我正在尝试在小型登录应用程序上使用php更改密码。当我提交表单时,它会正确进入“登录”页面,没有任何问题,但密码不会更改。我没有在代码中看到任何错误。不确定这是一个查询错误还是我做的变量绑定错误。有什么想法吗?
<?php
// Initialize variables
$password = $confirm_password = "";
$password_err = $confirm_password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate password
if(empty(trim($_POST['password']))){
$password_err = "Please enter a password.";
} elseif(strlen(trim($_POST['password'])) < 6){
$password_err = "Password must have at least 6 characters.";
} elseif(!preg_match("#[0-9]+#", trim($_POST['password']))){
$password_err = "Password must have at least 1 number.";
} elseif(!preg_match("#[a-z]+#", trim($_POST['password']))){
$password_err = "Password must have at least 1 lowercase character.";
} elseif(!preg_match("#[A-Z]+#", trim($_POST['password']))){
$password_err = "Password must have at least 1 uppercase character.";
} else{
$password = trim($_POST['password']);
}
// Validate password_confirm
if(empty(trim($_POST["confirm_password"]))){
$confirm_password_err = 'Please confirm password.';
} else{
$confirm_password = trim($_POST['confirm_password']);
if($password != $confirm_password){
$confirm_password_err = 'Password did not match.';
}
}
if(empty($password_err) && empty($confirm_password_err)) {
// Prepare an update statement
$sql = "UPDATE users SET password = ? WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ss", $param_password, $param_username);
// Set parameters
$param_password = password_hash($password, PASSWORD_DEFAULT); // Creates a password hash
$param_username = $username;
if(mysqli_stmt_execute($stmt)){
} else {
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
// Close connection
mysqli_close($link);
// Redirect to logout
header("location: logout.php");
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Change Password</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
<style type="text/css">
body{ font: 14px sans-serif; }
.wrapper{ width: 350px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Change Password</h2>
<p>Please fill this form to change password.</p>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post" autocomplete="off">
<div class="form-group <?php echo (!empty($password_err)) ? 'has-error' : ''; ?>">
<label>New Password:<sup>*</sup></label>
<input type="password" name="password" class="form-control" value="<?php echo $password; ?>">
<span class="help-block"><?php echo $password_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($confirm_password_err)) ? 'has-error' : ''; ?>">
<label>Confirm Password:<sup>*</sup></label>
<input type="password" name="confirm_password" class="form-control" value="<?php echo $confirm_password; ?>">
<span class="help-block"><?php echo $confirm_password_err; ?></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Submit">
<input type="reset" class="btn btn-default" value="Reset">
</div>
</form>
</div>
</body>
</html>
这是我的login.php:
<?php
// Include config file
require_once 'config.php';
// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Check if username is empty
if(empty(trim($_POST["username"]))){
$username_err = 'Please enter username.';
} else{
$username = trim($_POST["username"]);
}
// Check if password is empty
if(empty(trim($_POST['password']))){
$password_err = 'Please enter your password.';
} else{
$password = trim($_POST['password']);
}
// Validate credentials
if(empty($username_err) && empty($password_err)){
// Prepare a select statement
$sql = "SELECT username, password FROM users WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
// Set parameters
$param_username = $username;
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
if(mysqli_stmt_num_rows($stmt) == 1){
// Bind result variables
mysqli_stmt_bind_result($stmt, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
if(password_verify($password, $hashed_password)){
/* Password is correct, so start a new session and
save the username to the session */
if($stmt = mysqli_prepare($link)){
mysqli_stmt_bind_param($stmt, "ss", $param_username);
$param_username = $username;
if(mysqli_stmt_execute($stmt)){
} else {
echo "Oops! Something went wrong. Please try again later.";
}
}
session_start();
$_SESSION['username'] = $username;
header("location: welcome.php");
} else{
// Display an error message if password is not valid
$password_err = 'You have entered an invalid username or password.';
}
}
} else{
// Display an error message if username doesn't exist
$username_err = 'You have entered an invalid username or password.';
}
} else{
echo "Oops! Something went wrong. Please try again later.";
}
}
// Close statement
mysqli_stmt_close($stmt);
}
// Close connection
mysqli_close($link);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
<style type="text/css">
body{ font: 14px sans-serif; }
.wrapper{ width: 350px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Login</h2>
<p>Please fill in your credentials to login.</p>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post" autocomplete="off">
<div class="form-group <?php echo (!empty($username_err)) ? 'has-error' : ''; ?>">
<label>Username:<sup>*</sup></label>
<input type="text" name="username"class="form-control" value="<?php echo $username; ?>">
<span class="help-block"><?php echo $username_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($password_err)) ? 'has-error' : ''; ?>">
<label>Password:<sup>*</sup></label>
<input type="password" name="password" class="form-control">
<span class="help-block"><?php echo $password_err; ?></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Submit">
</div>
<p>Don't have an account? <a href="register.php">Sign up now</a>.</p>
</form>
</div>
</body>
</html>
答案 0 :(得分:3)
永远不会声明$username变量...我不知道你从哪里获取用户名,但无论在哪里,都应该使用它。
我看到您希望使用用户名作为更新和其他所有内容的主键。这很酷,不是我的个人方法,但那很好。由于我无法在您的代码中看到目前为止获取更新的用户名,因此我猜您使用的是$_SESSION或$_COOKIE。
无论情况如何,您都应该使用该信息来设置SQL查询的变量。否则它将完全为空,因此SQL查询实际上看起来像这样:
UPDATE `users` SET `password` = '$2y&scfncekr3kj437hdw8e7' WHERE `username` = ''
这根本不会做任何事。
你应该在>之前设置参数(变量)。
// Set parameters (variables)
$param_password = password_hash($password, PASSWORD_DEFAULT); // Creates a password hash
$param_username = $username; // this should be empty so far... maybe $_SESSION['username'] ??
// Bind parameters to the prepared statement
mysqli_stmt_bind_param($stmt, "ss", $param_password, $param_username);
我并不是说订单是个问题,因为$username永远不会被设置的事实,但它只是更清晰。