php - MySQL 数据库未更新

Question

（请忽略 md5 不是最安全的事实，mysql_* 功能已过时等 - 这不会在任何网站上上线！）

所以，我目前有一个系统，用户可以在其中进入恢复密码页面并输入他们的电子邮件。它会向他们发送一封电子邮件，其中包含恢复密码的链接。这个链接如下：

http://www.example.com/recover_password.php?username=（这里的用户名）&recover_password=（这里的代码）。

该代码是在注册时随机生成的，并且可以很好地存储在数据库中。但是，我在尝试让他们从上面的链接中更改它时遇到问题。这是recover_password.php 页面：

<?php
include 'core/init.php';

$username = (isset($_GET['username']));
$password_recovery = (isset($_GET['password_recovery']));

if (isset($_GET['success']) && empty($_GET['success'])) {
    echo 'Your password has been changed. You may now proceed to log in.';
    die();
} else {

if (password_recovery_exists($password_recovery) === true && (user_exists($username) === true)) {
    if (empty($_POST) === false) {
        $required_fields = array('password', 'password_again');
        foreach($_POST as $key=>$value) {
            if (empty($value) && in_array($key, $required_fields) === true) {
                $errors[] = 'You missed a field!';
                break 1;
            }
        }
            if (trim($_POST['password']) !== trim($_POST['password_again'])) {
                $errors[] = 'Your new passwords do not match';
            } else if (strlen($_POST['password']) < 6) {
                $errors[] = 'Your password must be at least 6 characters long.';
            }
        }
        if (empty($_POST) === false && empty($errors) === true) {
            password_recovery($username, $_POST['password']);
            header('Location: recover_password.php?success');
        }   else {
                echo output_errors($errors);
        }
    }
?>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Liste - Login</title>
<link rel="stylesheet" type="text/css" href="css/style.css">
</head>
<body>
<form action="" method="post">          
        <label for="password"><b><center>New Password:</label><br >
        <input type="password" name="password" size="30"><br />

        <label for="password_again"><b><center>Re-enter New Password:</label><br >
        <input type="password" name="password_again" size="30"><br />

        <input type="submit" value="Change Password"><br /><br />
</form>
</center>
</body>
</html>

<?php
}
?>

首先，最大的问题是当他们点击“更改密码”时没有显示错误信息，但是密码没有在数据库中更新，导致我认为密码恢复功能有问题：

function password_recovery($username, $password) {
    $username = sanitize($username);
    $password = md5($password);

    mysql_query("UPDATE `users` SET `password` = '$password' WHERE `username` = '$username'");

我不确定该函数是否存在问题，或者变量是否实际被发送或什么，因此将不胜感激:)

我还想知道检查“用户名”和“密码恢复”（来自链接）是否来自数据库中的同一行的语法是什么？

我知道这段代码是一团糟，过时等，但非常感谢您的帮助:)

多谢你们！

score 0 · Accepted Answer

这应该有效：

<?php
include 'core/init.php';

function password_recovery($username, $password) {
    $username = mysql_real_escape_string(sanitize($username));
    $password = md5($password);

    mysql_query("UPDATE `users` SET `password` = '" . $password . "' WHERE `username` = '" . $username . "'");
}

$username = (isset($_SESSION['username']) ? $_SESSION['username'] : false);
$password_recovery = (isset($_POST['password_recovery']) ? $_POST['password_recovery'] : false);

if (isset($_GET['success']) && empty($_GET['success'])) {
    echo 'Your password has been changed. You may now proceed to log in.';
    die();
} else {

    if (password_recovery_exists($password_recovery) === true && (user_exists($username) === true)) {
        if (empty($_POST) === false) {
            $required_fields = array('password', 'password_again');
            foreach ($_POST as $key => $value) {
                if (empty($value) && in_array($key, $required_fields) === true) {
                    $errors[] = 'You missed a field!';
                    break 1;
                }
            }
            if (trim($_POST['password']) !== trim($_POST['password_again'])) {
                $errors[] = 'Your new passwords do not match';
            } else if (strlen($_POST['password']) < 6) {
                $errors[] = 'Your password must be at least 6 characters long.';
            }
        }
        if (empty($_POST) === false && empty($errors) === true) {
            password_recovery($username, $_POST['password']);
            header('Location: recover_password.php?success');
        } else {
            echo output_errors($errors);
        }
    } else {
        die("User not found");
    }
}
?>
<html>
    <head>
        <meta http-equiv="content-type" content="text/html;charset=utf-8">
        <title>Liste - Login</title>
        <link rel="stylesheet" type="text/css" href="css/style.css">
    </head>
    <body>
        <form action="" method="post">          
            <label for="password"><b><center>New Password:</label><br >
                        <input type="password" name="password" size="30"><br />

                        <label for="password_again"><b><center>Re-enter New Password:</label><br >
                                    <input type="password" name="password_again" size="30"><br />

                                    <input type="submit" value="Change Password"><br /><br />
                                    </form>
                                </center>
                                </body>
                                </html>

score -1 · Accepted Answer

尝试这样的事情：

mysql_query("UPDATE `users` SET `password` = '".$password."' WHERE `username` = '".$username."'");

php - MySQL 数据库未更新

2 回答 2

Related

Reference