1. 首頁
  2. 問答
  3. 數據庫中的密碼字段更改爲0

數據庫中的密碼字段更改爲0

2016-03-21 53 views
0

此代碼不會更改登錄用戶的密碼,而會更改爲0,然後不允許我重新登錄。我瞭解md5不是最安全的,因爲這不會僅僅是一個項目的活躍網站。不過,我接受有關替代方案的建議。我在db中有兩個名爲password和password2的字段,它們在更改密碼後都需要更改。此外,錯誤消息不顯示。數據庫中的密碼字段更改爲0

<?php 
    session_start(); 
    if (!isset($_SESSION["user_login"])) { 
     header("Location: sign_up.php"); 
    } else { 
      $username = $_SESSION["user_login"]; 
    } 

    include ("connect.php"); 


    ?> 

    <?php 

    //Variables 

    if(isset($_POST['change_pass_submit'])){ 

    $oldpassword = $_POST['oldpassword']; 
    $newpassword1 = $_POST['newpassword1']; 
    $newpassword2 = $_POST['newpassword2']; 




     $pass_query = mysqli_query ($connect, "SELECT * FROM users WHERE email='$username'"); 
     while ($row = mysqli_fetch_assoc($pass_query)) { 

      $existing_pass = $row ['password']; 


      //Checking if md5 encrypted password matches 
      $md5_oldpassword = md5($oldpassword); 
      //check if the old password and the old password entered now match 
      if ($md5_oldpassword == $existing_pass){ 
       //check if the two new passwords match 
       if ($newpassword1 == $newpassword2) { 

        $md5_newpassword = md5($newpassword1); 
        $md5_newpassword2 = md5($newpassword2); 
        //Query to update the password 
        $password_update_query = mysqli_query($connect, "UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'"); 

        echo "Your password has now changed!"; 

        } 
        else{ 

         echo "Your new password and re entered password does not match. Please try again."; 
         } 
       } 
       else { 
        echo "Your old password does not match. Please try again."; 
        } 
      } 

     } 


    ?> 
    <div class="container"> 
    <h3> Change your Password: </h3> 
    <form action="" method="POST" enctype="multipart/form-data"> 
     <div class="form-group"> 
      <label for="oldpassword">Old Password:</label> 
      <input type="oldpassword" class="form-control" name="oldpassword" placeholder="Enter old password" > 
     </div> 
     <div class="form-group"> 
      <label for="newpassword1">New Password:</label> 
      <input type="newpassword1" class="form-control" name="newpassword1" placeholder="Enter new password" > 
     </div> 
     <div class="form-group"> 
      <label for="newpassword2">New Password:</label> 
      <input type="newpassword2" class="form-control" name="newpassword2" placeholder="Re-Enter new password" > 
     </div> 
     <center> 
     <button type="submit" class="btn btn-primary" name="change_pass_submit" style=" background-color:#337AB7; color:white;">Change Password</button> 
     </center> 

    </form> 
    </div>

來源

2016-03-21 N.Singh

+0

出於好奇,爲什麼你在表中存儲相同的值*兩次? – David

+0

...爲什麼MD5?你有沒有多次看過*「回到未來」? –

+0

@David在用戶註冊時進行驗證。 –

回答

2

您在查詢中有一個錯誤:

"UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'"

它應該是:

"UPDATE users SET password='$md5_newpassword', password2='$md5_newpassword2' WHERE email='$username'"


但是,在查詢中錯誤的是的大問題在這裏。最大的問題是,你的代碼是極不安全

  1. 它很容易受到sql injection
    惡意打算能做什麼他們喜歡與您的數據庫。您應該開始使用prepared statements(在PHP中查看PDO)。
  2. 您的密碼沒有正確散列!
    使用PHP的構建中的功能:password_hashpassword_verify代替md5(該md5散列算法是古老與它的幾個問題已被確定爲密碼散列,問題是,它的設計是快速快意味着它。 easy to crack。快速意味着專門的硬件可以做到350 billion guesses per second)。

來源

2016-03-21 18:07:45 Jacco

相關問題

 相關問題