So I am trying to set up a new-password page.
I have a forgot-password page, where I send the user an e-mail by generating a token, which will help me make the link usable only once; once the password is generated, the token becomes NULL.
This is the template for the link:
$url = "..../test.php?token=$str&email=$email";
I receive the link in the e-mail, and then when I open the page, if the token is incorrect, I get the error.
<form action="test.php" method="post" class="login100-form validate-form">
    <div class="wrap-input100 validate-input m-b-50" data-validate="Enter password">
        <input type="password" class="input100" name="lalala" required/>
        <span class="focus-input100" data-placeholder="Parola"></span>
    </div>
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
if (isset($_GET["token"]) && isset($_GET["email"])) {
    $connection = new mysqli('myhostr.com', 'xxxxxxxxx', 'xxxxxxxxx', 'xxxxxx');
    $email = $connection->real_escape_string($_GET["email"]);
    $token = $connection->real_escape_string($_GET["token"]);
    $data = $connection->query("SELECT id FROM users WHERE email='$email' AND token='$token' AND token <> '' ");
    if (isset($_POST["register"]))
        if ($data->num_rows > 0)
        {
            $str = $connection->real_escape_string($_POST["lalala"]);
            $password = sha1($str);
            $connection->query("UPDATE users SET password = '$password', token = '' WHERE email='$email'");
            echo "<div class='alert success'>
            New password is: $str
            </div>";
        }
    if ($data->num_rows == 0)
    {
        echo "<div class='alert'>
        <span class='closebtn'>×</span>
        Invalid link!
        </div>";
    }
} else {
    header("Location: login.php");
    exit();
}
?>
    <input type="submit" class="login100-form-btn" name="register" value="Inregistrare" required />
    <br><br>
</form>
If the token is incorrect I get the error, but if I have a good token and press the register button, it redirects me to the login.php page, and in the database the password stays the same and the token is the same (it should be NULL).
I get no errors.
Answer (score: 0)
You need to handle the reset link and the update-password form separately. When the reset link is received, you show the update form. When the update form is received, you update the password.
I also show how to use prepared statements instead of substituting variables, to prevent SQL injection.
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);

// Open the connection once so that both branches below can use it
// (connection details elided in the original).
$connection = new mysqli(...);

if (isset($_GET["token"]) && isset($_GET["email"])) {
    // Process reset link
    $token = $_GET["token"];
    $email = $_GET["email"];
    $statement = $connection->prepare("SELECT id FROM users WHERE email = ? AND token = ? AND token <> '' ");
    $statement->bind_param("ss", $email, $token);
    $statement->execute();
    $statement->store_result();
    if ($statement->num_rows > 0) {
?>
    Enter the new password for <?php echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'); ?>:
    <form action="test.php" method="post" class="login100-form validate-form">
        <!-- Carry the e-mail and token into the POST so the password form can re-verify them;
             escape them so a crafted link cannot inject markup into the page -->
        <input type="hidden" name="email" value="<?php echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'); ?>">
        <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
        <div class="wrap-input100 validate-input m-b-50" data-validate="Enter password">
            <input type="password" class="input100" name="lalala" required/>
            <span class="focus-input100" data-placeholder="Parola"></span>
        </div>
        <input type="submit" class="login100-form-btn" name="register" value="Inregistrare" />
    </form>
<?php
    } else {
        echo "<div class='alert'>
        <span class='closebtn'>×</span>
        Invalid link!
        </div>";
    }
    exit();
}

if (isset($_POST["register"])) {
    // Process password form
    $token = $_POST["token"];
    $email = $_POST["email"];
    // password_hash() requires an algorithm; PASSWORD_DEFAULT is currently bcrypt
    $password = password_hash($_POST["lalala"], PASSWORD_DEFAULT);
    // Verify that the token is still correct
    $statement = $connection->prepare("SELECT id FROM users WHERE email = ? AND token = ? AND token <> '' ");
    $statement->bind_param("ss", $email, $token);
    $statement->execute();
    $statement->store_result();
    if ($statement->num_rows > 0) {
        $statement = $connection->prepare("UPDATE users SET password = ?, token = '' WHERE email = ? AND token = ?");
        $statement->bind_param("sss", $password, $email, $token);
        $statement->execute();
        // Confirm the change without echoing the new password back to the browser
        echo "<div class='alert success'>
        Password updated.
        </div>";
    } else {
        echo "<div class='alert'>
        <span class='closebtn'>×</span>
        Invalid token!
        </div>";
    }
    exit();
}

header("Location: login.php");
exit();
?>
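As an added example (not part of the question or the answer above), this is how the token side of the same flow can be done: a random token from random_bytes(), only its hash stored together with an expiry, and the token checked and cleared in the same UPDATE that sets the password, so the link really is single-use. The users columns token_hash and token_expires are assumed names.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed schema: users(email, password, token_hash VARCHAR(64), token_expires DATETIME).
// Only a SHA-256 of the token is stored, so reading the table does not yield working links.

function issue_reset_token(mysqli $db, string $email): ?string
{
    // 32 CSPRNG bytes, hex-encoded: this is the value that goes into the e-mail link
    // (urlencode() it when building the URL). Expiry is computed in SQL so the PHP and
    // MySQL clock/timezone settings do not have to agree.
    $token = bin2hex(random_bytes(32));
    $hash = hash('sha256', $token);
    $stmt = $db->prepare("UPDATE users SET token_hash = ?, token_expires = DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE email = ?");
    $stmt->bind_param('ss', $hash, $email);
    $stmt->execute();
    // null when no such account; the caller should still answer with the same neutral page.
    return $stmt->affected_rows === 1 ? $token : null;
}

function token_is_valid(mysqli $db, string $email, string $token): bool
{
    // Used on GET to decide whether to show the password form; does not consume the token.
    $hash = hash('sha256', $token);
    $stmt = $db->prepare("SELECT 1 FROM users WHERE email = ? AND token_hash = ? AND token_expires > NOW()");
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

function set_password_with_token(mysqli $db, string $email, string $token, string $newPassword): bool
{
    // Used on POST. Checking and clearing the token in the same UPDATE makes the link
    // single-use even when two submissions race: the WHERE clause fails for the second one.
    $hash = hash('sha256', $token);
    $pwHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE users SET password = ?, token_hash = NULL, token_expires = NULL WHERE email = ? AND token_hash = ? AND token_expires > NOW()");
    $stmt->bind_param('sss', $pwHash, $email, $hash);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}
```

The GET handler calls token_is_valid() before rendering the form, and the POST handler calls set_password_with_token() and shows the "invalid" message when it returns false.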