我遵循this tutorial为我的网站创建了一个登录系统,到目前为止该系统运行良好。我完全按照步骤操作,创建了所需的所有文件等。用户以自己的身份登录后,可以毫无问题地更改密码。
但是,我现在创建了一个受保护的目录,该目录允许其他用户重置其他用户的密码(以防其他人忘记了他们的密码)。此代码如下:
(除了一些样式元素(例如,位于该代码其余部分上方的菜单栏),我已经包含了该页面的所有代码。虽然我知道这可能不是最好的方法,但我还是想确保我为您提供了尽可能多的信息。)
<?php
// Initialize the session
session_start();
// Check if user is logged in. If N, return to /login/
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: /login/");
exit;
} ?>
<!DOCTYPE html>
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>DAT Room Bookings</title>
<meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Scales to mobile -->
<link rel="stylesheet" type="text/css" href="style.css"> <!-- System style -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> <!-- Icons -->
<link href="https://fonts.googleapis.com/css?family=Lato&display=swap" rel="stylesheet"> <!-- System font -->
<link rel="stylesheet" href="scripts/lightbox2-2.11.1/src/css/lightbox.css" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <!-- Drop Down Images -->
<script src="scripts/lightbox2-2.11.1/src/js/lightbox.js"></script> <!-- Lightbox Images -->
</head>
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $username, $password, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div style="padding-left:25%; padding-right:25%; padding-top:10px">
<p><strong>User ID:</strong> <?php echo $id; ?></p>
<strong>Username:</strong> <input type="text" name="username" value="<?php echo $username; ?>" readonly /><br/>
<strong>Enter New Password: *</strong> <input type="text" name="password" value=""/><br/>
<p>* Required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
$password = mysql_real_escape_string(htmlspecialchars($_POST['password']));
$hashed = password_hash('$password', PASSWORD_DEFAULT);
// check that password fields are both filled in
if ($password == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $username, $password, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE users SET username='$username', password='$hashed' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$username = $row['username'];
$password = $row['password'];
// show form
renderForm($id, $username, $password, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>该表格正确显示,并提取用户的ID和用户名。我设置的密码哈希与在网站的更改密码功能中看到的密码哈希相同(使用默认值)。当我尝试重置其他用户的密码时,我在phpmyadmin中看到哈希值已更改,这意味着更改已正确通过。
但是,这就是问题所在,当该用户随后尝试使用新密码再次登录时,会被告知他们密码不正确。我并排查看了代码,但是我必须承认,作为PHP的新手,我几乎不知道本教程中大多数代码在做什么,这就是为什么我尝试创建此功能的原因我自己就是一个简化版本,可以执行此功能。
抱歉,如果这是一个直接的错误,但我真的听不懂。
您在此处将密码另存为
$hashed = password_hash('$password', PASSWORD_DEFAULT);
您不需要在$ password周围使用单引号。此外,您确定在登录页面中验证凭据时,是否使用了类似的逻辑?可能像
$user['password'] == password_hash($_POST['password'],PASSWORD_DEFAULT)
从数据库中检索$ user的位置。