仅当更改密码时,才在数据库中编辑用户更改密码。我在这里缺少什么?

Edit user in DB change password only if password is changed. What I am missing here?

我正在使用 PHP 8.x 和一个管理控制面板,我想要实现的是如果我想编辑 user1 并且“密码”和“确认密码”字段为空“密码" 不应更改数据库中的行。

波纹管是我当前使用的 PHP 代码,但如果“密码”和“确认密码”字段为空行,数据库中的“密码”将更改为“0”空,用户将是能够在登录表单上使用 EMPTY 密码登录。

代码在这里:

if (isset($_POST['submit']))
{
    extract($_POST);
    if ($username == '')
    {
        $error[] = 'Please enter the username.';
    }
    if (strlen($password) > 0)
    {
        if ($password == '')
        {
            $error[] = 'Please enter the password.';
        }
        if (strlen($password) < 6)
        {
            $error[] = 'Please use a password that is at least 6 characters long';
        }
        if ($passwordConfirm == '')
        {
            $error[] = 'Please confirm the password.';
        }
        if ($password != $passwordConfirm)
        {
            $error[] = 'Passwords do not match.';
        }
    }
    if ($email == '')
    {
        $error[] = 'Please enter the email address.';
    }
    if ($role == '')
    {
        $error[] = 'Please confirm the roles.';
    }
    if (!isset($error))
    {
        try
        {
            if (isset($password))
            {
                $hashedpassword = $user->password_hash($password, PASSWORD_BCRYPT);
                //update into database
                if ($role == 'admin' || $role == 'manager') $private = 'yes';
                if ($role == 'user') $private = 'No';
                $stmt = $db->prepare('UPDATE web_users SET username = :username, password = :password, email = :email, role = :role, private = :private WHERE memberID = :memberID');
                $stmt->execute(array(
                    ':username' => $username,
                    ':password' => $hashedpassword,
                    ':email' => $email,
                    ':role' => $role,
                    ':private' => $private,
                    ':memberID' => $memberID
                ));
            }
            else
            {
                //update database
                if ($role == 'admin' || $role == 'manager') $private = 'yes';
                if ($role == 'user') $private = 'No';
                $stmt = $db->prepare('UPDATE web_users SET username = :username, email = :email, role = :role, private = :private WHERE memberID = :memberID');
                $stmt->execute(array(
                    ':username' => $username,
                    ':email' => $email,
                    ':role' => $role,
                    ':private' => $private,
                    ':memberID' => $memberID
                ));
            }
            //redirect to index page
            header('Location: users.php?action=updated');
            exit;
        }
        catch(PDOException $e)
        {
            echo $e->getMessage();
        }
    }
}
?>

这个逻辑是有缺陷的。您首先检查是否 strlen($password) > 0,如果为真,则检查是否 $password == '',如果为真,则仅记录密码输入为空的错误。

if (strlen($password) > 0)
{
    if ($password == '')
    {
        $error[] = 'Please enter the password.';
    }
    if (strlen($password) < 6)
    {
        $error[] = 'Please use a password that is at least 6 characters long';
    }
    if ($passwordConfirm == '')
    {
        $error[] = 'Please confirm the password.';
    }
    if ($password != $passwordConfirm)
    {
        $error[] = 'Passwords do not match.';
    }
}

$password == '' 永远不会为真,因为要使它为真,它的长度必须大于 0。换句话说,如果我是用户并将密码条目留空,if (strlen($password) > 0) 将导致错误,因为空密码条目的长度为 0,因此永远不会正确记录密码为空。

而不是做

if(isset($password)){
 
    /// logic 

}

这样做:

if(!empty($password)){
     
    /// logic

}