douwo1862
2012-09-11 14:27
浏览 30
已采纳

我在PHP中创建了一个更改密码脚本,它不能正常工作[关闭]

I have the following code, and it will not work. I am currently working on a simple change password feature for a system and cant get it to function correctly. i was wondering if i was overlooking a really simple solution?

<?php    
    $con = mysql_connect("localhost","root");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    $username = $_POST['userid'];  
    $password = $_POST['cpword'];
    $newpassword = $_POST['pword'];
    $confirmnewpassword = $_POST['pword2'];

    $result = mysql_query("SELECT username, pword FROM login WHERE username='$username'");

    if(!$result) {
        echo "The username entered does not exist!";
    } else
        if($password != mysql_result($result, 0)) {
            echo "Entered an incorrect password";
        }

    if($newpassword == $confirmnewpassword) {
        $sql = mysql_query("UPDATE login SET pword = '$newpassword' WHERE username = '$username'");     
    }

    if(!$sql) {
        echo "Congratulations, password successfully changed!";
    } else {
        echo "New password and confirm password must be the same!";
    }       
?>

图片转代码服务由CSDN问答提供 功能建议

我有以下代码,它不起作用。 我目前正在为系统开发一个简单的更改密码功能,并且无法使其正常运行。 我想知道我是否忽略了一个非常简单的解决方案?

 &lt;?php 
 $ con = mysql_connect(“localhost”,“root”); 
 if(n)  !$ con){
 die('无法连接:'。mysql_error()); 
} 
 
 $ username = $ _POST ['userid'];  
 $ password = $ _POST ['cpword']; 
 $ newpassword = $ _POST ['pword']; 
 $ confirmnewpassword = $ _POST ['pword2']; 
 
 $ result = mysql_query(“SELECT  username,pword FROM login WHERE username ='$ username'“); 
 
 if if(!$ result){
 echo”输入的用户名不存在!“; 
} else 
 if($ password!  = mysql_result($ result,0)){
 echo“输入了错误的密码”; 
} 
 
 if($ newpassword == $ confirmnewpassword){
 $ sql = mysql_query(“UPDATE login SET pword =  '$ newpassword'WHERE username ='$ username'“);  
 
 
 
如果(!$ sql){
 echo“恭喜,密码已成功更改!”; 
}其他{
 echo“新密码和确认密码必须相同!”; 
}  
?&gt; 
   
 
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • douyu9433 2012-09-11 14:51
    已采纳

    OK there are alot of things wrong with this code so I've rewritten it to be up to date and not at all dangerous (mostly).

    I'm not hashing the passwords here like you really should but you can do it quite simply with a bit of reading ( try this: Secure hash and salt for PHP passwords )

    For a comprehensive list of the exact problems and solutions to those problems, take a look at @Bondye's post or the comments on the OP's question.

    Disclaimer: not tested so might have a few syntax errors. this is still not fantastic but it's a much better starting point than the original code. See below for a list of what I've changed and why.

    Here goes...

    <?php
        $host = "localhost";
        $database = "yourdatabase";
        $username_db = "root";
        $password_db = "databasepassword";
        $con = mysqli_connect($hostname, $username_db, $password_db, $database) or die(mysqli_error($con));
    
        $username = $_POST['userid'];  
        $newpassword = $_POST['pword'];
        $confirmnewpassword = $_POST['pword2'];
    
        if($newpassword == $confirmnewpassword)
        {
            //password & password confirm match, do the update
            $query = sprintf("UPDATE login SET pword=%s WHERE username=%s",
                              mysql_real_escape_string($newpassword),
                              mysql_real_escape_string($username));                    
            $sql = mysqli_query($query, $con) or die(mysqli_error($con);     
            if($sql)
            {
                echo "Congratulations, password successfully changed!";
            } 
            else
            {
                //sql error or update didn't work?
                echo 'generic failure message';
            }        
        }
        else
        {
            //new password and confirm password weren't the same.
            echo "New password and confirm password must be the same!";
        }    
    
    ?>
    

    Changes: Removed the query to look for a username - personal choice really but I don't see the point in querying the DB to see if the user exists when you are going to be doing an implicit search for that user in the update query. Secondly, you should have logged them in before they can access this script, so there should be no question about whether the user exists or not.

    Changed mysql functions to their mysqli equivelants.

    Simplified and cleaned up the mess of if tests and put validation before the query itself. This is better as you shouldn't tell your users what you have in your database as this is useful information for attackers and not at all useful for users who should already be logged in by this point.

    Hope this helps and open to corrections.

    打赏 评论
  • dongzhi5587 2012-09-11 14:34

    Ok because of this dangerous script that is going to infect the internet I advice you some.

    1. Use hash to save passwords, Nobody want a visible password.
    2. Never tell a user what you have in your database like the Entered an incorrect password notice tells me that I found a username so my bruteforce is 100x easier.
    3. And what people shout all over the net is: STOP USING MYSQL Step to PDO or mysqli
    4. Last but not least: Ever heard about mysql injections?
    打赏 评论