问:编辑新密码 PHP Mysql
Q: Edit New Password PHP Mysql
有人帮我写代码。我创建了一个包含当前密码、新密码和确认密码的编辑密码页面。这是我的代码:
edit_password.php
<form action="editpassword_process.php" method="post">
<table>
<tr class="form-group has-feedback has-success">
<td><h4>Current Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="currentpassword" name="currentpassword"></div></td> <!-- class="input-sm" required -->
<td><span id="messagebox"></span></td>
</tr>
<tr>
<td><h4>New Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword1" name="newpassword1"></div></td> <!-- required class="input-sm" -->
</tr>
<tr>
<td><h4>Confirm Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword2" name="newpassword2" onKeyUp="checkPass(); return false;"></div></td> <!-- required class="input-sm" -->
<span id="confirmMessage" class="confirmMessage"></span>
</tr>
</table>
<button class="btn btn-info">Submit</button>
</form>
这是我的 editpassword_process.php
代码
<?php
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
$res = mysql_query("SELECT user_password FROM `tbl_userlist` WHERE userid = '".$_SESSION['userid']."'");
if($currentpw != mysql_result($res, 0)){
echo "You entered an incorrect password";
}
if($newpw = $confirmnewpw){
$sql = mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'");
}
if($sql){
echo "You have successfully changed your password";
}
else{
echo "The new password and confirm pasword fields must be the same";
}
?>
当我点击提交时,会出现一个警告,显示验证成功但我的数据库没有更新。
提前致谢
您的代码有一些问题,但我将从您的用户密码未更新的原因开始。您尚未在代码中的任何地方启动会话。在任何使用会话的地方,都需要以以下方式启动它们:
session_start();
这应该是您打开 <?php 标签后要做的第一件事。
您在许多 if(){.. 比较块中分配 (=) 而不是比较 (==),这些将计算为 TRUE,运行条件。
糟糕的是,您使用的是已弃用的库。自 PHP7 起,所有 mysql_* 函数均已弃用并删除。最好通过学习这两个库中的任何一个来领先于 curve-ball:
它们中的任何一个都可以减轻您在当前 易受攻击的 代码中遇到的任何 SQL 注入。更不用说您以纯文本格式存储密码这一事实。想象一下 when (not if) 你的数据库的影响被黑了,希望这不是生产环境。
PHP 使密码散列变得超级简单,只需查看:
他们会整理您的密码散列。
为了简化您正在做的事情,这将是一个 PDO 示例以及您的密码散列,以向您展示实现您正在尝试做的事情是多么简单:
<?php
session_start();
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
// start your PDO object
$db = new PDO('mysql:host=localhost;dbname=DATABASE', 'username','password');
$statement = $db->prepare("SELECT user_password FROM `tbl_userlist` WHERE userid = :userid");
$statement->execute(array(':userid' => $_SESSION['userid']));
// check if we have a row
if ($statement->rowCount() > 0) {
$data = $statement->fetch(PDO::FETCH_ASSOC);
$current_password_hash = $data['user_password'];
// check current password is correct.
if (!password_verify($currentpw, $current_password_hash)) {
// wrong "current" password.
die("You entered an incorrect password");
}
// check that both passwords match.
if (trim($confirmnewpw) !== trim($newpw)) {
// new passwords dont match
die("The new password and confirm pasword fields must be the same");
}
// can only get here if passwords match.
// so hash the new password and store in the database.
$newpwhash = password_hash(trim($confirmnewpw), PASSWORD_BCRYPT, array('cost' => 11));
// now lets update table to add new password hash.
$update = $db->prepare("UPDATE tbl_userlist SET user_password = :newpwhash WHERE userid = :userid");
if($update->execute(array(':newpwhash' => $newpwhash, ':userid' => $_SESSION['userid']))) {
// password updated successfully.
die("You have successfully changed your password");
} else {
// failed to update, check logs to ammend.
die('Failed to update password.');
}
} else {
// wrong "current" password.
die("No password found for you...");
}
不用说,这意味着您也必须更改登录过程,但这很简单。您需要做的就是获取密码和安全带 password_verify(),瞧,您已经排序了。
(更不用说,更安全。)
更改以下内容
<?php
session_start(); // Start session as you are using it
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
$res = mysql_query("SELECT user_password FROM `tbl_userlist` WHERE userid = '".$_SESSION['userid']."'");
if($currentpw != mysql_result($res, 0)){
echo "You entered an incorrect password";
}
if($newpw = $confirmnewpw){ // Compare using == or ===
$sql = mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'");
// mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'", $connectionVar);
}
if($sql){ // Here You have not executed the query now use $connection->query($sql)
// OR mysql_query($connection,$sql); any other
echo "You have successfully changed your password";
}
else{
echo "The new password and confirm password fields must be the same";
} ?>
当您 运行 此代码时:
"UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'"
这意味着您使用会话中的标准用户 ID 更新 tbl_userlist。如果您使用代码 session_start();
启动会话,则可以使用会话中的值
有人帮我写代码。我创建了一个包含当前密码、新密码和确认密码的编辑密码页面。这是我的代码:
edit_password.php
<form action="editpassword_process.php" method="post">
<table>
<tr class="form-group has-feedback has-success">
<td><h4>Current Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="currentpassword" name="currentpassword"></div></td> <!-- class="input-sm" required -->
<td><span id="messagebox"></span></td>
</tr>
<tr>
<td><h4>New Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword1" name="newpassword1"></div></td> <!-- required class="input-sm" -->
</tr>
<tr>
<td><h4>Confirm Password</h4></td>
<td><div class="control-group input-lg"><input type="password" placeholder="" passfield="true" id="newpassword2" name="newpassword2" onKeyUp="checkPass(); return false;"></div></td> <!-- required class="input-sm" -->
<span id="confirmMessage" class="confirmMessage"></span>
</tr>
</table>
<button class="btn btn-info">Submit</button>
</form>
这是我的 editpassword_process.php
代码<?php
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
$res = mysql_query("SELECT user_password FROM `tbl_userlist` WHERE userid = '".$_SESSION['userid']."'");
if($currentpw != mysql_result($res, 0)){
echo "You entered an incorrect password";
}
if($newpw = $confirmnewpw){
$sql = mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'");
}
if($sql){
echo "You have successfully changed your password";
}
else{
echo "The new password and confirm pasword fields must be the same";
}
?>
当我点击提交时,会出现一个警告,显示验证成功但我的数据库没有更新。
提前致谢
您的代码有一些问题,但我将从您的用户密码未更新的原因开始。您尚未在代码中的任何地方启动会话。在任何使用会话的地方,都需要以以下方式启动它们:
session_start();
这应该是您打开 <?php 标签后要做的第一件事。
您在许多 if(){.. 比较块中分配 (=) 而不是比较 (==),这些将计算为 TRUE,运行条件。
糟糕的是,您使用的是已弃用的库。自 PHP7 起,所有 mysql_* 函数均已弃用并删除。最好通过学习这两个库中的任何一个来领先于 curve-ball:
它们中的任何一个都可以减轻您在当前 易受攻击的 代码中遇到的任何 SQL 注入。更不用说您以纯文本格式存储密码这一事实。想象一下 when (not if) 你的数据库的影响被黑了,希望这不是生产环境。
PHP 使密码散列变得超级简单,只需查看:
他们会整理您的密码散列。
为了简化您正在做的事情,这将是一个 PDO 示例以及您的密码散列,以向您展示实现您正在尝试做的事情是多么简单:
<?php
session_start();
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
// start your PDO object
$db = new PDO('mysql:host=localhost;dbname=DATABASE', 'username','password');
$statement = $db->prepare("SELECT user_password FROM `tbl_userlist` WHERE userid = :userid");
$statement->execute(array(':userid' => $_SESSION['userid']));
// check if we have a row
if ($statement->rowCount() > 0) {
$data = $statement->fetch(PDO::FETCH_ASSOC);
$current_password_hash = $data['user_password'];
// check current password is correct.
if (!password_verify($currentpw, $current_password_hash)) {
// wrong "current" password.
die("You entered an incorrect password");
}
// check that both passwords match.
if (trim($confirmnewpw) !== trim($newpw)) {
// new passwords dont match
die("The new password and confirm pasword fields must be the same");
}
// can only get here if passwords match.
// so hash the new password and store in the database.
$newpwhash = password_hash(trim($confirmnewpw), PASSWORD_BCRYPT, array('cost' => 11));
// now lets update table to add new password hash.
$update = $db->prepare("UPDATE tbl_userlist SET user_password = :newpwhash WHERE userid = :userid");
if($update->execute(array(':newpwhash' => $newpwhash, ':userid' => $_SESSION['userid']))) {
// password updated successfully.
die("You have successfully changed your password");
} else {
// failed to update, check logs to ammend.
die('Failed to update password.');
}
} else {
// wrong "current" password.
die("No password found for you...");
}
不用说,这意味着您也必须更改登录过程,但这很简单。您需要做的就是获取密码和安全带 password_verify(),瞧,您已经排序了。
(更不用说,更安全。)
更改以下内容
<?php
session_start(); // Start session as you are using it
include('connection.php');
$currentpw = $_POST['currentpassword'];
$newpw = $_POST['newpassword1'];
$confirmnewpw = $_POST['newpassword2'];
$res = mysql_query("SELECT user_password FROM `tbl_userlist` WHERE userid = '".$_SESSION['userid']."'");
if($currentpw != mysql_result($res, 0)){
echo "You entered an incorrect password";
}
if($newpw = $confirmnewpw){ // Compare using == or ===
$sql = mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'");
// mysql_query("UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'", $connectionVar);
}
if($sql){ // Here You have not executed the query now use $connection->query($sql)
// OR mysql_query($connection,$sql); any other
echo "You have successfully changed your password";
}
else{
echo "The new password and confirm password fields must be the same";
} ?>
当您 运行 此代码时:
"UPDATE tbl_userlist SET user_password = '$newpw' WHERE userid = '".$_SESSION['userid']."'"
这意味着您使用会话中的标准用户 ID 更新 tbl_userlist。如果您使用代码 session_start();