更改密码页面

时间:2014-05-04 15:41:27

标签: php mysql

我在使用这个PHP代码时遇到了问题,这对我来说似乎合乎逻辑,但由于我是PHP和MySQL的新手,我显然是错的。 我正在尝试为作业设置更改密码页面,而我无法查看出错的地方,代码如下:

session_start();
if(isset($_SESSION['uname'])){
    echo "Welcome " . $_SESSION['uname'];
}
require_once 'PHP/Constants.php';
$conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or die ('There was a problem connecting to the database');
$query = "SELECT * FROM user";
$result = mysqli_query($conn, $query);
while ($pwdReq = mysqli_fetch_array($result)){
    if ($pwdReq['Password'] == $_POST['oldPwd']) {
        if ($_POST['confPwd'] == $_POST['newPwd']){
            $change = "INSERT INTO user(Password) VALUES ('newPwd')";
            $pwdChange = mysqli_query($conn, $change);
        } else return "The new passwords do not match!";
    } else return "Please enter a correct password!";
} 

我的页面正文如下:

<form method="post" action="">
    <h2>Change Password</h2>
    <p>
        <label for="oldPwd">Old Password:</label>
        <input type="password" name="oldPwd" />
    </p>
    <p>
        <label for="newPwd">New Password:</label>
        <input type="password" name="newPwd" />
    </p>
    <p>
        <label for="confPwd">Confirm Password:</label>
        <input type="password" name="confPwd" />
    </p>
    <p>
        <input type="submit" id="submit" value="Submit" name="submit" />
    </p>
</form>

当页面运行时,我得到的内容如下:

  

注意:未定义的索引:C:\ Program Files中的oldPwd   第11行的(x86)\ xampp \ htdocs \ Assignment \ change_password.php

提前感谢您提供的任何帮助 - 尼克

2 个答案:

答案 0 :(得分:0)

更改您的查询以仅为此用户选择字段,使用WHERE而不是抓取所有用户。您可能需要将WHERE uname =替换为您的用户名列。还使用mysqli real escape string添加一些针对SQL注入的保护。其他人建议不要使用bcrypt或类似功能以纯文本格式存储密码。

<?php
    session_start();
    if(isset($_SESSION['uname'])){
    echo "Welcome " . $_SESSION['uname'];
    }
    require_once 'PHP/Constants.php';
    $conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or die ('There was a problem connecting to the database');
    //Add following line to prevent injection.
    $newPwd = $conn->real_escape_string($_POST['newPwd']);
    $oldPwd = $conn->real_escape_string($_POST['oldPwd']);
    ////Change here: 
    $query = "SELECT * FROM user WHERE uname = $_SESSION['uname']";
    $result = mysqli_query($conn, $query);
    while ($pwdReq = mysqli_fetch_array($result)){
    if ($pwdReq['Password'] ==  $oldPwd) {
        if ($_POST['confPwd'] == $newPwd){
            $change = "INSERT INTO user(Password) VALUES ('$newPwd')";
            $pwdChange = mysqli_query($conn, $change);
        } else return "The new passwords do not match!";
    } else return "Please enter a correct password!";
    } 
    ?>

答案 1 :(得分:0)

  • 在执行任何操作之前,请务必检查您的POST值
  • 您应该选择与uname
  • 匹配的单个记录
  • 准备您的查询以避免SQL注入

这是您脚本的改进版本:

 <?php
session_start();
if(isset($_SESSION['uname'])){
    echo "Welcome " . $_SESSION['uname'];
}
if(isset($_POST['oldPwd']) && 
   isset($_POST['newPwd']) && 
   isset($_POST['confPwd']){
   //Values are set
    require_once 'PHP/Constants.php';
    $conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) 
            or die ('There was a problem connecting to the database');
    //Select user from DB where username matches Session
    $query = "SELECT * FROM user WHERE uname = ?";
    //prepare query
    $stmt = mysqli_prepare($conn, $query);
    mysqli_stmt_bind_param($stmt, "s", $_SESSION['uname']);
    $result = mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc($result);
    //get the password from DB
    $pwdReq = $row['Password'];

    if ($pwdReq == $_POST['oldPwd']){   
        if($_POST['confPwd'] == $_POST['newPwd'])) {
            $change = "INSERT INTO user(Password) VALUES (?)";
            $stmt = mysqli_prepare($conn, $change);
            mysqli_stmt_bind_param($stmt, "s", $_POST['newPwd']);
            mysqli_stmt_execute($stmt);
            echo "Password has been changed";
        } else{
         echo "The new password does not match confirmation";
        }
    }else{
        echo "Old password not matching the database";
    }
}else{
    echo "oldPwd, confPwd, or confPwd is not set";
}
?>

如果oldPwd, confPwd, or confPwd is not set您需要了解原因。这不再是PHP错误了。您需要查看html并确保脚本正在接收这些值