我正在构建此代码来更改简单登录系统的密码(我知道它并不十分安全)。现在,我正在对以下代码进行编码,但是当我执行该代码时,它会发出HTTP 500错误,因此我检查了错误,但找不到任何错误。我在PHP验证程序中输入了它。毫无疑问。你们中的任何人也许知道我现在没看见吗?
<?php
session_start();
if (isset($_POST['updatepassword'])) {
$user = $_POST['username'];
$mysqli = new mysqli('localhost', 'creatalo_mika', 'Temppass100_', 'creatalo_lscdb') or die("verbinding error");
$sql = $mysqli->query("SELECT * FROM users_table WHERE username='$user'") or die("selection error");
$row = mysqli_fetch_assoc($sql);
$dbpass = $row['password'];
$newpass = $_POST['password'];
$pass = $_POST['passwordold'];
$passen = md5(md5('dsgf'.$pass.'sadf'));
if ($passen == $dbpass) {
$newpass = md5(md5('dsgf'.$newpass.'sadf'));
$sql->query("UPDATE users_table SET password='$newpass' WHERE username='$user'") or die($mysqli->error);
header("location: ../index.php ") or die($mysqli->error);
} else {
header("location: ../index.php#notgood ") or die($mysqli->error);
}
}
答案 0 :(得分:0)
您在SQL injection,password hashing上遇到问题,您完全confused about die($mysqli->error),对此我不怪。我修复了您的问题,以向您展示代码的外观,但是,如果您要创建身份验证系统,则应该首先阅读有关安全性的更多信息。
session_start();
if (isset($_POST['updatepassword'])) {
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'creatalo_mika', 'Temppass100_', 'creatalo_lscdb');
$user = $_POST['username'];
$stmt = $mysqli->prepare("SELECT * FROM users_table WHERE username=?");
$stmt->bind_param('s', $user);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if (password_verify($_POST['passwordold'], $row['password'])) {
$newpass = password_hash($_POST['password'], PASSWORD_DEFAULT);
$stmt = $mysqli->prepare("UPDATE users_table SET password=? WHERE username=?");
$stmt->bind_param('ss', $newpass, $user);
$stmt->execute();
exit(header("location: ../index.php "));
} else {
exit(header("location: ../index.php#notgood "));
}
}
最重要的是启用错误报告: How to get the error message in MySQLi?