Question

这是我的完整代码......

Connect.php

$connect = @mysql_connect ($host, $username, $password, $db_name) or die ('error');
$select = @mysql_select_db($db_name, $connect) or die('check');

密码.php

//forgot password update

include('C:\wamp\www\header.html');

//check if form has been submitted
include('C:\wamp\www\connect.php');


    //connecting to db
    $errors = array();


if(isset($_POST['submitted'])) {



    if (empty($_POST['username']))

    {
        $errors[]='Please enter a username.';
    }

    else
    {
      $u = mysqli_real_escape_string($connect,trim($_POST['username']));
    }

    //check for current password
    if (empty($_POST['password']))

    {
        $errors[]='Current password does not match.';
    }

    else
    {
      $p = mysqli_real_escape_string($connect,trim($_POST['password']));
    }

    //check for a new password and match with confirm pass.

    if(!empty($_POST['password1']))
    {
        if($_POST['password1'] != $_POST['cpass'])
        {
            $errors[] = 'The entered password and confirm password do not match.';
        }
        else
        {
            $np = mysqli_real_escape_string($connect,trim($_POST['password1']));
        }
    }
    if(empty($errors)){
    //if everything is fine.

    //verify the entered email address and password.

    $q="SELECT username FROM users WHERE (username='$u' AND password=SHA1('$p'))";
    $r=@mysqli_query($connect,$q);
    $num = @mysqli_num_rows($r);
    if($num==1)
    //if it matches.

    //get user id
    {
    $row=mysqli_fetch_array($r, MYSQLI_NUM);

    //udpdate query.

    $q="UPDATE users SET password= SHA1('$np') WHERE username=$row[0]";

    $r=@mysqli_query($connect, $q);

    if (mysqli_affected_rows($connect) ==1)

    {
        echo '<h3>Your password has been updated.</h3>';
    }

    else {
        echo '<h3>Whops! Your password cannot be changed due a system error. Try again later. Sorry</h3>';

    echo '<p>' .mysqli_error($connect). 'Query:' . $q.'</p>';
    }


    exit();
    }
    else 
    {

        //invalid email and password

        echo 'The entered username and password do not match.';
    }

}
    else 
    {
        //report the errors.

    echo '<h1> Err... </h1>
    <p> The following error(s) have occured</p>';

    foreach ($errors as $msg)
        {
            echo "--$msg<br />\n";
        }
        echo '</p><p>Please Try Again.</p><p><br/></p>';

    }
    mysqli_close($connect);
}

    ?>

<html>
<head></head>
<body>
<div id="container">
<h1>Change your password</h1>
<form action="password.php" method="post">
Username:<br>
<input type="text" name="username" size="20" maxlength="80" />
<br>
Current Password<br/>
<input type="password" name="password" />
<br/>
New Password<br/>
<input type="password" name="password1" />
<br/>
Confirm New Password<br/>
<input type="password" name="cpass" />
<br/>
<input type="submit" name="submit" value="Change Password"/>
<input type="hidden" name="submitted" value="TRUE"/>
</form>
</div>

<?php
include('C:\wamp\www\footer.html');
?>

Answer 1

http://www.php.net/manual/en/mysqli.real-escape-string.php

<强> mysqli_real_escape_string

<强>参数

链路

仅限程序样式：mysqli_connect()或mysqli_init()
返回的链接标识符
escapestr

要转义的字符串。

编码的字符是NUL（ASCII 0），\ n，\ r，\，'，“和Control-Z。

第一个参数必须是链接标识符，而不是包含数据库名称的字符串。

Answer 2

第一个参数必须是链接标识符，http://www.php.net/manual/en/function.mysqli-connect.php或http://www.php.net/manual/en/mysqli.init.php返回的值

块引用

mysqli_real_escape_string（）期望参数1为mysqli

2 个答案: