我在使用这个PHP代码时遇到了问题,这对我来说似乎合乎逻辑,但由于我是PHP和MySQL的新手,我显然是错的。 我正在尝试为作业设置更改密码页面,而我无法查看出错的地方,代码如下:
session_start();
if(isset($_SESSION['uname'])){
echo "Welcome " . $_SESSION['uname'];
}
require_once 'PHP/Constants.php';
$conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or die ('There was a problem connecting to the database');
$query = "SELECT * FROM user";
$result = mysqli_query($conn, $query);
while ($pwdReq = mysqli_fetch_array($result)){
if ($pwdReq['Password'] == $_POST['oldPwd']) {
if ($_POST['confPwd'] == $_POST['newPwd']){
$change = "INSERT INTO user(Password) VALUES ('newPwd')";
$pwdChange = mysqli_query($conn, $change);
} else return "The new passwords do not match!";
} else return "Please enter a correct password!";
}
我的页面正文如下:
<form method="post" action="">
<h2>Change Password</h2>
<p>
<label for="oldPwd">Old Password:</label>
<input type="password" name="oldPwd" />
</p>
<p>
<label for="newPwd">New Password:</label>
<input type="password" name="newPwd" />
</p>
<p>
<label for="confPwd">Confirm Password:</label>
<input type="password" name="confPwd" />
</p>
<p>
<input type="submit" id="submit" value="Submit" name="submit" />
</p>
</form>
当页面运行时,我得到的内容如下:
注意:未定义的索引:C:\ Program Files中的oldPwd 第11行的(x86)\ xampp \ htdocs \ Assignment \ change_password.php
提前感谢您提供的任何帮助 - 尼克
答案 0 :(得分:0)
更改您的查询以仅为此用户选择字段,使用WHERE而不是抓取所有用户。您可能需要将WHERE uname =替换为您的用户名列。还使用mysqli real escape string添加一些针对SQL注入的保护。其他人建议不要使用bcrypt或类似功能以纯文本格式存储密码。
<?php
session_start();
if(isset($_SESSION['uname'])){
echo "Welcome " . $_SESSION['uname'];
}
require_once 'PHP/Constants.php';
$conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or die ('There was a problem connecting to the database');
//Add following line to prevent injection.
$newPwd = $conn->real_escape_string($_POST['newPwd']);
$oldPwd = $conn->real_escape_string($_POST['oldPwd']);
////Change here:
$query = "SELECT * FROM user WHERE uname = $_SESSION['uname']";
$result = mysqli_query($conn, $query);
while ($pwdReq = mysqli_fetch_array($result)){
if ($pwdReq['Password'] == $oldPwd) {
if ($_POST['confPwd'] == $newPwd){
$change = "INSERT INTO user(Password) VALUES ('$newPwd')";
$pwdChange = mysqli_query($conn, $change);
} else return "The new passwords do not match!";
} else return "Please enter a correct password!";
}
?>
答案 1 :(得分:0)
uname SQL注入这是您脚本的改进版本:
<?php
session_start();
if(isset($_SESSION['uname'])){
echo "Welcome " . $_SESSION['uname'];
}
if(isset($_POST['oldPwd']) &&
isset($_POST['newPwd']) &&
isset($_POST['confPwd']){
//Values are set
require_once 'PHP/Constants.php';
$conn = new MySQLi(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME)
or die ('There was a problem connecting to the database');
//Select user from DB where username matches Session
$query = "SELECT * FROM user WHERE uname = ?";
//prepare query
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, "s", $_SESSION['uname']);
$result = mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc($result);
//get the password from DB
$pwdReq = $row['Password'];
if ($pwdReq == $_POST['oldPwd']){
if($_POST['confPwd'] == $_POST['newPwd'])) {
$change = "INSERT INTO user(Password) VALUES (?)";
$stmt = mysqli_prepare($conn, $change);
mysqli_stmt_bind_param($stmt, "s", $_POST['newPwd']);
mysqli_stmt_execute($stmt);
echo "Password has been changed";
} else{
echo "The new password does not match confirmation";
}
}else{
echo "Old password not matching the database";
}
}else{
echo "oldPwd, confPwd, or confPwd is not set";
}
?>
如果oldPwd, confPwd, or confPwd is not set您需要了解原因。这不再是PHP错误了。您需要查看html并确保脚本正在接收这些值