无法将我的密码更新为db

时间:2016-10-21 02:37:47

标签: php pdo password-hash

从db获取密码后检查密码是否匹配,但仍然无法使用新密码更新我的数据库。

如果有人可以帮我解决这个问题,我将不胜感激。感谢。

这里是html代码:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Settings</title>
    <link rel="stylesheet" type="text/css" href="../css/loginstyle.css" />
    <link href="https://fonts.googleapis.com/css?family=Comfortaa" rel="stylesheet">
</head>
<body>

<?php if(!empty($message)): ?>
    <p><?=$message ?></p>
<?php endif; ?>

<h2 class="page-header">Settings</h2>
<p>Please edit the information</p>

<form action="settings.php" method="post">

    <input type="text" placeholder="Enter your email" name="email">
    <input type="password" placeholder="Enter your current password" name="old_password">
    <input type="password" placeholder="Enter your new password" name="new_password">
    <input type="password" placeholder="Confirm password" name="confirm_password">

    <input type="submit" name="submit" value="reset">
</form>

</body>
</html>

这里是php代码:

<?php

//start the session
session_start();

require 'database.php';

//$message='';

if (isset($_POST['submit'])){

    //check field
    $oldpassword = $_POST['old_password'];
    $newpassword = $_POST['new_password'];
    $confirmpassword = $_POST['confirm_password'];

    $message = '';

    //query to get password
    $query = $conn->prepare('SELECT password FROM users WHERE email = :email') or die("Query did'nt work");
    $query->bindParam(':email', $_POST['email']);
    $query->execute();
    $results = $query->fetch(PDO::FETCH_ASSOC);

    $oldpassworddb = $results['password'];

    //Check password
    if(count($results) > 0 && password_verify($oldpassword, $results['password']))
    {

        //check two new password
        if($newpassword==$confirmpassword)
        {
            //change password in database
            //echo "Success";  

            //enter new user and database
            $sql = ('UPDATE users SET password="$newpassword" WHERE email = :email');
            $query = $conn->prepare($sql);

            $query->bindParam(':email', $_POST['email']);
            $query->bindParam(':password',$newpassword);
            $newpassword = password_hash($newpassword, PASSWORD_BCRYPT);

            //$querychange->execute();

            session_destroy();
            die("Your password has been changed. <a href='index.php'>Return</a>to the main page.");


        }
        else{
            die("New password don't match");
        }
    }
    else
    {
        die("old password doesn't match");
    }
}
else
{

}

?>

2 个答案:

答案 0 :(得分:2)

您从未执行过预准备的语句,因此从未运行过查询。您还没有在语句中设置:password参数。 

        // Setup :password as a parameter, don't place variable in your statements
        $sql = ('UPDATE users SET password=:password WHERE email = :email');
        $query = $conn->prepare($sql);

        $query->bindParam(':email', $_POST['email']);
        $query->bindParam(':password',$newpassword);
        $newpassword = password_hash($newpassword, PASSWORD_BCRYPT);

        // Execute statement
        $query->execute();

另一件事突然出现在我身上的是密码哈希的顺序。即使您将$newpassword绑定为引用,在参数绑定之后进行散列也不是非常易读。记住可读性。

答案 1 :(得分:2)

PASSWORDkeyword,这就是您不应将其用作column name的原因。如果您坚持使用它,请在使用时使用backtick

$sql = ('UPDATE users SET `password` = :password WHERE email = :email');

然后execute

$query->execute();
相关问题
最新问题