I am trying to let a user update their password from the profile edit page after logging in. I have two problems. First, I get a warning:
Warning: PDOStatement::execute() expects at most 1 parameter, on line 115
which is the line
$stmt->execute(":password",$changed_password);
I have tried different syntaxes but keep getting an error here.
The second problem is that the password is not actually updated. Here is the code (including how I create the db connection for the current user):
<?php
session_start();
require_once 'class.user.php';
$user_home = new USER();
$msg = '';
if(!$user_home->is_logged_in())
{
$user_home->redirect('signin.php');
}
$stmt = $user_home->runQuery("SELECT * FROM user WHERE id=:uid");
$stmt->execute(array(":uid"=>$_SESSION['userSession']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// print_r($row['learner_type']);
?>
The code above sits at the top of my file. The following code runs after the form is submitted.
<?php
if(isset($_POST['reset_password']))
{
    $old_pass=$_POST['txtoldpassword'];
    $new_pass=$_POST['txtnewpass1'];
    $re_pass=$_POST['txtnewpass2'];
    if($row['password']==md5($old_pass)){
        if($new_pass==$re_pass){
            $changed_password=md5($re_pass);
            $email = $row['email'];
            $query = $user_home->runQuery("UPDATE user SET password='$changed_password' WHERE email='$email'") or die("Could not change password at this time.");
            $stmt->execute(":password",$changed_password);
?>
            <div class='alert alert-success alert-dismissible'>
                <button class='close' data-dismiss='alert'>×</button>
                <strong>Password Updated Successfully</strong>
            </div>
<?php
        }
        else{
?>
            <div class='alert alert-danger'>
                <button class='close' data-dismiss='alert'>×</button>
                <strong>Your new passwords do not match</strong>
            </div>
<?php
        }
    }
    else
    {
?>
        <div class='alert alert-danger'>
            <button class='close' data-dismiss='alert'>×</button>
            <strong>Your old password is incorrect</strong>
        </div>
<?php
    }
}
?>
Thanks for any help. Note that I have checked $email = $row['email']; it returns the currently logged-in user.
Answer 0 (score: 1)
You're making several mistakes: SQL injection, bad PDO usage.
Don't use variables right in your query. Use binding as you do in your connection setup:
// wrong
$query = $user_home->runQuery("UPDATE user SET password='$changed_password' WHERE email='$email'")
// correct
$query = $user_home->runQuery("UPDATE user SET password=:password WHERE email=:email")
You are using binding, but your query doesn't contain what you are trying to bind.
With the SQL injection fix you can try two options:
// bind with specific function
$query->bindParam(':password', $changed_password);
$query->bindParam(':email', $email);
// bind in execute() function
$query->execute([
':password' => $changed_password,
':email' => $email,
]);
Read more about PDO and the execute() function here: https://secure.php.net/manual/en/pdostatement.execute.php
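As an added example (not code from the question or the answer), here is the same password-change flow written with every value bound through PDO and with password_hash()/password_verify() in place of md(), which is unsalted and fast and so unsuitable for storing passwords. It assumes a PDO handle in $pdo with exceptions enabled, the session key 'userSession' and the 'user' table and column names from the question, and that stored hashes were already produced by password_hash() (existing md5 digests would need migrating first).

```php
<?php
// Added example: hardened password change with bound parameters.
// Assumes $pdo is a PDO connection and the 'user' table has 'id' and
// 'password' columns, as in the question.

function change_password(PDO $pdo, int $userId, string $oldPass, string $newPass, string $rePass): string
{
    if ($newPass !== $rePass) {
        return 'Your new passwords do not match';
    }

    // The user id is bound, never interpolated into the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM user WHERE id = :uid');
    $stmt->execute([':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the old password against the stored salted hash.
    if ($row === false || !password_verify($oldPass, $row['password'])) {
        return 'Your old password is incorrect';
    }

    $hash = password_hash($newPass, PASSWORD_DEFAULT);

    // The placeholders in the SQL and the keys passed to execute() must match;
    // execute() takes one array argument, not a name/value pair.
    $update = $pdo->prepare('UPDATE user SET password = :password WHERE id = :uid');
    $update->execute([':password' => $hash, ':uid' => $userId]);

    // rowCount() reports whether the UPDATE actually touched a row.
    return $update->rowCount() === 1
        ? 'Password Updated Successfully'
        : 'Could not change password at this time.';
}

// Usage inside the form handler from the question (hypothetical wiring):
// $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// if (isset($_POST['reset_password'])) {
//     $msg = change_password($pdo, (int) $_SESSION['userSession'],
//         $_POST['txtoldpassword'], $_POST['txtnewpass1'], $_POST['txtnewpass2']);
// }
```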