我把下面的代码放在一起。但是由于某些原因,它拒绝更新数据库,并且无论输入什么,它都一直回显$error "Your current password is incorrect"。
下面是changepassword.php的主要代码
<?php
include 'core/init.php'; //connection to database and checks user sessions
protect_page(); //useres not loged in cannot access this page
if (empty($_POST) === false) {
$required_fields = array('current_password', 'password', 'password_again');
foreach($_POST as $key=>$value) {
if (empty($value) && in_array($key, $required_fields) === true) {
$errors[] = 'All fields marked with an * are required.'; //check that all fields are completed
break 1;
}
}
if (md5($_POST['current_password']) === $user_data['password']) { //if equal to current password
if (trim($_POST['password']) !== trim($_POST['password_again'])) {
$errors[] = 'Your new passwords do not match';
} else if (strlen($_POST['password']) < 6) {
$errors[] = 'Your password must be at least 6 characters';
}
} else {
$errors[] = 'Your current password is incorrect'; //else append error
}
}
include 'includes/overall/header.php';
?>
<h1>Change Password</h1>
<p>Change your account password here.</p>
<?php
if (isset($_GET['success']) && empty($_GET['success'])) {
echo 'Your password has been changed';
} else {
if (empty($_POST) === false && empty($errors) === true) {
change_password($session_user_id, $_POST['password']);
header('Location: changepassword.php?success');
} else if (empty($errors) === false) {
echo output_errors($errors);
}
?>
<form action="" method="post">
<ul>
<li>
Current Password*:<br>
<input type="password" name"current_password">
</li>
<li>
New Password*:<br>
<input type="password" name"password">
</li>
<li>
New Password Again*:<br>
<input type="password" name"password_again">
</li>
<li>
<input type="submit" name="Change Password" />
</li>
</ul>
</form>
<?php
}
include 'includes/overall/footer.php'; ?>
下面是changepassword函数
//change password function
function change_password($membersID, $password) {
$membersID = (int)$membersID;
$password = md5($password);
//update password in database
mysql_query("UPDATE`members` SET`password` = '$password' WHERE`membersID` = $membersID");
}
user_data在这里声明
//user data variable to pass in sessionID and thus pass in their other details
if (logged_in() === true) {
$session_user_id = $_SESSION['membersID']; //picking up the particular user
$user_data = user_data($session_user_id, 'membersID', 'username','password', 'forename', 'surename', 'email', 'age'); //picks up the fields declared here - MAKE SURE TO PASS ALL paramameters you need to output.
if (user_active($user_data['username']) === false) {
session_destroy();
header('Location: index.php');
exit();
}
}
对不起,我的第一个答案是错误的,但是关于MD5的警告仍然有效:
请记住,你的密码模式是非常不安全的,有一些重要的地方你应该改进。
- 哈希函数MD5不适合对密码进行哈希,因为它的速度太快了,不如使用慢速的密钥派生函数BCrypt。我想邀请你,在我的
- 只有在没有的情况下才可以直接比较密码哈希使用了盐。无盐MD5散列并不比存储安全多少明文密码。用少于7个字符的密码破解你的整个数据库只需要几秒钟。
- mysql*函数已弃用,建议使用
PDO
或mysqli
代替。请记住,通常您必须在SQL语句(准备语句或mysqli_real_escape_string()
)中转义字符串值。你的例子是安全的,因为MD5的输出总是安全的。
查询缺少引号。
function change_password($membersID, $password) {
$membersID = (int)$membersID;
$password = mysql_real_escape_string(md5($password));
//update password in database
mysql_query("UPDATE members SET password = '$password' WHERE membersID = '$membersID';");
if (mysql_affected_rows > 0) {
return true;
} else {
return false;
}
}
if (empty($_POST) === false && empty($errors) === true) {
if(change_password($session_user_id, $_POST['password'])) {
// Redirect if change_password returns true
header('Location: changepassword.php?success');
} else {
// Give some error message
}
} else if (empty($errors) === false) {
echo output_errors($errors);
}
尝试这些更改,如果change_password函数返回false,我不知道你想用什么方式处理错误