2

我有一个页面标题 changepassword.php ... 在这个页面中,用户可以更改他们的帐户密码。查询通过并给出它发送的消息,但是,数据库没有改变。密码和以前一样。我正在使用我不习惯的 sha1 哈希(第一次使用它)。有谁知道它发生了什么?谢谢!

    <?php

    session_start ();

    $user_name = $_SESSION['user_name'];

    if($user_name)
    {
    //user is logged in

    if(isset($_POST['submit']))
    {
    //check fields

    $oldpassword = $_POST['oldpassword'];
    $newpassword = $_POST['newpassword'];
    $repeatnewpassword = $_POST['repeatnewpassword'];

    //check password against db

    $connect=mysql_connect("localhost","root","passssssssword") or die();
    mysql_select_db("database") or die();

    $queryget= mysql_query ("SELECT user_pass FROM users WHERE user_name='$user_name'")         or die("Query didn't work.");
    $row = mysql_fetch_assoc ($queryget);

    $oldpassworddb = $row['user_pass'];

    //check passwords

if (sha1($oldpassword)==$oldpassworddb)
{
    if ($newpassword==$repeatnewpassword)
    {
        if (strlen ($newpassword)>25 || strlen ($newpassword)<6)
        {
        echo "Password must be between 6 and 25 characters";
        }
        else
        {
        //change password in db 

        $newpassword = sha1($newpassword);

        $querychange = mysql_query("UPDATE users SET         password='$newpassword' WHERE user_name='$user_name'");
        session_destroy();
        die ("Your password has been changed. <a         href='index.php'>Return</a> to the main page and login with your new password.");
        }

    }
    else
        die ("New passwords do not match!");

}
else
    die ("Old password is inncorrect!");

    }

    else
    {
    echo
    "<form action = 'changepassword.php' method = 'POST'>
    <table>
    <tr>
        <td>
    Old password: 
        </td>
        <td>
    <input type='text' name='oldpassword'><p>
        </td>
    </tr>
    <tr>
        <td>
    New password: 
        </td>
        <td>
    <input type='password' name='newpassword'>
        </td>
    </tr>
    <tr>
        <td>
    Repeat new password: 
        </td>
        <td>
    <input type='password' name='repeatnewpassword'>
        </td>
    </tr>
    <table>
    <input type='submit' name='submit' value='Change password'>
    </form>
    ";
    }


    }
    else
die("You must be logged in to change your password!");
    ?>
4

2 回答 2

5

查询_1:

SELECT user_pass FROM users WHERE user_name='$user_name'

您的查询_2:

UPDATE users SET **password**='$newpassword' WHERE user_name='$user_name'

但是,Query_2 应该是:

UPDATE users SET **user_pass**='$newpassword' WHERE user_name='$user_name'
于 2012-06-03T05:15:59.550 回答
1

不确定文字/单引号是否允许 PHP 插入变量。我通常也使用 sprintf。此外,通常您不想只检查用户名,而是用户名和旧密码。

"SELECT user_pass FROM users WHERE user_name='$user_name'"

应该是: $sql = sprintf("select user_pass from users where user_name = "%s",$user_name);

另外,如果你输出mysql_error(),你的“die()”会更好,即

  $connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die("cannot connect".mysql_error());

但是,可能最快的故障排除方法是在 mysql_query 上输入错误:

$sql = sprintf("UPDATE users SET  password="%s" WHERE user_name="%s"",$newpassword,$user_name);
$querychange = mysql_error($sql) or die ("Error updating: ".mysql_error());
于 2012-06-03T05:19:42.123 回答