Question

这是我的剧本

当我提交数据时，它没有在数据库中更新我想再做一次更改，密码必须在md5转换后发送到数据库。这是我的代码，我已粘贴下面的所有页面代码

<?php
//*
// teacher_change_password.php
// Teachers Section
// Form to change password
//*

//Check if teacher is logged in
session_start();
if(!isset($_SESSION['UserID']) || $_SESSION['UserType'] != "T")
  {
    header ("Location: index.php?action=notauth");
    exit;
}

//Inizialize databse functions
include_once "ez_sql.php";
//Include global functions
include_once "common.php";

// Include configuration
include_once "configuration.php";

$tfname=$_SESSION['tfname'];
$tlname=$_SESSION['tlname'];
$user_id=$_SESSION['UserId'];
$action=get_param("action");

if($action=="update"){
    $tpass=tosql(get_param("password"), "Text");
    $tpass=md5($tpass);
    $sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'";
    $db->query($sSQL);
}else{
    $sSQL="SELECT web_users_password FROM web_users WHERE web_users_id='". $user_id ."'";
    $tpass=$db->get_var($sSQL);

};

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title><?php echo _ADMIN_MAIN_MENU_TITLE?></title>
<style type="text/css" media="all">@import "student-teacher.css";</style>
<link rel="icon" href="favicon.ico" type="image/x-icon"><link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
<SCRIPT language="JavaScript">
/* Javascript function to submit form and check if field is empty */
function submitform(fldName)
{
  var f = document.forms[0];
  var t = f.elements[fldName]; 
  if (t.value!="") 
    f.submit();
  else
    alert("You have to enter a value !");
}
</script>
<script type="text/javascript" language="JavaScript" src="sms.js"></script>
</head>

<body>
<?php include "teacher_header.php"; ?>
<div id="Header">
<table width="100%">
  <tr>
    <td width="50%" align="left"><font size="2">&nbsp;&nbsp;<?php echo date(_DATE_FORMAT); ?></font></td>
    <td width="50%"><?php echo _WELCOME?>, <?php echo $tfname. " " .$tlname; ?></td>
  </tr>
</table>
</div>
<div id="Content">
    <?php
    if($action=="update"){
    ?>
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_SUCCESSFUL?></h1>
    <?php
    }else{
    ?>
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_TITLE?></h1>
    <br>
    <form name="changepass" method="POST" action="teacher_change_password.php">
    <input type="text" size="20" name="password" value="<?php echo $tpass; ?>" onchange="this.value=this.value.toLowerCase();">
    <br>
    <input type="hidden" name="action" value="update">
    <a class="aform" href="javascript: submitform('password')"><?php echo _TEACHER_CHANGE_PASSWORD_UPDATE?></a>                 
    </form>
    <?php
    };
    ?>
</div>
<?php include "teacher_menu.inc.php"; ?>
</body>

</html>

Answer 1

首先，似乎没有设置$ db，我也很确定这一行：

$sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'";

在$ user_id

上，

容易受到sql注入攻击

Answer 2

我强烈建议您阅读Safe Password Hashing

不要使用MD5，它不再安全，PHP提供了更好的方法。

更改密码不起作用

2 个答案: