尽管我已经尝试过但我无法理解为什么这段代码不起作用。每当我尝试使用此页面更改密码时,它都会提供错误的密码。
这是我必须为本网站工作的最后一页,所以任何帮助都将不胜感激。
<?php
require_once ("dbconnect.php");
// include file to do db connect
require_once ('checklog.php');
require_once ("functions.php");
session_start();
$username = ($_POST['username']);
$password = ($_POST['password']);
$newpassword = ($_POST['newpassword']);
$repeatpassword = ($_POST['repeatpassword']);
if (isset($_POST['submit'])) {
if ($username && $password) {
$hashpass = salt($password);
$query = "SELECT ID FROM users WHERE username='$username' AND password='$hashpass'";
if ($username == $datausername && salt($password) == $datapassword) {
// PASSWORD CHANGING IS DONE HERE
if ($newpassword == $repeatpassword) {
// From register
if (strlen($newpassword) > 25 || strlen($newpassword) < 6) {
$message = "Password must be 6-25 characters long";
}
else {
// part 8
// Process details here
if ($db_server) {
die("Unable to connect to MySQL: " . mysqli_connect_error());
$db_status = "not connected";
}
else {
if ($db_server) {
// clean the input now that we have a db connection
$newpassword = clean_string($db_server, $newpassword);
$repeatpassword = clean_string($db_server, $repeatpassword);
mysqli_select_db($db_server, $db_database);
$result = mysqli_query($db_server, $query);
if ($row = mysqli_fetch_array($result)) {
$message = "This is your current password. Please try again.";
}
else {
// Process further here
$newpassword = salt($newpassword);
$query = "UPDATE INTO users (password) VALUES ('$password')";
mysqli_query($db_server, $query) or die("Insert failed. " . mysqli_error($db_server));
$message = "<h1>Your password has been changed!</h1>";
}
mysqli_free_result($result);
}
else {
$message = "Error: could not connect to the database.";
}
mysqli_close($db_server);
// include file to do db close
}
}
// This code appears if passwords dont match
}
else {
$message = "<h1>Your new passwords do not match! Try again.</h1>";
}
}
else {
$message = "<h1>Incorrect password!</h1>";
}
}
else {
$message = "<h1>That user does not exist!</h1>" . "Please <a href='password.php'>try again</a>";
}
// Close connection!
}
else {
$message = "<h1>Please enter a valid username/password</h1>";
}
?>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<?php
include_once ("header.php");
?>
<div id="apDiv1"><span class="rich-list">
<title>Change your Password</title>
<h1>So you want to change your password, <?php
echo $_SESSION['username'];
?>?</h1>
<form action='password.php' method='POST'>
<div align="right">Current Username:
<input type='text' name='username'><br />
Current Password: <input type='password' name='password'><br />
New Password: <input type='password' name='newpassword'><br />
Repeat New Password: <input type='password' name='repeatpassword'><br />
<input type='submit' name='submit' value='Confirm'>
<input name='reset' type='reset' value='Reset'>
</div>
</form>
<?php
echo $message
?>
<?php
include_once ("footer.php");
?>
</div>
</body>
</html>
</body>
</html>
答案 0 :(得分:0)
暂时忽略代码中的许多不良做法,问题是您永远不会从数据库中检索用户的密码:
// $datausername and $datapassword have not been set, so this will always be false
if ($username == $datausername && salt($password) == $datapassword) {
// ... code
} else {
$message = "<h1>Incorrect password!</h1>";
}
您确实设置了$ query字符串,但是您忘记在数据库中运行实际查询并检索结果(如果有)。
要运行查询,首先要建立数据库连接:
$dbc = new mysqli("db_host", "db_user", "db_password", "db_name");
if (mysqli_connect_errno()) {
die("Could not connect to MySQL: " . mysqli_connect_error());
}
假设您在“dbconnect.php”文件中执行了此操作,因此现在您拥有有效的$ dbc连接和$ query字符串。以下内容将为您提供mysqli_result对象,如果查询失败,则为FALSE。
$result = $dbc->query($query);
有关如何使用该对象的更多信息,请参阅PHP手册。
另外,PHP有一个很好的内置函数叫password_hash - 我建议你使用它而不是看起来像自定义函数'salt'。
为了进一步改进您的代码,您应该了解SQL Injection以及如何避免它,例如使用prepared statements。
答案 1 :(得分:0)
我不知道&#39;盐&#39;函数已定义 - 您可能希望将其包含在帖子中。
我怀疑盐会选择一些随机盐,然后哈希 - 如果是这样,要验证,你需要使用加密密码中的盐,否则你会得到不同的结果。
所以,要验证密码: