Fatal编程技术网
  • php/
  • Php 更改密码不需要';行不通

Php 更改密码不需要';行不通

php mysql

Php 更改密码不需要';行不通,php,mysql,change-password,Php,Mysql,Change Password,这是我的剧本 当我提交数据时,它不会在数据库中更新 我想再做一次更改,密码必须在md5转换时发送到数据库。 这是我的代码,我已将所有页面代码粘贴到下面 <?php //* // teacher_change_password.php // Teachers Section // Form to change password //* //Check if teacher is logged in session_start(); if(!isset($_SESSION['UserID']

这是我的剧本

当我提交数据时,它不会在数据库中更新 我想再做一次更改,密码必须在md5转换时发送到数据库。 这是我的代码,我已将所有页面代码粘贴到下面

<?php
//*
// teacher_change_password.php
// Teachers Section
// Form to change password
//*

//Check if teacher is logged in
session_start();
if(!isset($_SESSION['UserID']) || $_SESSION['UserType'] != "T")
  {
    header ("Location: index.php?action=notauth");
    exit;
}

//Inizialize databse functions
include_once "ez_sql.php";
//Include global functions
include_once "common.php";

// Include configuration
include_once "configuration.php";

$tfname=$_SESSION['tfname'];
$tlname=$_SESSION['tlname'];
$user_id=$_SESSION['UserId'];
$action=get_param("action");

if($action=="update"){
    $tpass=tosql(get_param("password"), "Text");
    $tpass=md5($tpass);
    $sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'";
    $db->query($sSQL);
}else{
    $sSQL="SELECT web_users_password FROM web_users WHERE web_users_id='". $user_id ."'";
    $tpass=$db->get_var($sSQL);

};

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title><?php echo _ADMIN_MAIN_MENU_TITLE?></title>
<style type="text/css" media="all">@import "student-teacher.css";</style>
<link rel="icon" href="favicon.ico" type="image/x-icon"><link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
<SCRIPT language="JavaScript">
/* Javascript function to submit form and check if field is empty */
function submitform(fldName)
{
  var f = document.forms[0];
  var t = f.elements[fldName]; 
  if (t.value!="") 
    f.submit();
  else
    alert("You have to enter a value !");
}
</script>
<script type="text/javascript" language="JavaScript" src="sms.js"></script>
</head>

<body>
<?php include "teacher_header.php"; ?>
<div id="Header">
<table width="100%">
  <tr>
    <td width="50%" align="left"><font size="2">&nbsp;&nbsp;<?php echo date(_DATE_FORMAT); ?></font></td>
    <td width="50%"><?php echo _WELCOME?>, <?php echo $tfname. " " .$tlname; ?></td>
  </tr>
</table>
</div>
<div id="Content">
    <?php
    if($action=="update"){
    ?>
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_SUCCESSFUL?></h1>
    <?php
    }else{
    ?>
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_TITLE?></h1>
    <br>
    <form name="changepass" method="POST" action="teacher_change_password.php">
    <input type="text" size="20" name="password" value="<?php echo $tpass; ?>" onchange="this.value=this.value.toLowerCase();">
    <br>
    <input type="hidden" name="action" value="update">
    <a class="aform" href="javascript: submitform('password')"><?php echo _TEACHER_CHANGE_PASSWORD_UPDATE?></a>                 
    </form>
    <?php
    };
    ?>
</div>
<?php include "teacher_menu.inc.php"; ?>
</body>

</html>

首先,似乎$db没有设置,而且我很确定
该行:


$sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'";



易受sql注入攻击,在$user_id上,我强烈建议阅读


不要使用MD5,它不再安全了,PHP提供了更好的方法来实现它。
您可能应该根据
MD5
的结果调用
tosql
,而不是参数。数据库详细信息是从配置中调用的。PHP是否可以提供关于$sSQL=“UPDATE web\u users SET web\u users\u password=”行的更好的安全代码$tpass.“'whereweb\u users\u id='”$用户id。“”;