisql->prepare($sql);
$result_newpass->execute();
echo "Your password has been reset!";
exit();
}
-我认为问题可能在于get方法,因为我似乎无法正确访问URL中的用户\u id/reset\u令牌?
…localhost/example/reset\u pass.php?user\u id=xx&reset\u token=xxxxxxxxx
<?php
if( isset($_GET['user_id']) && isset($_GET['reset_token']) ) {
$userid = $_GET['user_id'];
$reset_token = $_GET['reset_token'];
// Make sure user email with matching hash exist
$req = $heidisql->prepare("SELECT * FROM users WHERE user_id='$userid' AND reset_token='$reset_token' ");
$req->execute($userid, $reset_token );
$user = $req->fetch(PDO::FETCH_ASSOC);
if ($user) {
if (!preg_match ('%\A(?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{8,30}\z%', $_POST['new_pass'])
|| $_POST['new_pass'] !== $_POST['confirm_newpass'] ) {
echo 'Your new password did not match the new confirm password or is invalid!';
exit();
}
}
} else {
$newpassword = escape_data($_POST['new_pass']);
$newpass_hash = password_hash($newpassword, PASSWORD_BCRYPT);
$sql= "UPDATE users SET "
. "password_hashcode='$newpass_hash', "
. "reset_allocated_time=NULL, "
. "reset_token=NULL "
. "WHERE user_id=".$user['user_id']." "; //<- error here
// Make sure user email with matching hash exist
$result_newpass = $heidisql->prepare($sql);
$result_newpass->execute();
echo "Your password has been reset!";
exit();
}
- 我在用户id处得到未定义的变量
- 是否有人知道导致我的密码验证也不起作用的问题
$req = $heidisql->prepare(
"SELECT * FROM users WHERE user_id='$userid'
AND reset_token='$reset_token' "
);
$req->execute($userid, $reset_token );
致:
再往下看,你有:
$newpassword = escape_data($_POST['new_pass']);
$newpass_hash = password_hash($newpassword, PASSWORD_BCRYPT);
在散列之前更改密码(转义)可能是个坏主意。把它搞糟;结果将是安全的使用。如果您的转义功能在将来发生更改,则更改该密码可能会导致无法识别用户的真实密码
接下来,您应该更改:
$sql= "UPDATE users SET password_hashcode='$newpass_hash',"
. "reset_allocated_time=NULL, reset_token=NULL "
. "WHERE user_id=".$user['user_id']." "; //<- error here
$result_newpass = $heidisql->prepare($sql);
$result_newpass->execute();
$sql=“更新用户设置密码\u hashcode='$newpass\u hash',”
. 重置\u分配的\u时间=NULL,重置\u令牌=NULL
. “其中user_id=“.$user['user_id']”//准备($sql);
$result_newpass->execute();
致:
$sql=“更新用户设置密码\u hashcode=:newpass,”
. 重置\u分配的\u时间=NULL,重置\u令牌=NULL
. “其中用户_id=:id”//准备($sql);
$result\u newpass->execute([':newpass'=>$newpass\u hash':id'=>$userid]);
从此处更新此$sql
:
$sql = "UPDATE users SET
password_hashcode = '$newpass_hash',
reset_allocated_time = NULL,
reset_token = NULL
WHERE user_id = '$user['user_id']'";
因此,用户id存储在$userid中,因此需要在WHERE子句中使用该变量。更新代码:
WHERE user_id=“.$userid
您的意思是像WHERE user_id=“$userid.“因为我很确定我已经尝试过了,会再次尝试的。你不需要关闭双引号。你可以将最后一行替换为“WHERE user\u id=”.$userid;
仍然得到未定义的变量:userid即使使用$sql=“UPDATE users SET password\u hashcode=”$newpass\u hash',reset\u allocated\u time=NULL,reset\u token=NULL,其中user\u id=" . $用户标识;正如前面无数次提到的,您应该使用。它避免了这些类型的引用问题,避免了SQL注入攻击,就像你容易受到攻击一样。即使我把这两个SQL都放在这里,它仍然没有work@JohnLaimuin我做了编辑。在上一个查询中,使用$userid
而不是$user['user\u id']
我得到了echo消息,但仍然得到了未定义的错误变量:userid$result\u newpass->execute([':newpass'=>$newpass\u hash',:user\u id'=>$userid]);我的id字段是用户名_id@JohnLaimuin使用$userid=$\u GET['user\u id']在脚本顶部附近设置$userid
你在第一次查询中使用它,那么它怎么可能是未定义的呢?我的send msg link是这样的…也许就是这个问题$message.=“'>单击此处输入新密码”//user\u id=“.user['user\u id']”
$sql= "UPDATE users SET password_hashcode=:newpass,"
. "reset_allocated_time=NULL, reset_token=NULL "
. "WHERE user_id=:id"; //<- error here
$result_newpass = $heidisql->prepare($sql);
$result_newpass->execute([':newpass'=>$newpass_hash, ':id'=>$userid]);
$sql = "UPDATE users SET
password_hashcode = '$newpass_hash',
reset_allocated_time = NULL,
reset_token = NULL
WHERE user_id = '$user['user_id']'";