使用PHP和AJAX更改mysql密码

Question

我正在尝试更改密码模式。我的问题是，如果要更新密码，它将显示：“用户名不正确”。我怎么解决这个问题？我正在使用password = PASSWORD方法对密码进行哈希处理。我试图用$ _SESSION [“ username”]绑定param，但是没有用。

index.php

<form name="resetform" action="changepass.php" id="resetform" class="passform" method="post" role="form">
                    <h3>Change Your Password</h3>
                    <br />
                    <input type="text" name="username" value="<?php echo $_SESSION["username"]; ?>" ></input>
                    <label>Enter Old Password</label>
                    <input type="password" class="form-control" name="old_password" id="old_password">
                    <label>Enter New Password</label>
                    <input type="password" class="form-control" name="new_password" id="new_password">
                    <label>Confirm New Password</label>
                    <input type="password" class="form-control"  name="con_newpassword"  id="con_newpassword" />
                    <br>
                    <input type="submit" class="btn btn-warning" name="password_change" id="submit_btn" value="Change Password" />
                </form>

            <!--display success/error message-->
            <div id="message"></div>

<script>
   $(document).ready(function() {
        var frm = $('#resetform');
        frm.submit(function(e){
            e.preventDefault();

            var formData = frm.serialize();
            formData += '&' + $('#submit_btn').attr('name') + '=' + $('#submit_btn').attr('value');
            $.ajax({
                type: frm.attr('method'),
                url: frm.attr('action'),
                data: formData,
                success: function(data){
                    $('#message').html(data).delay(3000).fadeOut(3000);
                },
                error: function(jqXHR, textStatus, errorThrown) {
                    $('#message').html(textStatus).delay(2000).fadeOut(2000);
                }

            });
        });
    });
</script>

changepass.php

include_once 'include/connection.php';

    if (isset($_POST['password_change'])) {

        $username = strip_tags($_POST['username']);
        $password = strip_tags($_POST['old_password']);
        $newpassword = strip_tags($_POST['new_password']);
        $confirmnewpassword = strip_tags($_POST['con_newpassword']);

        // match username with the username in the database
        $sql = "SELECT * FROM `user` WHERE `username` = ? AND password = PASSWORD(?)";

        $query = $connect->prepare($sql);
        $query->bindParam(1, $username, PDO::PARAM_STR);
        $query->bindParam(2, $password, PDO::PARAM_STR);

        if($query->execute() && $query->rowCount()){
            $hash = $query->fetch();
            if ($password == $hash['password']){
                if($newpassword == $confirmnewpassword) {
                    $sql = "UPDATE `user` SET `password` = PASSWORD(?) WHERE `username` = ?";

                    $query = $connect->prepare($sql);
                    $query->bindParam(1, $newpassword, PDO::PARAM_STR);
                    $query->bindParam(2, $username, PDO::PARAM_STR);
                    if($query->execute()){
                        echo "Password Changed Successfully!";
                    }else{
                        echo "Password could not be updated";
                    }
                } else {
                    echo "Passwords do not match!";
                }
            }else{
                echo "Please type your current password accurately!";
            }
        }else{
            echo "Incorrect username";
        }
    }

Answer 1

您的第一个主要问题是您对strip_tags的使用，我不确定是谁告诉您在输入时执行此操作，但这是一个非常糟糕的做法。如果删除密码输入上的标签，则会降低使用<的任何密码的安全性。

strip_tags('A<dsf$tgee!'); // a strong password of 'A<dsf$tgee!' becomes a weak password of 'A'.

---

此条件也永远不会为真：

$password == $hash['password']

密码是通过MySQL的PASSWORD（）函数进行哈希处理的，因此纯文本$ password永远不会与MySQL中的密码列匹配。