PHP和MySQL更改登录用户密码表单不更新密码

时间:2018-03-25 18:35:06

标签: php mysql pdo login warnings

我尝试允许用户在配置文件编辑页面中登录后更新其密码。我有两个问题。首先是我收到一条警告

  

警告:PDOStatement :: execute()最多需要1个参数,第115行

$stmt->execute(":password",$changed_password);

我尝试了不同的语法但在这里遇到错误。

第二个问题是密码实际上没有更新。这是代码(包括我如何为当前用户创建与db的连接)

<?php
  session_start();
  require_once 'class.user.php';
  $user_home = new USER();
  $msg = '';

  if(!$user_home->is_logged_in())
  {
     $user_home->redirect('signin.php');
  }

  $stmt = $user_home->runQuery("SELECT * FROM user WHERE id=:uid");
  $stmt->execute(array(":uid"=>$_SESSION['userSession']));
  $row = $stmt->fetch(PDO::FETCH_ASSOC);

  // print_r($row['learner_type']);
  ?>

以上代码位于我的文件的开头。 提交表单后会触发以下代码。

<?php
        if(isset($_POST['reset_password']))
        {
            $old_pass=$_POST['txtoldpassword'];
            $new_pass=$_POST['txtnewpass1'];
            $re_pass=$_POST['txtnewpass2'];

            if($row['password']==md5($old_pass)){
                if($new_pass==$re_pass){
                    $changed_password=md5($re_pass);
                    $email = $row['email'];
                    $query = $user_home->runQuery("UPDATE user SET password='$changed_password' WHERE email='$email'") or die("Could not change password at this time.");
                    $stmt->execute(":password",$changed_password);

                    ?>

                      <div class='alert alert-success alert-dismissible'>
                        <button class='close' data-dismiss='alert'>&times;</button>
                            <strong>Password Updated Successfully</strong>
                      </div>

                <?php
                }
                else{
                    ?>

                      <div class='alert alert-danger'>
                        <button class='close' data-dismiss='alert'>&times;</button>
                            <strong>Your new passwords do not match</strong>
                      </div>

                <?php
                }
            }
            else
            {
                ?>

                      <div class='alert alert-danger'>
                        <button class='close' data-dismiss='alert'>&times;</button>
                            <strong>Your old password is incorrect</strong>
                      </div>

            <?php
            }
        }
        ?>

感谢您提供任何帮助。请注意,我已经检查过$ email = $ row [&#39; email&#39;];它将返回当前登录的用户。

1 个答案:

答案 0 :(得分:1)

You're making several mistakes : SQL injection, bad PDO usage

SQL injection

Don't use variable right in your query. Use binding as you do in your connexion setup :

// wrong
$query = $user_home->runQuery("UPDATE user SET password='$changed_password' WHERE email='$email'")

// correct
$query = $user_home->runQuery("UPDATE user SET password=:password WHERE email=:email")

Bad PDO usage

You are using binding but your query doesn't contain what you are trying to bind

With the SQL injection fix you can try two options :

// bind with specific function
$query->bindParam(':password', $changed_password);
$query->bindParam(':email', $email);

// bind in execute() function
$query->execute([
    ':password' => $changed_password,
    ':email'    => $email,
]);

Read more about PDO and execute() function here : https://secure.php.net/manual/en/pdostatement.execute.php

相关问题
最新问题