可能重复:
forget password page, creating a generated password to email to the user.
我正在尝试创建更改密码页面。下面的代码应该检查以确保用户在数据库中,确认当前密码并允许他们更改密码。它验证新密码是否正确检查以确保它们是相同且具有一定长度,但如果用户名不在数据库中并且它表示当前用户的密码,则它不会返回错误消息数据库错了。我认为它不能正确匹配哈希密码,但我不确定。任何人都可以帮我解决这些问题。谢谢。
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Change Password Confrim</title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$database = "User";
$er = mysql_select_db($db_username);
if (!$er)
{
print ("Error - Could not select the database");
exit;
}
//////////Collect the form data ////////////////////
$username =$_P0ST['username'];
$cur_password=$_POST['cur_password'];
$password=$_POST['password'];
$password2=$_POST['password2'];
/////////////////////////
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$username = mysql_real_escape_string($username);
$cur_password = mysql_real_escape_string($cur_password);
//Setting flags for checking
$status = "OK";
$msg="";
//Checking to see if password is at least 3 char max 8
if ( strlen($password) < 3 or strlen($password) > 15 )
{
$msg=$msg."Password must be more than 3 char legth and maximum 15 char lenght<br/>";
$status= "NOTOK";
}
//Checking to see if both passwords match
if ( $password <> $password2 )
{
$msg=$msg."Both passwords are not matching<br/>";
$status= "NOTOK";
}
$CorrectUser = mysql_query("SELECT * FROM User WHERE username ='$username' AND password = MD5('$cur_password')");
$row = mysql_fetch_array($CorrectUser);
if ($row['username'] == $username)
{
$status = "OK";
}
else {
print("Your username is not in the database. Please check that you enter the correct username and try again.");
$status = "NOTOK";
}
if ($row['cur_password'] == MD5('$cur_password'))
{
$status = "OK";
}
else
{
print("You entered the wrong current passowrd");
$status = "NOTOK";
}
if($status<>"OK"){
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else
{ // if all validations are passed.
if(mysql_query("UPDATE User SET password = MD5('$password') WHERE username ='$username'"))
{
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully.</font></center>";
}
else
{
echo "<font face='Verdana' size='2' color=red><center>Sorry <br> Failed to change password.</font></center>";
}
}
?>
<center>
<br><br><a href='Settings.html'>Settings Page</a></center>
</body>
</html>
答案 0 :(得分:2)
只需从SQL查询中删除AND password = MD5('$cur_password')
即可。这样您就可以找到用户密码是否正确。您的PHP测试$row['cur_password'] == MD5('$cur_password')
就足够了;你不需要把它放在你的SQL查询中。
答案 1 :(得分:0)
PHP专栏:
if ($row['cur_password'] == MD5('$cur_password'))
应该是
if ($row['cur_password'] == MD5($cur_password))
但是,您似乎已经在数据库中检查了密码。
此外,如果密码和密码2不匹配,则设置$ status ='NOTOK',但忽略该结果。即:如果您的密码不匹配&amp; password2,但是匹配的用户/密码,它仍然会更新。
除非您需要使用无盐MD5,否则添加盐可能是明智的。
答案 2 :(得分:0)
首先,这条线不行
$CorrectUser = mysql_query("SELECT * FROM User WHERE username ='$username' AND password = MD5('$cur_password')");
这样看......:
SELECT * FROM User WHERE username ='BOB' AND password = 32RE5446DDGDDDYHBD" <-- THE QUOTES ARE MISSING HERE
试试这样:
$CorrectUser = mysql_query("SELECT * FROM User WHERE username ='".$username."' AND password = '".MD5($cur_password)."'");
“隔离”变量是一种很好的做法,它避免了很多错误。