此代码不会更改已登录用户的密码,而是更改为0,然后不允许我重新登录。我知道md5不是最安全的,因为这不会是一个专门用于项目的活动站点。但是,我愿意接受有关替代方案的建议。我在db中有两个字段,名为password和password2,一旦更改密码就需要更改。此外,错误消息不会显示。
<?php
session_start();
if (!isset($_SESSION["user_login"])) {
header("Location: sign_up.php");
} else {
$username = $_SESSION["user_login"];
}
include ("connect.php");
?>
<?php
//Variables
if(isset($_POST['change_pass_submit'])){
$oldpassword = $_POST['oldpassword'];
$newpassword1 = $_POST['newpassword1'];
$newpassword2 = $_POST['newpassword2'];
$pass_query = mysqli_query ($connect, "SELECT * FROM users WHERE email='$username'");
while ($row = mysqli_fetch_assoc($pass_query)) {
$existing_pass = $row ['password'];
//Checking if md5 encrypted password matches
$md5_oldpassword = md5($oldpassword);
//check if the old password and the old password entered now match
if ($md5_oldpassword == $existing_pass){
//check if the two new passwords match
if ($newpassword1 == $newpassword2) {
$md5_newpassword = md5($newpassword1);
$md5_newpassword2 = md5($newpassword2);
//Query to update the password
$password_update_query = mysqli_query($connect, "UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'");
echo "Your password has now changed!";
}
else{
echo "Your new password and re entered password does not match. Please try again.";
}
}
else {
echo "Your old password does not match. Please try again.";
}
}
}
?>
<div class="container">
<h3> Change your Password: </h3>
<form action="" method="POST" enctype="multipart/form-data">
<div class="form-group">
<label for="oldpassword">Old Password:</label>
<input type="oldpassword" class="form-control" name="oldpassword" placeholder="Enter old password" >
</div>
<div class="form-group">
<label for="newpassword1">New Password:</label>
<input type="newpassword1" class="form-control" name="newpassword1" placeholder="Enter new password" >
</div>
<div class="form-group">
<label for="newpassword2">New Password:</label>
<input type="newpassword2" class="form-control" name="newpassword2" placeholder="Re-Enter new password" >
</div>
<center>
<button type="submit" class="btn btn-primary" name="change_pass_submit" style=" background-color:#337AB7; color:white;">Change Password</button>
</center>
</form>
</div>
答案 0 :(得分:2)
您的查询中有错误:
"UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'"
应该是:
"UPDATE users SET password='$md5_newpassword', password2='$md5_newpassword2' WHERE email='$username'"
但是,您的查询中的错误是 NOT 这里的重大问题。 BIG的问题是您的代码是 EXTREMELY INSECURE :
password_hash和password_verify而非md5(md5散列算法已旧。已经确定了它的几个问题。对于密码散列,问题在于它被设计为快速。快速意味着它是easy to crack。快速意味着专用硬件可以做{{3} })。