POST request not working inside while loop



On my forgot-password page, you enter your email and it generates 2 tokens: one is a token and one is a reset token.

This is the link sent to the email:

http://example/user/password-reset/578846722?token=5e19641a37208577509eff40f91a6e66cfc5a8985c3ed5323456b83041970a4d

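Reset token: 578846722

Token: 5e19641a37208577509eff40f91a6e66cfc5a8985c3ed5323456b83041970a4d

After clicking the link, it takes them to the password page, which has password and confirm password inputs. On the page, my password reset function is called as follows: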

<?php password_reset();?>

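When the page is opened, the first check is to make sure the token and reset token match the user.

The page should allow the user to enter a new password with a confirm password and, after the form checks, update it. But it ignores the password checks.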

function password_reset()
{
    if (isset($_GET['reset_token'], $_GET['token']) && ($_SERVER['REQUEST_METHOD'] === "GET")) {
        $db = DB_CONNECT();
        $stmt = $db->prepare("SELECT email, confirm_code, reset_token
                              FROM users
                              WHERE confirm_code = ? AND reset_token = ?");
        $stmt->bind_param('ss', $_GET['token'], $_GET['reset_token']);
        $stmt->execute();
        $result = $stmt->get_result();
        $stmt->close();
        if (mysqli_num_rows($result) === 0) {
            set_message("Unable to locate account with provided data.", WARNING);
            redirect_to_url("/user/login");
        }
        while ($row = mysqli_fetch_assoc($result)) {
            if (($_SERVER['REQUEST_METHOD'] === "POST") && $_POST['password'] === $_POST['confirm_password']) {
                $password = $_POST['password'];
                $confirm_password = $_POST['confirm_password'];
                if (empty($password)) {
                    $errors[] = "Password required.";
                }
                if (empty($confirm_password)) {
                    $errors[] = "Confirm Password required.";
                }
                if (!empty($errors)) {
                    echo form_errors($errors[0], DANGER);
                }
            } else {
                echo "Updated";
            }
        }
    }
}

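The code never reaches the if inside the while, because you put it inside the first if, which checks whether REQUEST_METHOD is GET, while the other one checks whether REQUEST_METHOD is POST.

That is why it echoes "Updated" when the page loads: it is a GET request, then inside it expects a POST, which is false, so the else echoes Updated.

But when you submit the form (which is a POST request), it does not even enter the first if.

Try this: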

function password_reset()
{
    // if you need a get response using the same route/function, you can do it like
    //
    // if ($_SERVER['REQUEST_METHOD'] === "GET") {
    //     // do your stuff
    // }
    if (isset($_GET['reset_token'], $_GET['token']) && ($_SERVER['REQUEST_METHOD'] === "POST")) {
        $db = DB_CONNECT();
        $stmt = $db->prepare("SELECT email, confirm_code, reset_token
                              FROM users
                              WHERE confirm_code = ? AND reset_token = ?");
        $stmt->bind_param('ss', $_GET['token'], $_GET['reset_token']);
        $stmt->execute();
        $result = $stmt->get_result();
        $stmt->close();
        if (mysqli_num_rows($result) === 0) {
            set_message("Unable to locate account with provided data.", WARNING);
            redirect_to_url("/user/login");
        }
        while ($row = mysqli_fetch_assoc($result)) {
            if (empty($_POST['password'])) {
                $errors[] = "Password required.";
            }
            if (empty($_POST['confirm_password'])) {
                $errors[] = "Confirm Password required.";
            }

            if (!empty($errors)) {
                echo form_errors($errors[0], DANGER);
            }
            else if ($_POST['password'] === $_POST['confirm_password']) {
                echo "Updated";
            }
            else {
                // case password is different from confirm_password, do your error stuff
            }
        }
    }
}
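
An added example (not the asker's or the answerer's code) of the same handler with the token lookup run on every request and the GET/POST branch made only afterwards, so a POST can never skip the token check. `handle_password_reset()` and the `$findUser` callback, which stands in for the prepared SELECT, are hypothetical names, and the sample tokens are constructed.

```php
<?php
// Added example; handle_password_reset() and $findUser are hypothetical names.
// $findUser stands in for the prepared SELECT: it returns a user row or null.
function handle_password_reset(string $method, array $query, array $post, callable $findUser): array
{
    // 1. Check both tokens on every request, GET and POST alike.
    $token = $query['token'] ?? null;
    $reset = $query['reset_token'] ?? null;
    if (!is_string($token) || !is_string($reset) || $findUser($token, $reset) === null) {
        return ['state' => 'invalid_token', 'errors' => []];
    }
    // 2. GET only renders the form; nothing is changed.
    if ($method !== 'POST') {
        return ['state' => 'show_form', 'errors' => []];
    }
    // 3. POST: run the form checks before any update.
    $errors = [];
    $password = $post['password'] ?? '';
    $confirm = $post['confirm_password'] ?? '';
    if (!is_string($password) || $password === '') {
        $errors[] = 'Password required.';
    }
    if (!is_string($confirm) || $confirm === '') {
        $errors[] = 'Confirm Password required.';
    }
    if (!$errors && $password !== $confirm) {
        $errors[] = 'Passwords do not match.';
    }
    if ($errors) {
        return ['state' => 'form_errors', 'errors' => $errors];
    }
    // The caller would now store password_hash($password, PASSWORD_DEFAULT)
    // and invalidate the reset token so the link cannot be reused.
    return ['state' => 'updated', 'errors' => []];
}

// Constructed sample data (not values from the page).
$findUser = fn(string $t, string $r) =>
    ($t === 'tok-abc' && $r === '123') ? ['email' => 'user@example.com'] : null;
$good = ['token' => 'tok-abc', 'reset_token' => '123'];
$bad = ['token' => 'wrong', 'reset_token' => '123'];
foreach ([
    ['GET', $good, []],
    ['POST', $good, ['password' => 'a', 'confirm_password' => 'b']],
    ['POST', $good, ['password' => 'a', 'confirm_password' => 'a']],
    ['POST', $bad, ['password' => 'a', 'confirm_password' => 'a']],
] as [$m, $q, $p]) {
    echo $m, ' => ', handle_password_reset($m, $q, $p, $findUser)['state'], PHP_EOL;
}
```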
