I am building a login form: when a user registers on the website, they receive an activation code and a temporary password.
When the user registers, their password is immediately hashed with md5, and they receive the activation code by e-mail to activate the account; then, right after they log in, they are prompted to change their password.
The problem is that I still cannot figure out where my code goes wrong, because it fails to update and shows the error message: "old password not matched" (the old password does not match the old password in the database).
Thanks
    <?php
    //errors will be shown on localhost; if online they won't show up
    error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));
    //connection to database
    $conn = new mysqli("localhost", "root", "", "db");
    if ($conn->connect_errno) {
        die("Failed to connect to MySQL: " . $conn->connect_error);
    }
    //process if submitted
    if($_POST['submit']){
        //variables to save the inputted data into database
        $old_password = $_POST['old_password'];
        $new_password = $_POST['new_password'];
        $password_confirmation = $_POST['password_confirmation'];
        //check first on database
        //encrypt -> md5($user_password)
        $old_password = md5($old_password);
        $check = $conn->query("SELECT user_email FROM register_user WHERE user_password='$old_password'");
        if($check->num_rows)
        {
            //condition: old password same as in the database
            //minimum length of password is 5
            if(strlen($new_password) >= 5)
            {
                //if new password is at least 5 characters, continue below
                //condition: new password has to be the same as password confirmation
                if($new_password == $password_confirmation)
                {
                    //if all conditions are true, continue to change the database
                    //query UPDATE SET password = md5(new_password)
                    $new_password = md5($new_password);
                    $user_email = $_SESSION['user_email']; //session from login
                    $update = $conn->query("UPDATE register_user SET user_password='$new_password' WHERE user_email='$user_email'");
                    if($update)
                    {
                        //if update successful
                        echo 'Password successfully changed';
                    }
                    else
                    {
                        //if failed
                        echo 'failed to change password';
                    }
                }
                else
                {
                    //if password confirmation is not the same as new password
                    echo 'password confirmation not same';
                }
            }
            else
            {
                //if new password is shorter than 5
                echo 'Minimum password has to be 5 character';
            }
        }
        else
        {
            //if old password is not the same as in database
            echo 'old password not matched';
        }
    }
    ?>
    <!-- reset password form -->
    <form method="post" action="">
        <table>
            <tr>
                <td>Old Password</td>
                <td>:</td>
                <td><input type="password" name="old_password" required></td>
            </tr>
            <tr>
                <td>New Password</td>
                <td>:</td>
                <td><input type="password" name="new_password" required></td>
            </tr>
            <tr>
                <td>Password Confirmation</td>
                <td>:</td>
                <td><input type="password" name="password_confirmation" required></td>
            </tr>
            <tr>
                <td> </td>
                <td></td>
                <td><input type="submit" name="submit" value="change"></td>
            </tr>
        </table>
    </form>
Answer 0 (score: 0)
Please look into SQL injection and how to use bound parameters, because the code below is not secure and is only meant to answer your question.
    <?php
    $old_password = $_POST['old_password'];
    $new_password = $_POST['new_password'];
    $password_confirmation = $_POST['password_confirmation'];
    //encrypt -> md5($user_password)
    $old_password = md5($old_password);
    //getting user email
    $user_email= $_SESSION['user_email'];
    //checking the database
    $check = $conn->query("SELECT `user_email` FROM register_user WHERE `user_password`='$old_password' AND `user_email`='$user_email' ");
    if(($check->num_rows)==1)
    {
        //minimum length of new password is 5
        if(strlen($new_password) >= 5)
        {
            if($new_password == $password_confirmation)
            {
                //query UPDATE SET password = md5(new_password)
                $new_password = md5($new_password);
                $user_email = $_SESSION['user_email'];
                $update = $conn->query("UPDATE register_user SET `user_password`='$new_password' WHERE `user_email`='$user_email' ");
                if(($conn->affected_rows)==1)
                {
                    //if success
                    echo 'Password has been updated';
                }
                else
                {
                    //if fail
                    echo 'Fail to update';
                }
            }
            else
            {
                //if new password and password confirmation are different
                echo 'password confirmation is not matched';
            }
        }
        else
        {
            //if the password is shorter than 5
            echo 'Minimum password is 5 character';
        }
    }
    elseif(($conn->affected_rows)==0)
    {
        echo 'No such user exists';
    }
    elseif(($conn->affected_rows)>1)
    {
        echo 'Two or more users currently share the same email address please fix this error';
    }
    ?>
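A hardened version of the same change-password flow, added here as an example (it is neither the asker's nor the answerer's code): the old password never enters the SQL string, both queries use bound parameters, and the stored hash is checked with `password_verify()` instead of comparing md5 digests. It assumes the page's `register_user` table with `user_email` and `user_password` columns, that `user_password` holds `password_hash()` output, that `$_SESSION['user_email']` was set at login, and a mysqlnd build for `get_result()`.

```php
<?php
// Added example (not from the question or answer): prepared statements plus
// password_hash()/password_verify() for the change-password step.
// Assumes register_user(user_email, user_password) with password_hash() values
// and $_SESSION['user_email'] set at login.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "root", "", "db");

function change_password(mysqli $conn, string $email, string $old, string $new, string $confirm): string
{
    if (strlen($new) < 5) {
        return 'Minimum password has to be 5 characters';
    }
    if ($new !== $confirm) {
        return 'password confirmation not same';
    }
    // Fetch the hash for the logged-in user only; the submitted old password is
    // never interpolated into SQL, so another account's matching hash is irrelevant.
    $stmt = $conn->prepare("SELECT user_password FROM register_user WHERE user_email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($old, $row['user_password'])) {
        return 'old password not matched';
    }
    // password_hash() salts every call, so the new value always differs from the old row.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("UPDATE register_user SET user_password = ? WHERE user_email = ?");
    $stmt->bind_param("ss", $hash, $email);
    $stmt->execute();
    return $stmt->affected_rows === 1 ? 'Password successfully changed' : 'failed to change password';
}

if (isset($_POST['submit'], $_SESSION['user_email'])) {
    echo htmlspecialchars(change_password(
        $conn,
        $_SESSION['user_email'],
        $_POST['old_password'] ?? '',
        $_POST['new_password'] ?? '',
        $_POST['password_confirmation'] ?? ''
    ));
}
```

The md5 digests the question currently stores must be rehashed with `password_hash()` (for example at the user's next successful login) before this check will accept them.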