php更改密码脚本问题
我在网站的“我的成员”部分有一个页面,允许用户更改密码。如果所有详细信息输入正确,则所有功能都正常 表单要求输入用户名、当前密码、新密码、确认新密码 如果用户输入了错误的用户名,表单不会更改他们的密码(如预期的那样),而是将他们引导到确认页面,而不是错误页面 此外,如果用户输入了错误的密码,表单会更改他们的密码并将他们引导到确认页面,而不是不更改密码并将他们引导到错误页面 我的代码贴在下面,如果有人能帮忙,我将不胜感激! 谢谢 梅尔 更改密码表单的php:php更改密码脚本问题,php,mysql,Php,Mysql,我在网站的“我的成员”部分有一个页面,允许用户更改密码。如果所有详细信息输入正确,则所有功能都正常 表单要求输入用户名、当前密码、新密码、确认新密码 如果用户输入了错误的用户名,表单不会更改他们的密码(如预期的那样),而是将他们引导到确认页面,而不是错误页面 此外,如果用户输入了错误的密码,表单会更改他们的密码并将他们引导到确认页面,而不是不更改密码并将他们引导到错误页面 我的代码贴在下面,如果有人能帮忙,我将不胜感激! 谢谢 梅尔 更改密码表单的php: <?php session
<?php
session_start();
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="table"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");
if(!$result)
{
header("location:error1.php");
}
if ($row = mysql_fetch_assoc($result))
{
header("location:error.php");
}
if($newpassword==$repeatnewpassword)
$sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");
if($sql)
{
header("location:success.php");
}
else
{
header("location:error3.php");
}
?>
您的sql应该是这样的:
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");
这个
还有这个
if ($row = mysql_fetch_assoc($result))
{
header("location:error.php");
}
意味着如果用户输入了正确的用户名,它将重定向到错误页面
改为
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");
你的问题就在这里-
if(!$result)
当用户输入错误的用户名时,查询将在数据库中搜索该用户,但找不到。因此,结果将包含空数据集,但查询仍然有效,因为您可以查询数据库并返回空数据集。所以你的$结果
检查将始终计算为true,除非出现DB错误
您不应只检查$result,而应执行以下操作-
if($newpassword==$repeatnewpassword)
{
// User's provided new password and repeatpassword matches, so keep going forward,
// query the database.
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");
if($result)
{
// Database query successful. Now check if that username exists in the database.
if(mysql_num_rows($result) <= 0)
{
// user has provided wrong username, take action accordingly
}
else
{
// Username found, now check for old password match
$row = mysql_fetch_array($result);
if($password==$row['password'])
{
// User's old password matches with DB. So, update password and
// forward him to confirmation page
}
else
{
// User's old password doesn't match with db. Show appropriate message
}
}
}
else
{
// Some DB error occurred. Handle it appropriately.
}
}
else
{
// User's new and repeat password don't match, so take action accordingly
}
要了解更多信息,请访问此处:
另外,在数据库中以纯文本格式存储密码也是一个坏主意。即使你不能看到你的网站用户提供的密码。使用函数设置密码,然后将其存储在数据库中。我已将您的代码编辑为更简单的方式
你应该试试这个::
<?php
session_start();
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="table"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '$password'");
if(!$result)
{
header("location:error1.php");
}
if(mysql_num_rows($result)){
if($newpassword==$repeatnewpassword){
$sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");
if($sql)
{
header("location:success.php");
}
else
{
// In case when problem while updating your new password
header("location:error3.php");
}
} else {
// In case when new-password and retype-password do not match
header("location:error_password_not_matched.php");
}
} else {
// In case of you have not correct User name and password
header("location:error.php");
}
?>
SQL可以注入到查询中。即使您是新手,也要确保您阅读了PHP代码的安全提示,特别是SQL注入。很抱歉,对于PHP,我绝对是新手。甚至用您的更改更新我的php文件都很困难!:-/@新手:继续尝试,你会很容易弄明白的:-)。我知道我很痛苦,但你有没有机会告诉我完整的代码应该是什么样子?@新手:可能你没有正确地使用if。如果您已经复制并粘贴了上述代码,那么您不应该这样做。我上面的回答只是想告诉你如何解决你的问题,你必须把它翻译成你自己用的。耶,它成功了!万分感谢!现在,为了弄清楚加密密码,我打算这么说。目前,无论是在SQL中还是在PHP中,都没有验证旧密码是否正确。如果旧密码是错误的,那么用户很有可能不是他假装的那个人。
if($newpassword==$repeatnewpassword)
{
// User's provided new password and repeatpassword matches, so keep going forward,
// query the database.
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");
if($result)
{
// Database query successful. Now check if that username exists in the database.
if(mysql_num_rows($result) <= 0)
{
// user has provided wrong username, take action accordingly
}
else
{
// Username found, now check for old password match
$row = mysql_fetch_array($result);
if($password==$row['password'])
{
// User's old password matches with DB. So, update password and
// forward him to confirmation page
}
else
{
// User's old password doesn't match with db. Show appropriate message
}
}
}
else
{
// Some DB error occurred. Handle it appropriately.
}
}
else
{
// User's new and repeat password don't match, so take action accordingly
}
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$newpassword = mysql_real_escape_string($_POST['newpassword']);
$repeatnewpassword = mysql_real_escape_string($_POST['repeatnewpassword']);
<?php
session_start();
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="table"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '$password'");
if(!$result)
{
header("location:error1.php");
}
if(mysql_num_rows($result)){
if($newpassword==$repeatnewpassword){
$sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");
if($sql)
{
header("location:success.php");
}
else
{
// In case when problem while updating your new password
header("location:error3.php");
}
} else {
// In case when new-password and retype-password do not match
header("location:error_password_not_matched.php");
}
} else {
// In case of you have not correct User name and password
header("location:error.php");
}
?>