允许用户更改密码
Allow user to change password
我试图让我网站的登录用户能够更改他们的密码,然后该密码将在我的数据库中更新。当我单击提交按钮时,我在 'where clause' 中得到 'Unknown column '[用户名]'。我尝试了多种方法,但似乎无法正常工作。我是 PHP 的初学者,所以没有广泛的技能,所以我不确定问题出在哪里。如果有人可以帮助我,我将不胜感激,谢谢。
<?php
session_start();
require_once ("db_connect.php");
require_once($_SERVER['DOCUMENT_ROOT'] . '/functions/functions.php');
$oldpw = ($_POST['oldpw']);
$newpw = ($_POST['newpw']);
$conpw = ($_POST['conpw']);
$currentpw = $_SESSION['password'];
if ($_POST['change'] == 'Change') {
if ($oldpw && $newpw && $conpw) {
if ($newpw == $conpw) {
if ($db_server){
mysqli_select_db($db_server, $db_database);
$oldpw = salt($currentpw);
// check whether username exists
$query = "SELECT password FROM users WHERE 'username'= '" . $_SESSION['username'] . "'";
$result = mysqli_query($db_server, $query);
if(!$result){
$message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
$newpw = salt($newpw);
$query = "UPDATE users SET password = '$newpw' WHERE username = " . $_SESSION['username'] . "";
mysqli_query($db_server, $query) or
die("Insert failed. " . mysqli_error($db_server));
$message = "<p class='message'>Your password has been changed!</p>";
// Process further here
mysqli_free_result($result);
}
}else{
$message = " <p class='message'>Your current password is incorrect.</p>";
}
}else{
$message = "<p class='message'>Your new passwords do not match.</p>";
}
}else{
$message = "<p class='message'>Please fill in all fields.</p>";
}
}
?>
这是我用过的html:
<form action='change-password.php' method='post' id="register-form">
<?php echo $message; ?>
<input class="password-field" type='password' name='oldpw' value='<?php echo $username; ?>' placeholder="Current Password"><br />
<input class="password-field" type='password' name='newpw' placeholder="New Password"><br />
<input class="password-field" type='password' name='conpw' placeholder="Confrim Password">
<input class="button" type='submit' name='change' value='Change' />
</form>
您面临的最初问题是 $_SESSION['username'] 和 $newpass 的 SQL 字符串值在 SQL 字符串中没有正确地用单引号引起来.关于何时以及如何在 SQL 语句中引用的 运行-down,请查看 When to use single quotes, double quotes, backticks in MySQL.
总是在开发代码时打开错误报告。在脚本的顶部:
// Disable this when your code is live...
error_reporting(E_ALL);
ini_set('display_errors', 1);
所以使用您当前的代码,引用 字符串 而不是 列名称 将如下所示。
$oldpw = salt($currentpw);
// check whether username exists
$query = "SELECT password FROM users WHERE username= '" . $_SESSION['username'] . "' AND password='$oldpw'";
//----------------------------------no quotes^^^^^^^--single-quotes^^^^^^^^^^^^^^^^
// Also adds a check that $oldpass is correct!
$result = mysqli_query($db_server, $query);
if(!$result){
// This is ambiguous. It should probably show an error related to the query, not connection
$message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
// This should only be done if a row was returned previously
// Test with mysqli_num_rows()
if (mysqli_num_rows($result) > 0) {
$newpw = salt($newpw);
// Adds single quotes to the username here too...
$query = "UPDATE users SET password = '$newpw' WHERE username = '" . $_SESSION['username'] . "'";
mysqli_query($db_server, $query) or
die("Insert failed. " . mysqli_error($db_server));
$message = "<p class='message'>Your password has been changed!</p>";
// Process further here
mysqli_free_result($result);
}
else {
// Username or password was incorrect - do something about that
}
}
这可以进一步改进 using prepared statements. Your hashed password should be safe from SQL injection, but it is highly recommended to get into the habit of using prepared statements,因为它们对于字符串直接从用户输入派生的其他情况是必要的,以提供足够的保护以防止 SQL 注入。
看起来像:
// Prepare the select statement to check username and old password
$stmt = mysqli_prepare($db_server, "SELECT password FROM users WHERE username = ? AND passowrd = ?");
if ($stmt) {
// Bind parameters and execute it
$stmt->bind_param('ss', $_SESSION['username'], $oldpw);
$stmt->execute();
// num_rows works here too...
if ($stmt->num_rows > 0) {
// Ok to update...
// Prepare another statement for UPDATE
$stmt2 = mysqli_prepare($db_server, "UPDATE users SET password = ? WHERE username = ?");
if ($stmt2) {
// Bind and execute
$stmt2->bind_param('ss', $newpass, $_SESSION['username']);
$stmt->execute();
}
// Error updating
else echo mysqli_error($db_server);
}
}
// Error selecting
else echo mysqli_error($db_server);
我试图让我网站的登录用户能够更改他们的密码,然后该密码将在我的数据库中更新。当我单击提交按钮时,我在 'where clause' 中得到 'Unknown column '[用户名]'。我尝试了多种方法,但似乎无法正常工作。我是 PHP 的初学者,所以没有广泛的技能,所以我不确定问题出在哪里。如果有人可以帮助我,我将不胜感激,谢谢。
<?php
session_start();
require_once ("db_connect.php");
require_once($_SERVER['DOCUMENT_ROOT'] . '/functions/functions.php');
$oldpw = ($_POST['oldpw']);
$newpw = ($_POST['newpw']);
$conpw = ($_POST['conpw']);
$currentpw = $_SESSION['password'];
if ($_POST['change'] == 'Change') {
if ($oldpw && $newpw && $conpw) {
if ($newpw == $conpw) {
if ($db_server){
mysqli_select_db($db_server, $db_database);
$oldpw = salt($currentpw);
// check whether username exists
$query = "SELECT password FROM users WHERE 'username'= '" . $_SESSION['username'] . "'";
$result = mysqli_query($db_server, $query);
if(!$result){
$message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
$newpw = salt($newpw);
$query = "UPDATE users SET password = '$newpw' WHERE username = " . $_SESSION['username'] . "";
mysqli_query($db_server, $query) or
die("Insert failed. " . mysqli_error($db_server));
$message = "<p class='message'>Your password has been changed!</p>";
// Process further here
mysqli_free_result($result);
}
}else{
$message = " <p class='message'>Your current password is incorrect.</p>";
}
}else{
$message = "<p class='message'>Your new passwords do not match.</p>";
}
}else{
$message = "<p class='message'>Please fill in all fields.</p>";
}
}
?>
这是我用过的html:
<form action='change-password.php' method='post' id="register-form">
<?php echo $message; ?>
<input class="password-field" type='password' name='oldpw' value='<?php echo $username; ?>' placeholder="Current Password"><br />
<input class="password-field" type='password' name='newpw' placeholder="New Password"><br />
<input class="password-field" type='password' name='conpw' placeholder="Confrim Password">
<input class="button" type='submit' name='change' value='Change' />
</form>
您面临的最初问题是 $_SESSION['username'] 和 $newpass 的 SQL 字符串值在 SQL 字符串中没有正确地用单引号引起来.关于何时以及如何在 SQL 语句中引用的 运行-down,请查看 When to use single quotes, double quotes, backticks in MySQL.
总是在开发代码时打开错误报告。在脚本的顶部:
// Disable this when your code is live...
error_reporting(E_ALL);
ini_set('display_errors', 1);
所以使用您当前的代码,引用 字符串 而不是 列名称 将如下所示。
$oldpw = salt($currentpw);
// check whether username exists
$query = "SELECT password FROM users WHERE username= '" . $_SESSION['username'] . "' AND password='$oldpw'";
//----------------------------------no quotes^^^^^^^--single-quotes^^^^^^^^^^^^^^^^
// Also adds a check that $oldpass is correct!
$result = mysqli_query($db_server, $query);
if(!$result){
// This is ambiguous. It should probably show an error related to the query, not connection
$message = "<p class='message'>Error: Coud not connect to the database.</p>" ;
}else{
// This should only be done if a row was returned previously
// Test with mysqli_num_rows()
if (mysqli_num_rows($result) > 0) {
$newpw = salt($newpw);
// Adds single quotes to the username here too...
$query = "UPDATE users SET password = '$newpw' WHERE username = '" . $_SESSION['username'] . "'";
mysqli_query($db_server, $query) or
die("Insert failed. " . mysqli_error($db_server));
$message = "<p class='message'>Your password has been changed!</p>";
// Process further here
mysqli_free_result($result);
}
else {
// Username or password was incorrect - do something about that
}
}
这可以进一步改进 using prepared statements. Your hashed password should be safe from SQL injection, but it is highly recommended to get into the habit of using prepared statements,因为它们对于字符串直接从用户输入派生的其他情况是必要的,以提供足够的保护以防止 SQL 注入。
看起来像:
// Prepare the select statement to check username and old password
$stmt = mysqli_prepare($db_server, "SELECT password FROM users WHERE username = ? AND passowrd = ?");
if ($stmt) {
// Bind parameters and execute it
$stmt->bind_param('ss', $_SESSION['username'], $oldpw);
$stmt->execute();
// num_rows works here too...
if ($stmt->num_rows > 0) {
// Ok to update...
// Prepare another statement for UPDATE
$stmt2 = mysqli_prepare($db_server, "UPDATE users SET password = ? WHERE username = ?");
if ($stmt2) {
// Bind and execute
$stmt2->bind_param('ss', $newpass, $_SESSION['username']);
$stmt->execute();
}
// Error updating
else echo mysqli_error($db_server);
}
}
// Error selecting
else echo mysqli_error($db_server);