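For some reason, this code does not check the current password against the database, but it does change the password correctly. It is also able to connect to my database. It can also check whether the new password matches the confirm new password. This is the PHP that runs, which is probably what is wrong: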
<?php if(!defined('INCLUDE_CHECK')) header("Location: index.php"); ?>
<?php
/* irrelevant parts omitted */
if($_POST['submit']=='Change Password')
{
    // Checking whether the Change Password form has been submitted
    $err = array();
    // Will hold our errors
    if(!$_POST['password'] || !$_POST['newpassword'] || !$_POST['confirmpassword'])
        $err[] = 'All the fields must be filled in!';
    if(!count($err))
    {
        if($_POST['password'] != /* something should be here but i don't know what */)
            $err[] = 'Current password is incorrect!';
        if($_POST['newpassword'] != $_POST['confirmpassword'])
            $err[] = 'New passwords do not match!';
        if(!count($err))
        {
            $pass = $_POST['confirmpassword'];
            mysql_query(
                "UPDATE members
                SET pass='".md5($pass)."'
                WHERE id='{$_SESSION['id']}'"
            );
            $_SESSION['msg']['change-password-success']='Success your password has been changed!';
        }
    }
    if($err)
        $_SESSION['msg']['change-password-err'] = implode('<br />',$err);
    // Save the error messages in the session
    header("Location: change-password.php");
    exit;
}
?>
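Answer 0: (score: 2)
For some reason, this code does not check the current password against the database, but it does change the password correctly.
...Is this actually your code? Or is your question poorly worded?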
if($_POST['password'] != /* something should be here but i don't know what */)
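Because that is the reason the password is not being checked...
Also:
It can also connect to my database and check whether the new password matches the confirm new password.
No, it does not - it only checks the password against the other field the user typed in - it is not checking anything in the database:
if($_POST['newpassword'] != $_POST['confirmpassword'])
    $err[] = 'New passwords do not match!';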
Answer 1: (score: 1)
As far as I can see, there is nowhere in your script that calls the database to check the existing record...
$query = mysql_query("SELECT * FROM members WHERE id='{$_SESSION['id']}'");
$data = mysql_fetch_assoc($query);
if($data['pass'] == md5($_POST['confirmpassword'])){
    echo "Old and new password matches";
}
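Added example, not part of the question or either answer: one way to do the check both answers say is missing, loading the stored hash for the user and comparing the submitted current password against it before updating. The `members` table and `pass` column come from the question; the `changePassword` function name, the PDO/SQLite in-memory database and the sample row are assumptions constructed so the script runs on its own. It goes a little beyond the thread by using bound parameters and `password_hash()`/`password_verify()` while still accepting the existing `md5()` values.

```php
<?php
// Added example: table/column names follow the question; the in-memory SQLite
// database, the function name and the sample row are constructed assumptions.
function changePassword(PDO $db, int $userId, array $post): array
{
    $err = [];
    foreach (['password', 'newpassword', 'confirmpassword'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return ['All the fields must be filled in!'];
        }
    }
    // Fetch the stored hash for this user with a bound parameter.
    $stmt = $db->prepare('SELECT pass FROM members WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();   // false when the user row does not exist

    // The missing check: compare the submitted current password to the database.
    // Legacy rows hold md5() hex as in the question; newer rows hold password_hash() output.
    $isLegacy = is_string($stored) && preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = is_string($stored) && ($isLegacy
        ? hash_equals($stored, md5($post['password']))
        : password_verify($post['password'], $stored));
    if (!$ok) {
        $err[] = 'Current password is incorrect!';
    }
    if ($post['newpassword'] !== $post['confirmpassword']) {
        $err[] = 'New passwords do not match!';
    }
    if (!$err) {
        // Store a salted, slow hash instead of md5().
        $upd = $db->prepare('UPDATE members SET pass = ? WHERE id = ?');
        $upd->execute([password_hash($post['newpassword'], PASSWORD_DEFAULT), $userId]);
    }
    return $err;
}

// Constructed demo data: member 1, password "old-secret", stored as md5.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO members (id, pass) VALUES (1, ?)')->execute([md5('old-secret')]);

$new = ['newpassword' => 'n3w-pass', 'confirmpassword' => 'n3w-pass'];
var_dump(changePassword($db, 1, ['password' => 'guess'] + $new));      // wrong current password
var_dump(changePassword($db, 1, ['password' => 'old-secret'] + $new)); // correct current password
$hash = $db->query('SELECT pass FROM members WHERE id = 1')->fetchColumn();
var_dump(password_verify('n3w-pass', $hash));                          // new hash is in the table
```

In the question's script the user id would come from `$_SESSION['id']` and the input array from `$_POST`.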