1

我已经整理了以下代码。但由于某种原因,它拒绝更新数据库,并且无论输入什么,它都会不断回显 $error“您当前的密码不正确”。

下面是主要的changepassword.php

    <?php 
include 'core/init.php';  //connection to database and checks user sessions
protect_page(); //useres not loged in cannot access this page

if (empty($_POST) === false) {
    $required_fields = array('current_password', 'password', 'password_again');
    foreach($_POST as $key=>$value) {
        if (empty($value) && in_array($key, $required_fields) === true) {
            $errors[] = 'All fields marked with an * are required.'; //check that all fields are completed
            break 1;
        }
    }

    if (md5($_POST['current_password']) === $user_data['password']) { //if equal to current password
        if (trim($_POST['password']) !== trim($_POST['password_again'])) {
            $errors[] = 'Your new passwords do not match';
        } else if (strlen($_POST['password']) < 6) {
            $errors[] = 'Your password must be at least 6 characters';
        }
    } else {
        $errors[] = 'Your current password is incorrect';   //else append error
    }
}

include 'includes/overall/header.php'; 
?>

<h1>Change Password</h1>
<p>Change your account password here.</p>

<?php
if (isset($_GET['success']) && empty($_GET['success'])) {
    echo 'Your password has been changed';
} else {

    if (empty($_POST) === false && empty($errors) === true) {
        change_password($session_user_id, $_POST['password']);
        header('Location: changepassword.php?success');
    } else if (empty($errors) === false) {
        echo output_errors($errors);
    }
    ?>

    <form action="" method="post">

        <ul>
        <li>
            Current Password*:<br>
            <input type="password" name"current_password">
        </li>
        <li>
            New Password*:<br>
            <input type="password" name"password">

        </li>
        <li>
            New Password Again*:<br>
            <input type="password" name"password_again">
        </li>
        <li>
            <input type="submit" name="Change Password" />
        </li>
        </ul>

    </form>

<?php 
}
include 'includes/overall/footer.php'; ?>

这是更改密码功能

//change password function
function change_password($membersID, $password) {
    $membersID = (int)$membersID;
    $password = md5($password);
    //update password in database
    mysql_query("UPDATE`members` SET`password` = '$password' WHERE`membersID` = $membersID");   
}

user_data 在此处声明

//user data variable to pass in sessionID and thus pass in their other details
if (logged_in() === true) {
    $session_user_id = $_SESSION['membersID']; //picking up the particular user
    $user_data = user_data($session_user_id, 'membersID', 'username','password', 'forename', 'surename', 'email', 'age'); //picks up the fields declared here - MAKE SURE TO PASS ALL paramameters you need to output.
    if (user_active($user_data['username']) === false) {
        session_destroy();
        header('Location: index.php');
        exit();
    }

}
4

2 回答 2

1

抱歉,我的第一个答案不正确,但关于 MD5 的警告仍然有效:

请记住,您的密码架构非常不安全,您应该改进一些重要的点。

  • 散列函数 MD5 不适合散列密码,因为它太快了,而是使用像 BCrypt 这样的慢速密钥派生函数。我会邀请您在我的有关安全密码存储的教程中阅读有关此主题的更多信息 。
  • 只有在不使用盐的情况下,才能像您一样直接比较密码哈希。未加盐的 MD5 哈希并不比存储密码明文更安全。使用少于 7 个字符的密码破解整个数据库只需几秒钟。
  • mysql* 函数已弃用,建议使用PDOormysqli代替。请记住,通常您必须在 SQL 语句(准备好的语句或mysqli_real_escape_string())中转义字符串值。不过,您的示例将是安全的,因为 MD5 的输出始终是安全的。
于 2013-03-28T07:54:08.853 回答
0

查询缺少引号。

function change_password($membersID, $password) {
    $membersID = (int)$membersID;
    $password = mysql_real_escape_string(md5($password));
    //update password in database
    mysql_query("UPDATE members SET password = '$password' WHERE membersID = '$membersID';");   
    if (mysql_affected_rows > 0) {
        return true;
    } else {
        return false;
    }
}


if (empty($_POST) === false && empty($errors) === true) {
    if(change_password($session_user_id, $_POST['password'])) {
        // Redirect if change_password returns true
        header('Location: changepassword.php?success');
    } else {
        // Give some error message
    }
} else if (empty($errors) === false) {
    echo output_errors($errors);
}

尝试这些更改,如果 change_password 函数返回 false,我不知道您要如何处理错误。

于 2013-03-28T00:58:52.843 回答