douwo1862 2012-09-11 14:27
Views: 30
Accepted

I created a change-password script in PHP and it does not work correctly [closed]

I have the following code, and it will not work. I am currently working on a simple change password feature for a system and can't get it to function correctly. I was wondering if I was overlooking a really simple solution?

<?php    
    $con = mysql_connect("localhost","root");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    $username = $_POST['userid'];  
    $password = $_POST['cpword'];
    $newpassword = $_POST['pword'];
    $confirmnewpassword = $_POST['pword2'];

    $result = mysql_query("SELECT username, pword FROM login WHERE username='$username'");

    if(!$result) {
        echo "The username entered does not exist!";
    } else
        if($password != mysql_result($result, 0)) {
            echo "Entered an incorrect password";
        }

    if($newpassword == $confirmnewpassword) {
        $sql = mysql_query("UPDATE login SET pword = '$newpassword' WHERE username = '$username'");     
    }

    if(!$sql) {
        echo "Congratulations, password successfully changed!";
    } else {
        echo "New password and confirm password must be the same!";
    }       
?>

2 answers


  • douyu9433 2012-09-11 14:51

    OK there are a lot of things wrong with this code so I've rewritten it to be up to date and not at all dangerous (mostly).

    I'm not hashing the passwords here like you really should but you can do it quite simply with a bit of reading ( try this: Secure hash and salt for PHP passwords )

    For a comprehensive list of the exact problems and solutions to those problems, take a look at @Bondye's post or the comments on the OP's question.

    Disclaimer: not tested so might have a few syntax errors. this is still not fantastic but it's a much better starting point than the original code. See below for a list of what I've changed and why.

    Here goes...

    <?php
        $host = "localhost";
        $database = "yourdatabase";
        $username_db = "root";
        $password_db = "databasepassword";
        // mysqli_connect() returns false on failure; use mysqli_connect_error() since
        // there is no valid link to pass to mysqli_error() yet.
        $con = mysqli_connect($host, $username_db, $password_db, $database) or die(mysqli_connect_error());
    
        $username = $_POST['userid'];  
        $newpassword = $_POST['pword'];
        $confirmnewpassword = $_POST['pword2'];
    
        if($newpassword == $confirmnewpassword)
        {
            //password & password confirm match, do the update
            //escape with the mysqli function (it needs the link) and quote the values in the SQL
            $query = sprintf("UPDATE login SET pword='%s' WHERE username='%s'",
                              mysqli_real_escape_string($con, $newpassword),
                              mysqli_real_escape_string($con, $username));
            //mysqli_query() takes the link first, then the query string
            $sql = mysqli_query($con, $query) or die(mysqli_error($con));
            if($sql)
            {
                echo "Congratulations, password successfully changed!";
            } 
            else
            {
                //sql error or update didn't work?
                echo 'generic failure message';
            }        
        }
        else
        {
            //new password and confirm password weren't the same.
            echo "New password and confirm password must be the same!";
        }    
    
    ?>
    

    Changes: Removed the query to look for a username - personal choice really but I don't see the point in querying the DB to see if the user exists when you are going to be doing an implicit search for that user in the update query. Secondly, you should have logged them in before they can access this script, so there should be no question about whether the user exists or not.

    Changed mysql functions to their mysqli equivalents.

    Simplified and cleaned up the mess of if tests and put validation before the query itself. This is better as you shouldn't tell your users what you have in your database as this is useful information for attackers and not at all useful for users who should already be logged in by this point.

    Hope this helps and open to corrections.

    This answer was selected by the asker as the best answer.
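As an added example (not the accepted answer's or the asker's code), the same change-password flow with mysqli prepared statements and hashed passwords, which also verifies the current password the way the original question intended. The `login` table and its `username`/`pword` columns follow the question; the database credentials and the `$_SESSION['username']` key are assumptions.

```php
<?php
// Added example: change-password handler using prepared statements and
// password_hash()/password_verify(). Assumes `login.pword` stores a
// password_hash() digest and the user is already logged in with their
// username in $_SESSION['username'] (assumed session key).
session_start();

$con = mysqli_connect("localhost", "dbuser", "dbpass", "yourdatabase"); // assumed credentials
if (!$con) {
    http_response_code(500);
    exit("Database connection failed");
}

$username = $_SESSION['username'] ?? '';
$current  = $_POST['cpword'] ?? '';
$new      = $_POST['pword'] ?? '';
$confirm  = $_POST['pword2'] ?? '';

if ($username === '') {
    exit("You must be logged in to change your password");
}
if ($new !== $confirm) {
    exit("New password and confirm password must be the same!");
}
if (strlen($new) < 8) {
    exit("New password must be at least 8 characters long");
}

// Fetch the stored hash; user input is bound as a parameter, never spliced into SQL.
$stmt = mysqli_prepare($con, "SELECT pword FROM login WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedHash);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

// One generic message whether the account is missing or the password is wrong,
// so the response does not reveal which usernames exist.
if (!$found || !password_verify($current, $storedHash)) {
    exit("Current password is incorrect");
}

// Store only the hash of the new password, bound as a parameter.
$newHash = password_hash($new, PASSWORD_DEFAULT);
$stmt = mysqli_prepare($con, "UPDATE login SET pword = ? WHERE username = ?");
mysqli_stmt_bind_param($stmt, "ss", $newHash, $username);
mysqli_stmt_execute($stmt);
$updated = mysqli_stmt_affected_rows($stmt) === 1;
mysqli_stmt_close($stmt);

echo $updated ? "Password successfully changed!" : "Password could not be changed";
```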
