您的if語句和括號在代碼中非常混淆。我想我明白你想要做什麼,但是......但你應該真的通過你自己的代碼,並給一切正確的縮進。
我將您的代碼更改爲使用pdo
。
我爲舊用戶密碼添加了一個POST值,因爲即使它們已經登錄,您也應該在更新用戶密碼時真正驗證該值。您將需要爲此形式添加一個字段,它是正在發送。如果你不想使用它,你只需要從代碼中取出邏輯。
而且 - 我真的希望你不是以純文本形式存儲密碼。如果你是,請告訴我你的確切的PHP版本是在這篇文章下面的評論,我可以更新我的答案,以顯示你將如何去存儲和使用哈希密碼。不過,它確實取決於版本。
<?php
session_start();
$_POST['fname'] = 'fname';
$_POST['newpword'] = 'newpword';
$_POST['username'] = 'username';
$name = (isset($_POST['fname'])) ? $_POST['fname'] : die("\$_POST['fname'] is not set");
$newp = (isset($_POST['newpword'])) ? $_POST['newpword'] : die("\$_POST['newpword'] is not set");
$user = (isset($_POST['username'])) ? $_POST['username'] : die("\$_POST['username'] is not set");
// you should get the old password, too,
// so you can verify that it's the correct user
$_POST['oldpass'] = 'password';
$oldp = (isset($_POST['oldpass'])) ? $_POST['oldpass'] : die("\$_POST['oldpass'] is not set");
$pdo = new PDO("mysql:host=localhost;dbname=test", 'root', 'password');
$stmt = $pdo->prepare("SELECT password FROM admin WHERE fname=:fname AND username=:user");
$stmt->bindParam(':fname', $name);
$stmt->bindParam(':user', $user);
$success = $stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($success===false) {
print "an error occurred in the query <br/>".print_r($stmt->errorInfo(),true);
}
elseif ($success!==false && $result===false)
{
print "that username was not found in the database";
}
else
{
if ($result['password']==$oldp)
{
$stmt2 = $pdo->prepare("UPDATE admin SET password=:newp where fname=:fname");
/* You should really HASH this password before storing it*/
$stmt2->bindParam(':newp', $newp);
$stmt2->bindParam(':fname', $name);
$success2 = $stmt2->execute();
if ($success2!==false)
{
echo "Password change successfully";
echo"<br>";
echo"<a href=index.php> Click here to signin </a>";
}
else
{
print "an error occurred updating the password <br/>";
}
}
else
{
print "old password didn't match";
}
}
?>
1)該腳本容易受到sql注入的影響。 2)msyql_ *已棄用。使用mysqi或PDO .. – skrilled