我只是PHP的新手,我正在尝试创建一个忘记密码功能我有以下代码
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("inventory", $con);
$a=$_POST['password'];
$b=$_POST['newpassword'];
$c=$_POST['retypepassword'];
$result = mysql_query("SELECT * from admins " );
while($row = mysql_fetch_array($result))
{
$password = $row['password'] ;
}
if($_POST['retypepassword'] != $b){
echo "<script type='text/javascript'>alert('Password Not match');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}
if($_POST['password'] != $password){
echo "<script type='text/javascript'>alert('You Provide wrong Password');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}
else {
mysql_query("UPDATE admins SET password = '$b'
WHERE password = '$a' ");
header("location: index.php?id=0");
};
?>
现在,问题是我只能更新插入数据库的最后一个帐号。比方说,例如我在我的数据库中有以下帐户,我想更改“greeg”,这没有任何问题。但如果我改变“gejel”(“数据库中的第一个值”) 它告诉我这个“你提供错误的密码”我不知道为什么我总是到这里来。我猜“哪里”有问题?请帮助帮助我:D
id |password |
1 | gejel |
2 | greeg |
答案 0 :(得分:0)
我认为问题出在您的while循环中。 mysql_query正在选择表中的所有条目,然后您遍历所有条目,因此将始终以表中的最后一个结束。您的查询需要看起来像:
$result = mysql_query("SELECT * from admins WHERE id = $id"); <-- added WHERE clause
您需要知道要更改密码的帐户,根据提供的当前密码,您不能这样做。如果2名管理员拥有相同的密码怎么办?
其次,这应该是不可能的,因为应该正在腌制和散列您的密码:http://php.net/manual/en/faq.passwords.php
第三,现在不推荐使用mysql_ *扩展,你应该立即停止使用它们。请改用MySQLi或PDO_MySQL。阅读大红框:http://php.net/manual/en/function.mysql-query.php
最后,我会建议一些关于SQL注入的研究,因为它看起来你的应用程序很可能是易受攻击的。从偏移量中获取这些东西比尝试稍后修补它们更好,并且使您更容易批次:http://en.wikipedia.org/wiki/SQL_injection
答案 1 :(得分:0)
将帐户ID放在两个查询中并正确转义变量以避免SQL injection。
与其他用户说的不推荐使用mysql_ *扩展名一样,我建议您改用PDO。
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("inventory", $con);
$id=$_POST['id'];
$a=$_POST['password'];
$b=$_POST['newpassword'];
$c=$_POST['retypepassword'];
$result = mysql_query("SELECT * FROM admins WHERE id = '" .$id. "'");
while($row = mysql_fetch_array($result))
{
$password = $row['password'] ;
}
if($_POST['retypepassword'] != $b){
echo "<script type='text/javascript'>alert('Password Not match');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}
if($_POST['password'] != $password){
echo "<script type='text/javascript'>alert('You Provide wrong Password');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}
else {
mysql_query("UPDATE admins SET password = '" .$b. "'
WHERE id = '" .$id. "'");
header("location: index.php?id=0");
};
?>
就像今天我心情很好我会给你一个 PDO示例:
<强> constants.php
<?php
define("DB_SERVER", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "inventory");
?>
<强> connection.php
<?php
require("constants.php");
try {
$con = new PDO('mysql:host=' . DB_SERVER . ';dbname=' . DB_NAME, DB_USER, DB_PASS,
array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",PDO::ATTR_PERSISTENT => true));
$con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
}
catch(PDOException $e)
{
echo 'Could not connect: ';
echo $e->getMessage();
}
?>
<强> your_file.php
<?php
include("connection.php");
$id=$_POST['id'];
$password=$_POST['password'];
$newpassword=$_POST['newpassword'];
$retypepassword=$_POST['retypepassword'];
$sql = "SELECT * FROM admins WHERE id = :id";
$sth = $dbh->prepare($sql);
$sth->bindValue(':id', $id, PDO::PARAM_INT);
$sth->execute();
while($row = $sth->fetch(PDO::FETCH_ASSOC)) {
$db_password = $row['password'] ;
}
if($retypepassword != $newpassword){
echo "<script type='text/javascript'>alert('Password Not match');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}
if($password != $db_password){
echo "<script type='text/javascript'>alert('You Provide wrong Password');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}else {
$sql = "UPDATE admins SET password = :newpassword WHERE id = :id";
$sth = $dbh->prepare($sql);
$sth->bindValue(':newpassword', $newpassword, PDO::PARAM_STR);
$sth->bindValue(':id', $id, PDO::PARAM_INT);
$sth->execute();
if($sth){
header("location: index.php?id=0");
}
};
?>
您需要搜索的另一点是Secure hash and salt for PHP passwords