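I have PHP code for changing a user's password. But after I tried the code... when I submit the new password... the new password is exposed in the SQL database... I want it to be an md5-encoded password. Can you help me solve this problem?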
if($_REQUEST['do'] == 'edit')
{
    $title = 'change password';
    $page = $_POST['page'];
    $userId = safe($_POST['userId']);
    $passwd = safe($_POST['password']);
    $email = safe($_POST['Email']);
    $passw2 = $_POST['password2'];
    // the current password must match the MD5 digest held in the session
    if(md5($passwd) == $_SESSION['user']['password'])
    {
        if(empty($passw2))
        {
            $pass = $_SESSION['user']['password'];
        }
        else
        {
            // the new password is used exactly as submitted
            $pass = $passw2;
        }
        $query = $db->query("UPDATE users SET email = '".$email."' , password = '".$pass."' WHERE Id = '".$userId."' ");
        if($query)
        {
            $msg = "password changed successfully";
        }
    }
}
Replace
$pass = $passw2;
with
$pass = hash('md5', $passw2);
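$_SESSION['user']['password'] is (presumably) encoded as MD5, but the passw2 obtained from the user form is plaintext.
You need to change
$pass = $passw2;
to
$pass = md5($passw2);
to encode the password as md5 before submitting it to the database. Also update $_SESSION['user']['password'] with the new password, otherwise the user can only change the password once in the same session.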
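Both answers store an MD5 digest, which is unsalted and fast to compute, so leaked rows are cheap to brute-force; PHP's built-in password_hash() and password_verify() are the functions designed for password storage. The following is an added example, not code from the question or the answers, showing the same change-password step with those functions, bound query parameters, and an upgrade path for rows that still hold MD5. It keeps the question's users table and column names; change_password() and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: verify the current password, then store the new one
// as a salted password_hash() string. Rows that still hold an unsalted MD5
// digest (as in the question) are accepted once and upgraded on change.
function change_password(PDO $db, int $userId, string $current, string $new): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE Id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                          // unknown user or empty column
    }

    // 32 hex characters = legacy MD5 row; otherwise a password_hash() string.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($current))  // constant-time comparison
        : password_verify($current, $stored);
    if (!$ok || $new === '') {
        return false;
    }

    // Values are bound as parameters, never concatenated into the SQL text.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE Id = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
}

// Constructed demo data: one user whose row still contains an MD5 digest.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')
   ->execute(['user@example.test', md5('old-secret')]);

var_dump(change_password($db, 1, 'wrong-guess', 'n3w-passphrase')); // wrong current password
var_dump(change_password($db, 1, 'old-secret', 'n3w-passphrase'));  // legacy MD5 row
var_dump(change_password($db, 1, 'n3w-passphrase', 'another-one')); // password_hash() row
```

Because the current password is checked against the database row, the hash no longer needs to be kept in $_SESSION.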