在PHP中更改密码
我在PHP中更改密码脚本,我想要做的是从前一个屏幕中输入用户输入的变量,然后将它们与MySQL数据库进行比较。如果旧密码与他们放入的不匹配,我希望它失败并出现错误。这是我到目前为止的代码..但我知道比较一个字符串与变量不会工作,但需要知道如何转换它们,以便他们可以比较。以下是有问题的页面。在PHP中更改密码
密码当前存储在数据库的普通txt中,但稍后将更改为md5。问题是如何将输入值与从db中拉出的值进行比较?
<html>
<head>
<title>Password Change</title>
</head>
<body>
<?php
mysql_connect("localhost", "kb1", "BajyXhbRAWSVKPsA") or die(mysql_error());
mysql_select_db("kb1") or die(mysql_error());
$todo=mysql_real_escape_string($_POST['todo']);
$username=mysql_real_escape_string($_POST['userid']);
$password=mysql_real_escape_string($_POST['password']);
$password2=mysql_real_escape_string($_POST['password2']);
$oldpass=mysql_real_escape_string($_POST['oldpass']);
/////////////////////////
if(isset($todo) and $todo == "change-password"){
//Setting flags for checking
$status = "OK";
$msg="";
//MYSQL query to pull the current password from the database and store it in $q1
$results = mysql_query("SELECT password FROM kb_users WHERE username = '$username'") or die(mysql_error());
$q1 = mysql_fetch_array($results);
//print_r($q1)
//changing the string $oldpass to using the str_split which converts a string to an array.
//$oldpass1 = str_split($oldpass,10);
if(!$q1)
{
echo "The username <b>$username</b> does not exist in the database. Please click the retry button to attempt changing the password again. <BR><BR><font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>"; die();
}
if ($oldpass == $q1){
$msg = $msg. "The provided password <b>$oldpass</b> is not the same as what is in the database. Please click the retry button to attempt changing the password again.<BR><br>";
$status = "NOTOK";}
/*
if ($q1 <> $oldpass1) {
$msg = $msg. "The provided password <b>$oldpass</b> is not the same as what is in the database. Please click the retry button to attempt changing the password again.<BR><br>";
$status = "NOTOK"; }
*/
if (strlen($password) < 3 or strlen($password) > 10){
$msg=$msg. "Your new password must be more than 3 char legth and a maximum 10 char length<BR><BR>";
$status= "NOTOK";}
if ($password <> $password2){
$msg=$msg. "Both passwords are not matching<BR>";
$status= "NOTOK";}
if($status<>"OK")
{
echo "<font face='Verdana' size='2' color=black>$msg</font><br><center> <input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else {
// if all validations are passed.
if (mysql_query("UPDATE kb_users SET password='$password' where username='$username'") or die(mysql_error()));
{
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password has been changed successfully. Please keep changing your password for better security</font></center>";
}
}
}
?>
</body>
</html>
首先,建议不要直接在查询中使用POST数据。你最好先逃避这些数据,以避免注射。
另外,我认为你使用if的方式不是最好的方法。我认为不需要状态变量。这是肯定的。 $status
在测试它的值之前设置为NOTOK
。所以它永远是NOTOK
,这会导致你的脚本永远不会更新任何密码。
我改变了你的测试结构,在我看来,更好的一个。仔细看看你想测试什么,因为现在你的测试都混在一起了。
<html>
<head>
<title>Password Change</title>
</head>
<body>
<?php
// MySQL connection details
$todo=mysql_real_escape_string($_POST['todo']);
$username=mysql_real_escape_string($_POST['userid']);
$password=mysql_real_escape_string($_POST['password']);
$password2=mysql_real_escape_string($_POST['password2']);
$oldpass=mysql_real_escape_string($_POST['oldpass']);
if(isset($todo) and $todo == "change-password"){
$results = mysql_query("SELECT password FROM kb_users WHERE username = '$username'") or die(mysql_error());
$q1 = mysql_fetch_array($results);
if (!$q1) {
// The user does not exist in the database.
}
if ($oldpass == $q1) {
// The current password matches the input from the oldpass field.
if (strlen($password) > 3 or strlen($password) < 10) {
// Password meets requirements
if ($password == $password2) {
//Passwords match, update the password in the database
}
else {
// The new passwords do not match.
}
}
else {
// Password is too short/long
}
}
}
?>
</body>
感谢Sander更新密码之前,状态不会更新为“NOTOK”,除非2个新密码不匹配。我测试了字符串长度和匹配的密码。我遇到的问题是从数据库中提取当前密码,然后将其与用户输入的旧密码进行比较。密码现在以纯文本形式存储在db中,但稍后将更改为散列或md5。 所以这就是问题在哪里比较输入的东西从db – mcj212 2012-03-24 16:13:42
@ mcj212拉啊等等,我的坏。你现在将一个数组与一个字符串进行比较。您应该指定要比较的数组的哪个元素。你应该使用'$ q1 ['field_name']'。所以,在你的情况下'$ q1 ['password']'。 – Sander 2012-03-24 18:00:48
您的代码很容易出现http://en.wikipedia.org/wiki/SQL_injection – 2012-03-23 23:49:20
你是如何存储在你的数据库密码? – 2012-03-23 23:50:16
很好。你有什么问题?查看http://*.com/questions/how-to-ask获取有关问好(和可回答)问题的指南。 – Hamish 2012-03-23 23:57:36