dongsimu4422 2014-04-16 10:27

Password is not updated even though all validations pass

Could you check what's wrong with my code? It passes the validations but doesn't update my old password with a new one... I even tried to echo the values after a successful UPDATE, and at the end it returns my old password instead of the new one.

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Profilio redagavimas</title>
<link href="CSS/stilius.css" rel="stylesheet" type="text/css"/>
<link href="CSS/menu.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<?php require("includes/validate.php");?>
<?php require("includes/stilius.php");?>
<?php
echo "Jūsų vardas: ".$row["name"]."<br>";
echo "Jūsų miestas: ".$row["city"]."<br>";
echo "Jūsų telefono numeris: ".$row["phone"]."<br>";
if(strlen($row["web"]) > 0)
    echo "Jūsų svetainės adresas: ".$row["web"]."<br>";
else
    echo "Registracijos metu neįvedėte savo svetainės adreso."."<br>";
    echo "pass";
?>

<form method='post' action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
                <td>Old Password:</td>                  
                <td><input name='oldpw' type='password' required='required'/></td>
            <tr>
                <td>New Password:</td>
                <td><input name='newpw' type='password' required = 'required' /></td>
            <tr>                    
                <td>Confirm Password:</td>                  
                <td><input name='conpw' type='password' required = 'required' /></td>
                <td> 
                <input type='submit' value='Pakeisti slaptažodį' />
                </td>
            </tr> 
</form>
<?php
if (isset($_POST['newpw'])){    
$newpwd = mysql_real_escape_string(md5($_POST['newpw']));
if (md5($_POST['oldpw'])== $row['pass'])
{
    if ($_POST['newpw']==$_POST['conpw'])
    {
        if(mysql_query("UPDATE vartotojai SET pass='$newpwd' WHERE 'V_ID' = '{$_SESSION['user_id']}'"))
        {
            echo $newpwd."<br>";
            echo $_SESSION['user_id']."<br>";
            echo "Slaptažodis sėkmingai pakeistas"."<br>";
            echo $row['pass'];
        }
        else {echo "Klaida: " .mysql_error();}
    }
    else { echo "Slaptažodžiai nesutampa"; }
}

else { echo "Įvestas blogas senas slaptažodis";}
}
?>
<?php mysql_close(); ?>

<?php require("includes/footer.php");?>      
</body>
</html>

EDIT: SOLVED Thanks to Shankar Damodaran.

2 answers

  • duanguan3863 2014-04-16 10:41
    $newpwd = mysql_real_escape_string(md5($_POST['newpw']));
    

    The approach within this single line is completely wrong for several reasons:

    1. You allow several passwords to match the same hash because of the escaping. Thus, the order is wrong and should be:

      $newpwd = mysql_real_escape_string(md5($_POST['newpw']));

    2. One step further, you don't even need to escape an md5 hash because it only consists of alpha-numeric hex digits:

      $newpwd = md5($_POST['newpw']);

    3. Using md5 password hashing without salt is 100% equal to using clear-text passwords. Even with salt, it's still very insecure. Alternatives:

      http://php.net/function.password-hash

      https://github.com/ircmaxell/password_compat

    The issue itself is in the UPDATE:

    "UPDATE vartotojai SET pass='$newpwd' WHERE 'V_ID' = '{$_SESSION['user_id']}'"
    

    Should be

    "UPDATE vartotojai SET pass='" . $newpwd . "' WHERE V_ID = '" . $row["V_ID"] . "'"
    

    Using the V_ID you already selected (I guess you have) is more secure than using something from the session. Normal single quotes around columns tell MySQL "this is not a column".

    This answer was selected as the best answer by the asker.
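Added example, not part of the answer above or the asker's code: it shows why the quoted-column UPDATE reports success while changing nothing, next to a password change that uses prepared statements, `password_hash()`/`password_verify()` and a `rowCount()` check. Assumptions: an in-memory SQLite database stands in for MySQL, the row is constructed sample data, and `changePassword()` is a hypothetical helper name.

```php
<?php
// Constructed sample data; SQLite in memory stands in for the MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE vartotojai (V_ID INTEGER PRIMARY KEY, pass TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO vartotojai (V_ID, pass) VALUES (?, ?)');
$ins->execute([1, password_hash('old-secret', PASSWORD_DEFAULT)]);

// The question's WHERE clause: 'V_ID' in single quotes is a string literal,
// so the comparison is false for every row. The statement itself still succeeds,
// which is why the "success" branch ran while the stored password stayed the same.
$buggy = $pdo->prepare("UPDATE vartotojai SET pass = ? WHERE 'V_ID' = ?");
$ok = $buggy->execute(['ignored', 1]);
printf("quoted column: execute=%s, rows changed=%d\n", var_export($ok, true), $buggy->rowCount());

// Hypothetical helper: verify the old password, then update by column name.
function changePassword(PDO $pdo, int $userId, string $old, string $new, string $confirm): string
{
    if ($new !== $confirm) {
        return 'new passwords do not match';
    }
    $sel = $pdo->prepare('SELECT pass FROM vartotojai WHERE V_ID = ?');
    $sel->execute([$userId]);
    $stored = $sel->fetchColumn();
    // password_verify() reads the salt and algorithm from the stored hash.
    if ($stored === false || !password_verify($old, $stored)) {
        return 'wrong old password';
    }
    // Values are bound as parameters, so no manual escaping is involved.
    $upd = $pdo->prepare('UPDATE vartotojai SET pass = ? WHERE V_ID = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    // A successful statement is not proof of a change: check the affected rows.
    return $upd->rowCount() === 1 ? 'password updated' : 'no row was updated';
}

echo changePassword($pdo, 1, 'old-secret', 'new-secret', 'new-secret'), "\n";
echo changePassword($pdo, 1, 'old-secret', 'other', 'other'), "\n";
echo changePassword($pdo, 1, 'new-secret', 'a', 'b'), "\n";
```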