-3

可能重复:
从我的站点获取 MYSQL 错误

我主持了一个bux 网站CrimsonBux.Com。一切都与脚本一起工作得很好。我对密码恢复页面http://crimsonbux.com/login.php?option=forgot只有一个问题。在页面上输入电子邮件地址和验证码后,用户将被重定向到此页面http://crimsonbux.com/recover.php。在recover.php 页面中,用户面临错误。下面列出了错误。

Warning: mysql_query() [function.mysql-query]: Access denied for user 'crimst1d'@'localhost' (using password: NO) in /home/crimst1d/public_html/recover.php on line 19

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/crimst1d/public_html/recover.php on line 19

在这里,我的站点无法连接到 MySQL 数据库。如何连接?

这是我对recover.php 页面的配置。

<?
/**********************************************************************************************************************************************
    ScriptBux Version 2.50 beta
    This Script has been created and coded by Gabrola and edited by hassan ahmady.
    If you find any bugs in the script report at support@thealternatif.info or contact hassan ahmady.
    Copywrite ScriptBux 2008;
    Please make donations if you use this sript for commercial use
    to My paypal account "bisnis-usd@plasa.com"
************************************************************************************************************************************************/

?>

<h3>Forgot Password</h3>
<?php
if($_POST)
{
  $code = $_POST["code"];
  $email = $_POST["email"];
  $emailx = mysql_query("SELECT COUNT(*) AS cnt FROM tb_users WHERE email='{$_POST['email']}'");
  $emailx = mysql_fetch_array($emailx);
  $emailx = $emailx["cnt"];
  $errormsg = false;
  if($_SESSION['string'] != $code)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The captcha was entered incorrectly.<br />";
  }
  if(!$code)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The captcha was entered incorrectly.<br />";
  }
  if(!$email)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The email was not supplied.<br />";
  }
  if(!$emailx)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> No account was found with that email address.<br />";
  }
  if($_SESSION['next_reseptsend'] != 0)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> You have already made a password retrieval within the last 15 minutes.<br />";
  }
  $_SESSION['string'] = false;
  if($error)
  {
    print $errormsg."<br><br>";
  } else {
    $s = mysql_query("SELECT * FROM tb_users WHERE email='{$_POST['email']}'");
    $x = mysql_fetch_array($s);
    $_SESSION['next_reseptsend'] = 1;
    $message = "Hello {$x['username']},
    You requested to resend your account password a while ago.

    Account Username: {$x['username']}
    Account Password: {$x['password']}

    We hope you can have a good time earning your money again,

    Thanks,
    {$config['site_name']}";
    mail($x["email"],"Password Retrieval - ".$config["site_name"],$message,"From: mail@".$_SERVER['HTTP_HOST']);
    print "<b>Password Sent!</b><br />
    We have dispatched your password to your email address.<br />
    You can only make another account retrieval again in 15 minutes.<br />";
  }
}
?>

<div style="padding-left:25px;">
<form action="recover.php" method="post" name="resend">
<table>
<tr><td class="midtext">Your Email:</td><td><input type="text" name="email" size="25" class="form" autocomplete="off" value="<?=$_POST['email']?>"></td></tr>
<tr><td class="midtext" valign="top">Security Code:</td><td class="midtext"><img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();"><br /><span style="font-size:10px;">(Click to reload)</span><br /><input type="text" name="code" size="17" maxlength="" autocomplete="off" class="form"></td></tr>
<tr><td></td><td align="right"><input type="submit" value="Login" name="loginsubmit"  class="inputbox"></td></tr>
</table>
</form>
</div>

<?php

?>
4

2 回答 2

1

您需要将用户添加到数据库以及脚本可以通过mysql_connect和连接到的数据库mysql_select_db

放在脚本的顶部:

mysql_connect('localhost', 'username', 'password');
mysql_select_db('database name');
于 2012-05-26T11:44:17.203 回答
0

以下是解决安全漏洞的方法。改变这个:

$emailx = mysql_query("SELECT COUNT(*) AS cnt FROM tb_users WHERE email='{$_POST['email']}'");

对此:

$emailUntainted = mysql_real_escape_string($_POST['email']);
$emailx = mysql_query("
    SELECT COUNT(*) AS cnt
    FROM tb_users
    WHERE email='{$emailUntainted}'
");

你有两个要修复;也做一些阅读,以了解为什么这是必要的:)

发布脚本:正如@Esailija 所说,最好使用 PDO 和准备好的语句,但这需要您进行更多的学习。快速进行此修复,然后尽可能切换到 PDO。

于 2012-05-26T11:57:48.340 回答