我写这个脚本已经有一段时间了,但我做不好。。。。
我知道它正在连接,因为我可以在MySQL工作台中查看我的连接。这让我觉得我的UPDATE有问题。不管怎样,你们能看看它,告诉我你们的想法吗?
<?php
//Connecting to the MySQL Database thing
mysql_connect("localhost:3306", "****", "*******") or die(mysql_error());
mysql_select_db("microcrith") or die(mysql_error());
//runs the code if submitted
if (isset($_POST['submit'])) {
//makes sure there is no blank stuff
if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {
die('You did not complete all of the required fields');
}
//checking password to see if they match
if ($_POST['pass'] != $_POST['pass2']) {
die('Your passwords did not match. ');
}
//md5 encryption
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = addslashes($_POST['pass']);
$_POST['username'] = addslashes($_POST['username']);
}
$newpassword = $_POST['pass'];
$username = $_SESSION['username'];
//puts into database
$insert = mysql_query("UPDATE users SET password='$newpassword' WHERE username='$username'") or die(mysql_error());
$update_member = mysql_query($insert);
?>
<h1>Registered</h1>
<p>Thank you, you have changed password - you may now <a href="login.php">login</a>. </p>
<?php
}
else
{
?>
<center>
<body style="background-image: url('http://microcrith.com/background.png'); background-repeat: no-repeat; background-cover: 0 0; background-size: cover;">
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0">
<tr><td colspan=2 style="color:grey;"><h1>Profile</h1></td></tr>
<tr><td style="color:grey;">Username:</td><td>
<input type="text" name="username" maxlength="60">
</td></tr>
<tr><td style="color:grey;">Password:</td><td>
<input type="password" name="pass" maxlength="10">
</td></tr> <tr><td style="color:grey;">Confirm Password:
</td><td>
<input type="password" name="pass2" maxlength="10">
</td></tr>
<tr><th colspan=2><input type="submit" name="submit" value="Submit">
</th></tr>
</table>
</form>
</body>
</center>
<?php
}
?>
谢谢你花时间看这个。
更新:既然每个人都说这太不安全了,我就删除我的网站,重新开始。
我不确定这是否是问题所在,但试试这个:
$insert = mysql_query("UPDATE users SET password='".$password."' WHERE username='".$username."'") or die(mysql_error());
此外,更倾向于将准备好的语句与php数据对象一起使用,而不是使用mysql_*函数