另一位程序员负责忘记密码脚本中的校验和匹配部分,我负责GUI部分。我很难理解查询中的MD5部分。通过测试,我发现了这个问题。那么,怎样才能命中"密码更改成功"的条件呢?我传入的是类似 reset_pass.php?encrypt = cd00692c3bfe59267d5ecfac5310286c&action = reset 这样的内容(测试数据)。感谢您的帮助。
我对此进行了测试,以查看md5部分是问题所在(我成功了,但是删除该密码时未更改密码)。
...
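/**
 * Report whether a reset token matches a request sent less than four hours ago.
 *
 * The token is compared against md5((90*3)+resetid) for rows of
 * password_reset_requests that join to an existing user.
 *
 * NOTE(review): the token is derived only from resetid and a fixed constant.
 * If resetid is a sequential id (confirm against the schema), the token is
 * guessable and does not prove that the caller received the reset message.
 * Store a cryptographically random token per request and compare against
 * that instead.
 * NOTE(review): the query does not filter on the request's status column, so
 * a request that was already marked 'used' still validates until the
 * four-hour window closes. Add the filter once the column's initial value is
 * known.
 *
 * @param string $encrypt Token taken from the reset link or form.
 * @return bool True when a matching, unexpired request exists; false
 *              otherwise, including when the query fails.
 */
function IsValidLink($encrypt)
{
    global $mysql_connect;

    // The SQL side produces a 32-character hex MD5 digest, so any other
    // shape can never match. Rejecting it here also means the value that is
    // concatenated below holds only hex digits, whether or not the caller
    // escaped it.
    if (!is_string($encrypt) || !preg_match('/\A[0-9a-f]{32}\z/i', $encrypt)) {
        return false;
    }

    $Query = "SELECT LNK.resetid FROM password_reset_requests LNK INNER JOIN users USI ON LNK.user_id=USI.id WHERE md5((90*3)+resetid)='".$encrypt."' AND DATE_ADD(dtsent , INTERVAL 4 HOUR) > now()";

    // Use the shared connection explicitly, as the other queries in this
    // script do, instead of relying on the last opened link.
    $result = mysql_query($Query, $mysql_connect);
    if ($result === false) {
        // Query failed: treat as "not valid" rather than passing false on
        // to mysql_num_rows().
        return false;
    }

    return mysql_num_rows($result) > 0;
}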
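// GET with action=reset: the reset link was opened. This branch only decides
// which error message, if any, to show; it does not change the password.
if (isset($_GET['action']))
{
    if ($_GET['action'] == "reset")
    {
        // A missing or non-string "encrypt" parameter (for example an array)
        // is handled as an empty token, which ends in the "Invalid password
        // token" message below instead of raising notices.
        $encrypt = mysql_real_escape_string(
            (isset($_GET['encrypt']) && is_string($_GET['encrypt'])) ? $_GET['encrypt'] : ''
        );

        // First check: does any reset request produce this token at all?
        $Query = sprintf("SELECT resetid FROM password_reset_requests WHERE md5((90*3)+resetid)='%s'",$encrypt);
        $result = mysql_query($Query, $mysql_connect);

        // mysql_query() returns false on failure; count that as "no match"
        // instead of handing false to mysql_num_rows().
        $RowCount = ($result !== false) ? mysql_num_rows($result) : 0;

        if ($RowCount > 0)
        {
            // Second check: the token exists, so a failure here means the
            // four-hour window tested by IsValidLink() has passed.
            if (!IsValidLink($encrypt))
                $ErrMsg = "Reset password token has expired. please try again with new <a href=\"".$ForgotPass_URL."\">Forget Password</a>";
        }
        else
            $ErrMsg = "Invalid password token. please try again with new <a href=\"".$ForgotPass_URL."\">Forget Password</a>";
    }
}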
// POST with an "action" field: reads the token ("encrypt") and the new
// password ("newpass") and, if the token is still valid, updates the user.
// The value of $_POST['action'] itself is never compared.
// NOTE(review): the token is md5(270 + resetid). If resetid is a sequential
// id (confirm against the schema), the token is guessable and should be
// replaced by a stored cryptographically random value, because this branch
// changes a password on the strength of the token alone.
elseif(isset($_POST['action']))
{
$encrypt = mysql_real_escape_string($_POST['encrypt']);
// NOTE(review): the password is SQL-escaped before it is hashed below, so a
// password containing quotes or backslashes is altered before md5() sees it.
// Hash the raw value and escape only what is placed into SQL.
$NewPassword = mysql_real_escape_string($_POST['newpass']);
// Re-check the token and its four-hour window at submit time.
if(IsValidLink($encrypt))
{
// Fetch the reset request and its user with the same token expression.
$Query = "SELECT LNK.resetid,LNK.user_id,USI.email,USI.name,USI.password FROM password_reset_requests LNK INNER JOIN users USI ON LNK.user_id=USI.id WHERE md5((90*3)+resetid)='".$encrypt."'";
$result = mysql_query($Query,$mysql_connect);
if($objResult=mysql_fetch_object($result))
{
// NOTE(review): unsalted MD5 is not a password hash; it is cheap to
// brute-force offline. password_hash()/password_verify() is the fix, but the
// login check (not shown) has to change together with this line.
$UpdateSQL = "UPDATE users SET password='".md5($NewPassword)."' WHERE id='".$objResult->user_id."'";
// NOTE(review): the return value is ignored, so a failed UPDATE cannot be
// told apart from a successful one here.
mysql_query($UpdateSQL,$mysql_connect);
// Mark the request as used and record the time and client address.
// NOTE(review): 'h' in date() is the 12-hour clock with no AM/PM marker;
// 'H' (24-hour) is probably intended for dtreset.
// NOTE(review): get_client_ip_env() is concatenated unescaped. If it reads
// client-supplied headers (not shown, confirm), escape or validate its value.
// NOTE(review): IsValidLink() does not test status, so a request marked
// 'used' here still validates until its four-hour window closes.
$UpdateSQL="UPDATE password_reset_requests SET status='used',dtreset='".date('Y-m-d h:i:s')."',ip='".get_client_ip_env()."' WHERE resetid=".$objResult->resetid;
mysql_query($UpdateSQL,$mysql_connect);
...
}
else
// The token validated but the lookup returned no row (or the query failed).
$ErrMsg = "System Error. Try again later";
}
else
{
// IsValidLink() returns false for unknown tokens as well as expired ones, so
// both cases get the "expired" message here.
$ErrMsg = "Reset password token has expired. please try again with new <a href=\"".$ForgotPass_URL."\">Forget Password</a>";
}
...
// Print the error message when there is one; otherwise print the success
// message if it is set. Both variables are presumably initialised earlier in
// the script (not shown).
if ($ErrMsg != "") {
    echo $ErrMsg;
} elseif ($SucMsg != "") {
    echo $SucMsg;
}
...
best way to get a success message with password changed