php更改密码脚本问题

时间:2011-04-22 06:32:22

标签: php mysql

我的网站会员部分有一个页面,允许用户更改密码。如果正确输入所有细节,它都能正常运行。

表格要求输入用户名,当前密码,新密码,确认新密码。

如果用户输入了错误的用户名,则表单不会更改其密码(按预期方式),而是将其指向确认页面而不是错误页面。

此外,如果用户输入了错误的密码,表单仍会更改密码并将其指向确认页面,而不是不更改密码并将其指向错误页面。

我的代码粘贴在下面,如果有人可以提供帮助,我会非常感激! 谢谢!

梅尔

php for change password form:

 <?php 

session_start();

$host="localhost"; // Host name 

$username="username"; // Mysql username 

$password="password"; // Mysql password 

$db_name="database"; // Database name 

$tbl_name="table"; // Table name 

// Connect to server and select databse.

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 

mysql_select_db("$db_name")or die("cannot select DB");



$username = $_POST['username'];

$password = $_POST['password'];

$newpassword = $_POST['newpassword'];

$repeatnewpassword = $_POST['repeatnewpassword'];


$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

if(!$result) 
{ 
    header("location:error1.php"); 
} 

if ($row = mysql_fetch_assoc($result))
{ 
     header("location:error.php"); 
} 

if($newpassword==$repeatnewpassword) 

    $sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'"); 

if($sql) 
{ 
        header("location:success.php");
}
else
{ 
   header("location:error3.php");
}  

?>

5 个答案:

答案 0 :(得分:1)

你的sql应该是这样的:

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");

答案 1 :(得分:1)

你的问题就在这里 - 

if(!$result)

当用户输入错误的用户名时,查询会在数据库中搜索该用户,但不会找到该用户。因此结果将包含空数据集,但查询仍然有效,因为您可以查询数据库并返回空数据集。因此,除非发生数据库错误,否则!$result检查将始终评估为真。

您应该执行以下操作 -

,而不仅仅是检查$ result 
if($newpassword==$repeatnewpassword) 
{
    // User's provided new password and repeatpassword matches, so keep going forward,
    // query the database.

    $result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

    if($result)
    {
        // Database query successful. Now check if that username exists in the database.
        if(mysql_num_rows($result) <= 0)
        {
            // user has provided wrong username, take action accordingly
        }
        else
        {
            // Username found, now check for old password match
            $row = mysql_fetch_array($result);

            if($password==$row['password'])
            {
                // User's old password matches with DB. So, update password and
                // forward him to confirmation page
            }
            else
            {
                // User's old password doesn't match with db. Show appropriate message
            }
        }
    }
    else
    {
        // Some DB error occurred. Handle it appropriately.
    }
}
else
{
    // User's new and repeat password don't match, so take action accordingly
}

<强> P.S。

您的网站容易受到SQL Injection攻击。您应该至少清理您的输入,如下所示 - 

$username = mysql_real_escape_string($_POST['username']);

$password = mysql_real_escape_string($_POST['password']);

$newpassword = mysql_real_escape_string($_POST['newpassword']);

$repeatnewpassword = mysql_real_escape_string($_POST['repeatnewpassword']);

要了解更多信息,请转到此处:mysql_real_escape_string() manual

同样以简单的旧文本格式将密码存储在数据库中是另一个坏主意。即使您不应该看到您网站的用户提供的密码。使用md5()函数到encrypt密码,然后将其存储在数据库中。

答案 2 :(得分:0)

if(isset($_POST['submit'])){

$sql = "SELECT * FROM $tbl_name WHERE ".
       "username='$username' AND password = '$password' LIMIT 1";


$result = mysql_query($sql);

$numrow = mysql_num_rows($result);

if($numrows != 1){ /**go to error page**/ }

}

答案 3 :(得分:0)

这个

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

和这个

 if ($row = mysql_fetch_assoc($result))
{ 
     header("location:error.php"); 
}

表示如果用户输入了正确的用户名,它将重定向到错误页面

更改为

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");

答案 4 :(得分:0)

我已经将您的代码编辑为更简化的方式。

你应该试试这个:: 

<?php 

session_start();

$host="localhost"; // Host name 

$username="username"; // Mysql username 

$password="password"; // Mysql password 

$db_name="database"; // Database name 

$tbl_name="table"; // Table name 

// Connect to server and select databse.

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 

mysql_select_db("$db_name")or die("cannot select DB");



$username = $_POST['username'];

$password = $_POST['password'];

$newpassword = $_POST['newpassword'];

$repeatnewpassword = $_POST['repeatnewpassword'];


$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '$password'");

if(!$result) 
{ 
    header("location:error1.php"); 
} 

if(mysql_num_rows($result)){
    if($newpassword==$repeatnewpassword){
        $sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");        
        if($sql) 
        { 
                header("location:success.php");
        }
        else
        {
            // In case when problem while updating your new password
           header("location:error3.php");
        }       
    } else {
        // In case when new-password and retype-password do not match
        header("location:error_password_not_matched.php");
    }
} else {
    // In case of you have not correct User name and password
    header("location:error.php"); 
}

?>
相关问题
最新问题