使用会话更改一个用户的密码页面
Change password page for one user with session
我正在尝试为练习制作更新密码页面。我创建了一个旧密码字段、一个新密码字段和一个重复密码字段。
我自己创建了这个。如果你们能告诉我我的代码中的错误是什么导致我无法使页面正常工作,我会很高兴。知道在安全方面我可以做得更好也会很有趣。(我也有一个登录、注册、欢迎页面,一切正常)
问候
session.php:
<?php
include('connection.php');
session_start();
$user_check = $_SESSION['login_user'];
$ses_sql = mysqli_query($db,"select * from clients where email = '$user_check'");
$row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);
$_SESSION['email']=$row['email'];
$_SESSION['username']=$row['username'];
$_SESSION['firstname']=$row['firstname'];
$_SESSION['lastname']=$row['lastname'];
$_SESSION['birthdate']=$row['birthdate'];
$_SESSION['street']=$row['street'];
$_SESSION['streetnr']=$row['streetnr'];
$_SESSION['city']=$row['city'];
$_SESSION['plzz']=$row['plzz'];
if(!isset($_SESSION['login_user'])){
header("location:http://localhost:81/Left_over_youth_website/pages/login.php");
}
?>
Connection.php:
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'leftoveryouth');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
changepd:
<?php
include("../php/session.php");
?>
<html>
<head>
<title>Forgot Password</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7; IE=EDGE" />
<meta content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no, minimal-ui" name="viewport">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script type="text/javascript" src="../scripts/newpd.js"></script>
<link rel="stylesheet" href="../css/changepd.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
</head>
<body class="img">
<div class="placeholder">
<h1 class="logo"><a href="/index.html"class="alogo">Leftover Youth</a></h1>
<img class="logoo" src="../img/logoo.png" alt="firstimage">
<form class="form">
<hr class="verticalline">
<input class="oldpd" id="oldpd" value="Old Password"
onblur="this.value'Old Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}">
<input class="newpd shine" id="newpd" value="New Password"
onblur="this.value'New Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='New Password'){this.value=''; this.type='password'}">
<input class="repeatpd shine" id="repeatpd" value="Repeat Password"
onblur="this.value'Repeat Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='Repeat Password'){this.value=''; this.type='password'}">
<p hidden style="color:red;" id="pdontmatch">☒ Password doesn't match</p>
<p hidden style="color:lightgreen;" id="pmatch">☑ Password matches</p>
<?php
if($_SERVER["REQUEST_METHOD"] == "POST") {
$myoldpassword = sha1($_POST['oldpd']);
$newpassword = sha1($_POST['newpd']);
$repeatpassword = sha1($_POST['repeatpd']);
$sql = "SELECT password FROM clients WHERE password = '$myoldpassword'";
$result = mysqli_query($db,$sql);
if($result){
if($newpassword===repeatpassword){
$_SESSION["password"] = $newpassword;
$update = "UPDATE CLIENTS SET password = mynewpassword";
header("location:http://localhost:81/Left_over_youth_website/php/logout.php");
}
else{
echo('<p>password not updated</p>');
}
}
}
?>
<input id="button" type="button" value="Submit" onclick="ausgabe(); marginn();">
<script>
function marginn(){
document.getElementById('button').style.marginTop = "5px";
}
</script>
</form>
</div>
</body>
</html>
如果您需要进一步的说明或代码,请告诉我。
-编辑-
cause i somehow cant make the page work.
您编辑了问题并添加了该行。我以为你只是在寻找有关安全的建议。究竟是什么不起作用?
每次将变量嵌入到 SQL 注入攻击中
你的查询。 where email = '$user_check'")。
您应该改用参数化查询。 http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
https://phpdelusions.net/pdo
不要使用 SHA1 进行密码散列 - 它不安全。
Secure hash and salt for PHP passwords.
不要在会话中存储非常敏感的数据(如密码)。
$_SESSION["password"] = $newpassword; 即使会话
驻留在服务器上,数据通常存储在文件中,可以是
被其他用户访问,尤其是在共享主机中使用时
环境。
email是主键吗?否则,您的查询将 return 多个
行,然后您将访问 PHP.
中的随机行
mysqli_query($db,"select * from clients where email = '$user_check'");
确保$row存在并且在使用前不为空。什么
如果您输入 non-existent 电子邮件地址会怎样?
通过使用 JS 检查该值是否为默认值,您增加了不必要的复杂性。
onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}"
相反,只需使用占位符属性。
https://html.com/attributes/input-placeholder/
我正在尝试为练习制作更新密码页面。我创建了一个旧密码字段、一个新密码字段和一个重复密码字段。 我自己创建了这个。如果你们能告诉我我的代码中的错误是什么导致我无法使页面正常工作,我会很高兴。知道在安全方面我可以做得更好也会很有趣。(我也有一个登录、注册、欢迎页面,一切正常) 问候 session.php:
<?php
include('connection.php');
session_start();
$user_check = $_SESSION['login_user'];
$ses_sql = mysqli_query($db,"select * from clients where email = '$user_check'");
$row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);
$_SESSION['email']=$row['email'];
$_SESSION['username']=$row['username'];
$_SESSION['firstname']=$row['firstname'];
$_SESSION['lastname']=$row['lastname'];
$_SESSION['birthdate']=$row['birthdate'];
$_SESSION['street']=$row['street'];
$_SESSION['streetnr']=$row['streetnr'];
$_SESSION['city']=$row['city'];
$_SESSION['plzz']=$row['plzz'];
if(!isset($_SESSION['login_user'])){
header("location:http://localhost:81/Left_over_youth_website/pages/login.php");
}
?> Connection.php:
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_DATABASE', 'leftoveryouth');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
changepd:
<?php
include("../php/session.php");
?>
<html>
<head>
<title>Forgot Password</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7; IE=EDGE" />
<meta content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no, minimal-ui" name="viewport">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script type="text/javascript" src="../scripts/newpd.js"></script>
<link rel="stylesheet" href="../css/changepd.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
</head>
<body class="img">
<div class="placeholder">
<h1 class="logo"><a href="/index.html"class="alogo">Leftover Youth</a></h1>
<img class="logoo" src="../img/logoo.png" alt="firstimage">
<form class="form">
<hr class="verticalline">
<input class="oldpd" id="oldpd" value="Old Password"
onblur="this.value'Old Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}">
<input class="newpd shine" id="newpd" value="New Password"
onblur="this.value'New Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='New Password'){this.value=''; this.type='password'}">
<input class="repeatpd shine" id="repeatpd" value="Repeat Password"
onblur="this.value'Repeat Password':this.value;"
onfocus="this.select()"
onclick="if (this.value=='Repeat Password'){this.value=''; this.type='password'}">
<p hidden style="color:red;" id="pdontmatch">☒ Password doesn't match</p>
<p hidden style="color:lightgreen;" id="pmatch">☑ Password matches</p>
<?php
if($_SERVER["REQUEST_METHOD"] == "POST") {
$myoldpassword = sha1($_POST['oldpd']);
$newpassword = sha1($_POST['newpd']);
$repeatpassword = sha1($_POST['repeatpd']);
$sql = "SELECT password FROM clients WHERE password = '$myoldpassword'";
$result = mysqli_query($db,$sql);
if($result){
if($newpassword===repeatpassword){
$_SESSION["password"] = $newpassword;
$update = "UPDATE CLIENTS SET password = mynewpassword";
header("location:http://localhost:81/Left_over_youth_website/php/logout.php");
}
else{
echo('<p>password not updated</p>');
}
}
}
?>
<input id="button" type="button" value="Submit" onclick="ausgabe(); marginn();">
<script>
function marginn(){
document.getElementById('button').style.marginTop = "5px";
}
</script>
</form>
</div>
</body>
</html>
如果您需要进一步的说明或代码,请告诉我。
-编辑-
cause i somehow cant make the page work.
您编辑了问题并添加了该行。我以为你只是在寻找有关安全的建议。究竟是什么不起作用?
每次将变量嵌入到 SQL 注入攻击中 你的查询。
where email = '$user_check'")。 您应该改用参数化查询。 http://php.net/manual/en/mysqli.quickstart.prepared-statements.php https://phpdelusions.net/pdo不要使用 SHA1 进行密码散列 - 它不安全。 Secure hash and salt for PHP passwords.
不要在会话中存储非常敏感的数据(如密码)。
$_SESSION["password"] = $newpassword;即使会话 驻留在服务器上,数据通常存储在文件中,可以是 被其他用户访问,尤其是在共享主机中使用时 环境。email是主键吗?否则,您的查询将 return 多个 行,然后您将访问 PHP.
中的随机行mysqli_query($db,"select * from clients where email = '$user_check'");确保
$row存在并且在使用前不为空。什么 如果您输入 non-existent 电子邮件地址会怎样?通过使用 JS 检查该值是否为默认值,您增加了不必要的复杂性。
onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}"相反,只需使用占位符属性。 https://html.com/attributes/input-placeholder/