-1

我只是 PHP 的新手,我正在尝试创建一个忘记密码的功能,我确实有以下代码

<?php

    $con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("inventory", $con);

$a=$_POST['password'];
$b=$_POST['newpassword'];
$c=$_POST['retypepassword'];

$result = mysql_query("SELECT * from admins " );

while($row = mysql_fetch_array($result))
  { 

  $password = $row['password'] ;

  }
              if($_POST['retypepassword'] != $b){     
                echo "<script type='text/javascript'>alert('Password Not match');
                window.location.href='forgotpass.php?id=0';
            </script>";
            exit();
                }
             if($_POST['password'] != $password){
                    echo "<script type='text/javascript'>alert('You Provide wrong Password');
                    window.location.href='forgotpass.php?id=0';
            </script>";
            exit();
                }       
            else {
            mysql_query("UPDATE admins SET password = '$b'
                    WHERE password = '$a' ");
                    header("location: index.php?id=0");
};

?>

现在,问题是我只能更新插入数据库的最后一个帐户。例如,我的数据库中有以下帐户,我想更改“greeg”,这没有任何问题。但是,如果我更改“gejel”(“数据库中的第一个值”),它会显示这个“您提供错误的密码”,我不知道为什么我总是在这里。我想“WHERE”有什么问题吗?请帮助帮助我:D 

id |password |
1  |  gejel  |
2  |  greeg  |
4

2 回答 2

0

将帐户 ID 放入两个查询中并正确转义变量以避免SQL 注入

就像其他用户说不推荐使用 mysql_* 扩展一样,我建议您改用PDO

<?php

    $con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("inventory", $con);

$id=$_POST['id'];
$a=$_POST['password'];
$b=$_POST['newpassword'];
$c=$_POST['retypepassword'];

$result = mysql_query("SELECT * FROM admins WHERE id = '" .$id. "'");

while($row = mysql_fetch_array($result))
  { 

  $password = $row['password'] ;

  }
              if($_POST['retypepassword'] != $b){     
                echo "<script type='text/javascript'>alert('Password Not match');
                window.location.href='forgotpass.php?id=0';
            </script>";
            exit();
                }
             if($_POST['password'] != $password){
                    echo "<script type='text/javascript'>alert('You Provide wrong Password');
                    window.location.href='forgotpass.php?id=0';
            </script>";
            exit();
                }       
            else {
            mysql_query("UPDATE admins SET password = '" .$b. "'
                    WHERE id = '" .$id. "'");
                    header("location: index.php?id=0");
};

?>

和今天一样,我心情很好,我会给你一个PDO 示例

常量.php

<?php
define("DB_SERVER", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "inventory");
?>

连接.php

<?php
require("constants.php");
try {
    $con = new PDO('mysql:host=' . DB_SERVER . ';dbname=' . DB_NAME, DB_USER, DB_PASS,
    array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",PDO::ATTR_PERSISTENT => true));
    $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    }
catch(PDOException $e)
    {
    echo 'Could not connect: ';
    echo $e->getMessage();
    }
?>

your_file.php

<?php
include("connection.php");

$id=$_POST['id'];
$password=$_POST['password'];
$newpassword=$_POST['newpassword'];
$retypepassword=$_POST['retypepassword'];

$sql = "SELECT * FROM admins WHERE id = :id";

$sth = $dbh->prepare($sql);
$sth->bindValue(':id', $id, PDO::PARAM_INT);
$sth->execute();

while($row = $sth->fetch(PDO::FETCH_ASSOC)) {
    $db_password = $row['password'] ;
}

if($retypepassword != $newpassword){     
    echo "<script type='text/javascript'>alert('Password Not match');
window.location.href='forgotpass.php?id=0';
</script>";
exit();
}

if($password != $db_password){
    echo "<script type='text/javascript'>alert('You Provide wrong Password');
window.location.href='forgotpass.php?id=0';
</script>";
exit();

}else {

    $sql = "UPDATE admins SET password = :newpassword WHERE id = :id";

    $sth = $dbh->prepare($sql);
    $sth->bindValue(':newpassword', $newpassword, PDO::PARAM_STR);
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();

    if($sth){
        header("location: index.php?id=0");
    }
};
?>

您需要搜索的另一点是PHP 密码的安全哈希和盐

于 2013-10-02T08:51:50.997 回答
0

我相信问题出在你的while循环中。mysql_query 正在选择表中的所有条目,然后您遍历它们,因此将始终以表中的最后一个条目结束。您的查询需要类似于:

$result = mysql_query("SELECT * from admins WHERE id = $id"); <-- added WHERE clause

您需要知道要更改哪个帐户的密码,根据提供的当前密码,您不能这样做。如果两个管理员密码相同怎么办?

其次,这应该是不可能的,因为您应该对密码进行加盐和哈希处理:http: //php.net/manual/en/faq.passwords.php

第三,现在不推荐使用 mysql_* 扩展,您应该立即停止使用它们。请改用 MySQLi 或 PDO_MySQL。在这里阅读大红框:http: //php.net/manual/en/function.mysql-query.php

最后,我建议对 SQL 注入进行一些研究,因为它看起来你的应用程序很可能很容易受到攻击。从偏移量中获取这些东西比稍后尝试修补它们要好,这会让你容易:http ://en.wikipedia.org/wiki/SQL_injection

于 2013-10-02T08:22:54.237 回答