I have been implementing 'md5' to provide basic security when saving passwords in the database.
When I test the code and enter the correct password that is stored in the database, plus two new matching passwords, the program outputs 'Old password do not match'.
I have read through the code looking for syntax errors, but I cannot find any, so I do not know what is causing the problem.
Any help is greatly appreciated, thanks.
<html>
<link rel="stylesheet" type="text/css" href="passwordChangeCSS.css">
</html>
<?php
session_start();
$user = $_SESSION['firstName'];
if ($user) {
    // if user is logged in
    // self-submitting form
    if (isset($_POST['submit'])) {
        // begin to change password
        // check fields
        $oldPassword    = $_POST['oldPassword'];
        $newPassword    = $_POST['newPassword'];
        $RepNewPassword = $_POST['RepNewPassword'];
        // check password against db
        $connectDB = mysqli_connect("localhost", "root", "") or die("cant connect"); // providing the database connection details and saving it as a variable
        mysqli_select_db($connectDB, "registration"); // database name
        $PassQuery = mysqli_query($connectDB, "SELECT password FROM users WHERE firstName='$user'") or die("query didnt work"); // sql query to select the password relevant to the current user
        $row = mysqli_fetch_assoc($PassQuery); // creates array
        $oldPasswordInDB = $row['password']; // saves the user's current password hash as a variable
        // checks old passwords
        $oldPasswordEncrypt = md5($oldPassword);
        if (($oldPasswordEncrypt) == ($oldPasswordInDB)) {
            // check two new passwords
            if ($newPassword == $RepNewPassword) {
                // if passwords match, success
                // change passwords in DB
                // update table, change password to new password
                $encryptNewPassword = md5($newPassword);
                $queryChange = mysqli_query($connectDB, "UPDATE users SET password='$encryptNewPassword' WHERE firstName='$user'");
                session_destroy(); // logs user out as they must log back in as they have created a new password
                die("your password has been successfully changed. You will now need to log back in. <a href='logIn.php'>Return</a> to the Log In page");
            } else {
                die("New passwords do not match."); // if the user's new passwords don't match each other, system dies and the user has to re-enter their passwords
            }
        } else {
            die("Old password do not match"); // if the old password the user input doesn't match the one in the database, system dies and the user has to re-enter their passwords
        }
    } else {
        // form for password change
        echo "
        <form class='passwordChange' action='' method='POST'>
        <h1>Password Change</h1>
        Old Password: <input required type='text' name='oldPassword' placeholder='Enter your old password' ><p>
        New Password: <input required type='password' name='newPassword' placeholder='Enter a new password' ><br/>
        Repeat new Password: <input required type='password' name='RepNewPassword' placeholder='Re-enter your new password' ><p>
        <input type='submit' name='submit' value='Change password'>
        </form>
        ";
    }
} else {
    die("you must be logged in to change your password"); // user must be logged in to change password as their password is linked to their account
}
?>
The easiest way to debug this is to add the following to the script just above `if (($oldPasswordEncrypt) == ($oldPasswordInDB)){` and see whether the output matches what you expect.
echo $oldPassword . "<br/>";
echo $newPassword . "<br/>";
echo $RepNewPassword . "<br/>";
echo $oldPasswordEncrypt . "<br/>";
echo $oldPasswordInDB . "<br/>";
Also watch out for any whitespace characters, tabs, newlines, etc.
On another note, you should not be using MD5 to store passwords.
Instead, you should use
$originalpassword = password_hash("password-goes-here", PASSWORD_DEFAULT);
Then, when you need to verify the password, use
if (password_verify("password-when-trying-to-login", $originalpassword)) {
echo "Password is valid!";
} else {
echo "Invalid password.";
}
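As an added example (not code from the question or from the answer above), here is the same change-password flow rebuilt around password_hash()/password_verify(), with prepared statements in place of the interpolated SQL. It assumes the same `users` table with `firstName` and `password` columns, and that `password` is wide enough for password_hash() output (VARCHAR(255)).

```php
<?php
// Added example (not from the question or answer): the change-password
// flow using password_hash()/password_verify() and prepared statements.
// Assumes a `users` table with columns firstName and password, where the
// password column is wide enough for password_hash() output (VARCHAR(255)).
session_start();

$user = $_SESSION['firstName'] ?? null;
if ($user === null) {
    die("you must be logged in to change your password");
}
if (!isset($_POST['submit'])) {
    exit; // form rendering omitted; same form as in the question
}

$oldPassword    = $_POST['oldPassword']    ?? '';
$newPassword    = $_POST['newPassword']    ?? '';
$repNewPassword = $_POST['RepNewPassword'] ?? '';

if ($newPassword !== $repNewPassword) {
    die("New passwords do not match.");
}

$db = mysqli_connect("localhost", "root", "", "registration") or die("cant connect");

// Parameterised SELECT: the user name is bound, never spliced into the SQL text.
$stmt = mysqli_prepare($db, "SELECT password FROM users WHERE firstName = ?");
mysqli_stmt_bind_param($stmt, "s", $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedHash);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

// password_verify() re-derives the salted hash and compares it in constant
// time, replacing the loose == comparison of md5() hex strings.
if (!$found || !password_verify($oldPassword, $storedHash)) {
    die("Old password does not match");
}

$newHash = password_hash($newPassword, PASSWORD_DEFAULT);
$stmt = mysqli_prepare($db, "UPDATE users SET password = ? WHERE firstName = ?");
mysqli_stmt_bind_param($stmt, "ss", $newHash, $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

session_destroy(); // force a fresh login with the new password
echo "Your password has been changed. Please <a href='logIn.php'>log in</a> again.";
```

Existing MD5 rows will not verify against password_verify(); users with such rows need to be re-hashed at their next successful login or forced through a reset.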