I am doing a password reset page for my website and when a user puts a new password on the <form method="post" action="passVerif.php"> it goes to the PHP with this code:
Until now I cannot make the php compare the two new entered passwords to verify if they are equal or not, it simply jumps over that part.
P.S. don't mind the $senha = md5($password) it is like this for easy troubleshoot on localhost (MAMP).
<?php
session_start();
include("connectivity.php");
$user_id = $_SESSION['ResetUtilizadorID'];
$password1 = $_POST['password1'];
$password2 = $_POST['password2'];
$sql = mysqli_query($conn, "SELECT FROM usuarios WHERE id =".$user_id."");
$password = $password1;
$senha = md5($password);
$adminID = $_SESSION['usuarioNiveisAcessoId'];
if (strcmp($user_id,$adminID) == 0) {
$_SESSION['avisoReset'] = "not possible to change admin password.";
header('Location: ../login/reset_password.php');
} else {
while ($row = mysqli_fetch_array($query)) {
if ($senha == $row['senha']){
$_SESSION['avisoReset'] = "password taken";
header('Location: ../login/reset_password.php');
}
}
if ($password1 == $password2){
mysqli_query($conn, "UPDATE usuarios SET senha = '".$senha."' WHERE id='".$user_id."'");
$sql = 'SELECT * FROM usuarios';
$query = mysqli_query($conn, $sql);
if (!$query) {
die ('SQL Error: ' . mysqli_error($conn));
}
$_SESSION['avisoReset'] = "new passoword set";
//header('Location: ../login/reset_password.php');
} else {
$_SESSION['avisoReset'] = "Passwords not equal!";
header('Location: ../login/reset_password.php');
}
}
?>
答案 0 :(得分:0)
Why are you using strpos? strpos finds the position of the first occurrence of a substring in a string. So the password could be a subset of another string (the stored password) and still evaluate to true for your use case.
if (strpos($user_id,$adminID) == true)
You should instead use strcmp (Binary safe string comparison):
if (strcmp($user_id,$adminID) == 0)
答案 1 :(得分:0)
我通过添加用户名然后将用户输入数据与数据库进行比较来解决了这个问题。所以多个用户的问题任何机会使用相同的密码都是好的。