我已将以下代码放在一起。但由于某种原因,它拒绝更新数据库,并且无论输入什么,它都会回显$ error“您当前的密码不正确”。
以下是主要的changepassword.php
<?php
include 'core/init.php'; //connection to database and checks user sessions
protect_page(); //useres not loged in cannot access this page
if (empty($_POST) === false) {
$required_fields = array('current_password', 'password', 'password_again');
foreach($_POST as $key=>$value) {
if (empty($value) && in_array($key, $required_fields) === true) {
$errors[] = 'All fields marked with an * are required.'; //check that all fields are completed
break 1;
}
}
if (md5($_POST['current_password']) === $user_data['password']) { //if equal to current password
if (trim($_POST['password']) !== trim($_POST['password_again'])) {
$errors[] = 'Your new passwords do not match';
} else if (strlen($_POST['password']) < 6) {
$errors[] = 'Your password must be at least 6 characters';
}
} else {
$errors[] = 'Your current password is incorrect'; //else append error
}
}
include 'includes/overall/header.php';
?>
<h1>Change Password</h1>
<p>Change your account password here.</p>
<?php
if (isset($_GET['success']) && empty($_GET['success'])) {
echo 'Your password has been changed';
} else {
if (empty($_POST) === false && empty($errors) === true) {
change_password($session_user_id, $_POST['password']);
header('Location: changepassword.php?success');
} else if (empty($errors) === false) {
echo output_errors($errors);
}
?>
<form action="" method="post">
<ul>
<li>
Current Password*:<br>
<input type="password" name"current_password">
</li>
<li>
New Password*:<br>
<input type="password" name"password">
</li>
<li>
New Password Again*:<br>
<input type="password" name"password_again">
</li>
<li>
<input type="submit" name="Change Password" />
</li>
</ul>
</form>
<?php
}
include 'includes/overall/footer.php'; ?>
这是changepassword函数
//change password function
function change_password($membersID, $password) {
$membersID = (int)$membersID;
$password = md5($password);
//update password in database
mysql_query("UPDATE`members` SET`password` = '$password' WHERE`membersID` = $membersID");
}
user_data在这里声明
//user data variable to pass in sessionID and thus pass in their other details
if (logged_in() === true) {
$session_user_id = $_SESSION['membersID']; //picking up the particular user
$user_data = user_data($session_user_id, 'membersID', 'username','password', 'forename', 'surename', 'email', 'age'); //picks up the fields declared here - MAKE SURE TO PASS ALL paramameters you need to output.
if (user_active($user_data['username']) === false) {
session_destroy();
header('Location: index.php');
exit();
}
}
答案 0 :(得分:1)
抱歉,我的第一个回答不正确,但有关MD5的警告仍然存在:
请记住,您的密码架构非常不安全,您应该改进一些重点。
PDO或mysqli。请记住,通常您必须在SQL语句中转义字符串值(预准备语句或mysqli_real_escape_string())。您的示例将是安全的,因为MD5的输出始终是安全的。答案 1 :(得分:0)
查询缺少报价。
function change_password($membersID, $password) {
$membersID = (int)$membersID;
$password = mysql_real_escape_string(md5($password));
//update password in database
mysql_query("UPDATE members SET password = '$password' WHERE membersID = '$membersID';");
if (mysql_affected_rows > 0) {
return true;
} else {
return false;
}
}
if (empty($_POST) === false && empty($errors) === true) {
if(change_password($session_user_id, $_POST['password'])) {
// Redirect if change_password returns true
header('Location: changepassword.php?success');
} else {
// Give some error message
}
} else if (empty($errors) === false) {
echo output_errors($errors);
}
尝试这些更改,如果change_password函数返回false,我不知道您希望以何种方式处理错误。