dongyun6229 2017-06-12 16:19
浏览 82
已采纳

使用php和MySQL创建密码重置页面很困难

Afternoon.

I am trying to create a password reset page using php. Upon clicking the reset button I get my password reset successful message but no changes have been made to my database.

Any help would be appreciated.

<?php
  session_start();
  $_SESSION['message'] = '';
  $mysqli = new mysqli("localhost", "User", "password", "DarrenOBrien");

  if ($_SESSION['loggedin']) {
    if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {

      $email=$_SESSION('email');
      $result = $mysqli->query("SELECT * FROM accounts WHERE userEmail='$email'") or die($mysqli->error);

      $user = $result->fetch_assoc();
        if (password_verify($_POST['oldpassword'], $user['userPassword'])) {
          if (($_POST['newpassword'] == $_POST['confirmnewpassword'])) {
            $newpass=password_hash($_POST['confirmnewpassword'], PASSWORD_BCRYPT);
            $sql = "UPDATE accounts SET userPassword='$newpass' WHERE userEmail='$email'";
            $_SESSION['message'] = 'Password reset successful';
          }
          else {
            $_SESSION['message'] = 'Passwords do not match. Please try again.';
          }
        }
        else {
          $_SESSION['message'] = 'Old password does not match password in records. Please try again.';
        }



    }
  }
  else {
    header('location: register.php');
  }

?>


<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Login</title>
  <link rel="stylesheet" href="css/bootstrap.min.css">
  <link rel="stylesheet" href="css/styles.css">
</head>

<body>
  <!--Navbar-->
   <nav class="navbar navbar-inverse">
     <div class="container">
       <div class="navbar-header">
         <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
           <span class="sr-only">Toggle navigation</span>
           <span class="icon-bar"></span>
           <span class="icon-bar"></span>
           <span class="icon-bar"></span>
         </button>
         <a class="navbar-brand" href="welcome.php">PHP Project </a>
       </div>
       <div id="navbar" class="collapse navbar-collapse">
         <ul class="nav navbar-nav">
           <li><a href="welcome.php">Home</a></li>
           <li class="active"><a href="profile.php">Profile</a></li>
           <li><a href="products.php">Products</a></li>
         </ul>
         <a href="logout.php" class="navbar-brand pull-right">Logout</a>
       </div>
     </div>
   </nav>
   <!--End of Navbar-->


   <div class="container-fluid" id="profile">
     <form action="reset.php" method="post" enctype="multipart/form-data" autocomplete="off">
      <div class="alert-error"><?= $_SESSION['message'] ?></div>

       <div class="form-group">
         <label for="oldpass">Old Password:</label>
         <input type="password" class="form-control" id="oldpass" placeholder="Password" name="oldpassword" autocomplete="new-password" minlength="4" required />
       </div>

       <div class="form-group">
         <label for="newpass">New Password:</label>
         <input type="password" class="form-control" id="newpass" placeholder="Password" name="newpassword" autocomplete="new-password" minlength="4" required />
       </div>

       <div class="form-group">
         <label for="confirmnewpass">Confirm New Password:</label>
         <input type="password" class="form-control" id="confirmnewpass" placeholder="Password" name="confirmnewpassword" autocomplete="new-password" minlength="4" required />
       </div>

       <input type="submit" value="Reset Password" name="reset" class="btn btn-block btn-primary" id="resetbtn"/>
     </form>
   </div>

<!-- Required bootstrap scripts -->
  <script src="js/jquery-3.2.1.min.js"></script>
  <script src="js/bootstrap.min.js"></script>
<!-- End of required bootstrap scripts -->
</body>
  • 写回答

3条回答 默认 最新

  • douyou1857 2017-06-12 16:30
    关注

    I would like to direct your eyes to this piece of code here

    if (($_POST['newpassword'] == $_POST['confirmnewpassword'])) {
        $newpass=password_hash($_POST['confirmnewpassword'], PASSWORD_BCRYPT);
        $sql = "UPDATE accounts SET userPassword='$newpass' WHERE 
        userEmail='$email'";
        $_SESSION['message'] = 'Password reset successful';
      }

    Here your $sql variable holds an sql statement, that is, a plain text string that currently does nothing, you have to execute it, much like you executed the select query above

    if ($mysqli->query($sql) === TRUE) {
    $_SESSION['message'] = 'Password reset successful'; 
} else {
    $_SESSION['message'] = "Error updating record: " . $mysqli->error;
}

    As taken from w3Schools

    Also if that's the whole extent of your endpoint, you should remember to close the connection, calling the close method of your mysqli class instance

    Last but not least, I would strongly recommend that you do not use the class name (mysqli) as your instance name ($mysqli), just for the sake of good practice

    EDIT:

    The comments received are right indeed, my answer is quite poor at this point, so let's take into account a few things

    You should use prepared statements instead of throwing variables directly at the sql query, someone that's clever enough could use that to inject sql statements to your database

    Please correct me if I'm wrong but this could be a lot safer this way:

    //Email select query part
$email= $mysqli->real_escape_string($_SESSION['email']);
$stmt = $mysqli->prepare("SELECT * FROM accounts WHERE userEmail=(?)")
if (!$stmt->bind_param("s", mysqli->$email)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}


//Update part
$newpass=password_hash(
    $mysqli->real_escape_string($_POST['confirmnewpassword']),
    PASSWORD_BCRYPT);
$stmt = mysqli->prepare("UPDATE accounts SET userPassword=(?) WHERE 
userEmail=(?)");
if (!$stmt->bind_param("ss", $newpass,$email)) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
    //handle error code, disrupt execution...
}
$_SESSION['message'] = 'Password reset successful';

    Now I'm sure this can be refactored in much more efficient ways, but I hope I helped OP see what's up with his code

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂
  • ¥15 wordpress 产品图片 GIF 没法显示
  • ¥15 求三国群英传pl国战时间的修改方法
  • ¥15 matlab代码代写,需写出详细代码,代价私
  • ¥15 ROS系统搭建请教(跨境电商用途)
  • ¥15 AIC3204的示例代码有吗,想用AIC3204测量血氧,找不到相关的代码。