格式化代码:
<?php
require_once 'connectvars.php';
if (isset($_POST['submit'])) {
//set vars
$oldpw = mysqli_real_escape_string($dbc, trim($_POST['oldpw']));
$newpw = mysqli_real_escape_string($dbc, trim($_POST['newpw']));
$retype = mysqli_real_escape_string($dbc, trim($_POST['retype']));
$query = mysqli_query($dbc, 'SELECT password from user_info WHERE password = "hash(\'SHA256\',$oldpw)" and user_id = "$SESSION[\'user_id\']"'); // this line is "not working well"
if (strlen($newpw) < 7) {
if (strlen($newpw) > 32 ) {
if (mysqli_num_row($query) == 1) {
if ($newpw == $retype) {
mysqli_query($dbc, "UPDATE user_info SET password = 'hash('SHA256',$newpw)'");
$msg = "You successfully changed your password";
}
else {
$msg = "Your old password doesn't match.";
}
}
else {
$msg = "You must enter your old password correct.";
}
}
else {
$msg = "Your password must contain 32 characters or less.";
}
}
else {
$msg = "Your new password must contain at least 7 characters.";
}
?>
答案 0 :(得分:0)
我想你想改进你的sql语法。
'SELECT password
from user_info
WHERE password = "hash(\'SHA256\',$oldpw)"
and user_id = "$SESSION[\'user_id\']"'
可能会更正为
"SELECT password
from user_info
WHERE password = '" . hash('SHA256',$oldpw) ."'
and user_id = '" . $_SESSION['user_id'] . "'"
正确地逃脱弦乐。尝试以相同的方式更正更新语句。