小贝子编程

使用 PHP 和 AJAX 更改 mysql 密码



>我正在尝试更改密码模式。我的问题是,如果我想更新密码,它会打印:"用户名不正确"。如何解决这个问题?我正在使用密码 = 密码方法来散列密码。我正在尝试将参数与 $_SESSION["用户名"] 绑定,但它不起作用。

索引.php

<form name="resetform" action="changepass.php" id="resetform" class="passform" method="post" role="form">
<h3>Change Your Password</h3>
<br />
<input type="text" name="username" value="<?php echo $_SESSION["username"]; ?>" ></input>
<label>Enter Old Password</label>
<input type="password" class="form-control" name="old_password" id="old_password">
<label>Enter New Password</label>
<input type="password" class="form-control" name="new_password" id="new_password">
<label>Confirm New Password</label>
<input type="password" class="form-control"  name="con_newpassword"  id="con_newpassword" />
<br>
<input type="submit" class="btn btn-warning" name="password_change" id="submit_btn" value="Change Password" />
</form>
<!--display success/error message-->
<div id="message"></div>
<script>
$(document).ready(function() {
var frm = $('#resetform');
frm.submit(function(e){
e.preventDefault();
var formData = frm.serialize();
formData += '&' + $('#submit_btn').attr('name') + '=' + $('#submit_btn').attr('value');
$.ajax({
type: frm.attr('method'),
url: frm.attr('action'),
data: formData,
success: function(data){
$('#message').html(data).delay(3000).fadeOut(3000);
},
error: function(jqXHR, textStatus, errorThrown) {
$('#message').html(textStatus).delay(2000).fadeOut(2000);
}
});
});
});
</script>

换乘.php

include_once 'include/connection.php';
if (isset($_POST['password_change'])) {
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['old_password']);
$newpassword = strip_tags($_POST['new_password']);
$confirmnewpassword = strip_tags($_POST['con_newpassword']);
// match username with the username in the database
$sql = "SELECT * FROM `user` WHERE `username` = ? AND password = PASSWORD(?)";
$query = $connect->prepare($sql);
$query->bindParam(1, $username, PDO::PARAM_STR);
$query->bindParam(2, $password, PDO::PARAM_STR);
if($query->execute() && $query->rowCount()){
$hash = $query->fetch();
if ($password == $hash['password']){
if($newpassword == $confirmnewpassword) {
$sql = "UPDATE `user` SET `password` = PASSWORD(?) WHERE `username` = ?";
$query = $connect->prepare($sql);
$query->bindParam(1, $newpassword, PDO::PARAM_STR);
$query->bindParam(2, $username, PDO::PARAM_STR);
if($query->execute()){
echo "Password Changed Successfully!";
}else{
echo "Password could not be updated";
}
} else {
echo "Passwords do not match!";
}
}else{
echo "Please type your current password accurately!";
}
}else{
echo "Incorrect username";
}
}

你的第一个主要问题是你对strip_tags的使用,我不确定是谁告诉你在输入时这样做的,但这是一种非常糟糕的做法。 如果在密码输入上去除标签,则会降低使用<的任何密码的安全性。

strip_tags('A<dsf$tgee!'); // a strong password of 'A<dsf$tgee!' becomes a weak password of 'A'.

此条件也永远不会计算为 true:

$password == $hash['password']

密码通过MySQL的PASSWORD((函数进行哈希处理,因此纯文本$password永远不会与MySQL中的密码列匹配。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium