此代码不会更改已登录用户的密码,而是更改为 0,然后不允许我重新登录。我知道 md5 不是最安全的,因为这不会只是项目的活动站点。但是,我愿意接受有关替代方案的建议。我在数据库中有两个字段,称为密码和密码2,一旦他们更改密码,就需要更改这两个字段。此外,错误消息不会显示。
<?php
session_start();
if (!isset($_SESSION["user_login"])) {
header("Location: sign_up.php");
} else {
$username = $_SESSION["user_login"];
}
include ("connect.php");
?>
<?php
//Variables
if(isset($_POST['change_pass_submit'])){
$oldpassword = $_POST['oldpassword'];
$newpassword1 = $_POST['newpassword1'];
$newpassword2 = $_POST['newpassword2'];
$pass_query = mysqli_query ($connect, "SELECT * FROM users WHERE email='$username'");
while ($row = mysqli_fetch_assoc($pass_query)) {
$existing_pass = $row ['password'];
//Checking if md5 encrypted password matches
$md5_oldpassword = md5($oldpassword);
//check if the old password and the old password entered now match
if ($md5_oldpassword == $existing_pass){
//check if the two new passwords match
if ($newpassword1 == $newpassword2) {
$md5_newpassword = md5($newpassword1);
$md5_newpassword2 = md5($newpassword2);
//Query to update the password
$password_update_query = mysqli_query($connect, "UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'");
echo "Your password has now changed!";
}
else{
echo "Your new password and re entered password does not match. Please try again.";
}
}
else {
echo "Your old password does not match. Please try again.";
}
}
}
?>
<div class="container">
<h3> Change your Password: </h3>
<form action="" method="POST" enctype="multipart/form-data">
<div class="form-group">
<label for="oldpassword">Old Password:</label>
<input type="oldpassword" class="form-control" name="oldpassword" placeholder="Enter old password" >
</div>
<div class="form-group">
<label for="newpassword1">New Password:</label>
<input type="newpassword1" class="form-control" name="newpassword1" placeholder="Enter new password" >
</div>
<div class="form-group">
<label for="newpassword2">New Password:</label>
<input type="newpassword2" class="form-control" name="newpassword2" placeholder="Re-Enter new password" >
</div>
<center>
<button type="submit" class="btn btn-primary" name="change_pass_submit" style=" background-color:#337AB7; color:white;">Change Password</button>
</center>
</form>
</div>
查询中出现错误:
"UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'"
它应该是:
"UPDATE users SET password='$md5_newpassword', password2='$md5_newpassword2' WHERE email='$username'"
但是,查询中的错误在这里不是大问题。最大的问题是你的代码非常不安全:
- 它容易受到SQL注入的影响:任何
有恶意的人都可以对你的数据库做任何他们喜欢的事情。你应该开始使用预准备语句(看看 PHP 中的 PDO)。 - 您的密码未正确散列!
使用 PHP 的内置函数:password_hash
和password_verify
而不是md5
(md5
哈希算法很旧。已经确定了它的几个问题。对于密码哈希,问题是它被设计为快速。快速意味着容易破解。快速意味着专用硬件每秒可以进行 3500 亿次猜测)。