2013-11-28 138 views
0

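My change-password script is not working

When I submit, the data is not updated in the database. I want the changed password to be converted with MD5 before it is sent to the database. Here is my code, pasted below.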

<?php 
//* 
// teacher_change_password.php 
// Teachers Section 
// Form to change password 
//* 

//Check if teacher is logged in 
session_start(); 
if(!isset($_SESSION['UserID']) || $_SESSION['UserType'] != "T") 
    { 
    header ("Location: index.php?action=notauth"); 
    exit; 
} 

//Initialize database functions 
include_once "ez_sql.php"; 
//Include global functions 
include_once "common.php"; 

// Include configuration 
include_once "configuration.php"; 

$tfname=$_SESSION['tfname']; 
$tlname=$_SESSION['tlname']; 
$user_id=$_SESSION['UserId']; 
$action=get_param("action"); 

if($action=="update"){ 
    $tpass=tosql(get_param("password"), "Text"); 
    $tpass=md5($tpass); 
    $sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'"; 
    $db->query($sSQL); 
}else{ 
    $sSQL="SELECT web_users_password FROM web_users WHERE web_users_id='". $user_id ."'"; 
    $tpass=$db->get_var($sSQL); 

}; 

?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 

<html xmlns="http://www.w3.org/1999/xhtml"> 

<head> 
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> 
<title><?php echo _ADMIN_MAIN_MENU_TITLE?></title> 
<style type="text/css" media="all">@import "student-teacher.css";</style> 
<link rel="icon" href="favicon.ico" type="image/x-icon"><link rel="shortcut icon" href="favicon.ico" type="image/x-icon"> 
<SCRIPT language="JavaScript"> 
/* Javascript function to submit form and check if field is empty */ 
function submitform(fldName) 
{ 
    var f = document.forms[0]; 
    var t = f.elements[fldName]; 
    if (t.value!="") 
    f.submit(); 
    else 
    alert("You have to enter a value !"); 
} 
</script> 
<script type="text/javascript" language="JavaScript" src="sms.js"></script> 
</head> 

<body> 
<?php include "teacher_header.php"; ?> 
<div id="Header"> 
<table width="100%"> 
    <tr> 
    <td width="50%" align="left"><font size="2">&nbsp;&nbsp;<?php echo date(_DATE_FORMAT); ?></font></td> 
    <td width="50%"><?php echo _WELCOME?>, <?php echo $tfname. " " .$tlname; ?></td> 
    </tr> 
</table> 
</div> 
<div id="Content"> 
    <?php 
    if($action=="update"){ 
    ?> 
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_SUCCESSFUL?></h1> 
    <?php 
    }else{ 
    ?> 
    <h1><?php echo _TEACHER_CHANGE_PASSWORD_TITLE?></h1> 
    <br> 
    <form name="changepass" method="POST" action="teacher_change_password.php"> 
    <input type="text" size="20" name="password" value="<?php echo $tpass; ?>" onchange="this.value=this.value.toLowerCase();"> 
    <br> 
    <input type="hidden" name="action" value="update"> 
    <a class="aform" href="javascript: submitform('password')"><?php echo _TEACHER_CHANGE_PASSWORD_UPDATE?></a>     
    </form> 
    <?php 
    }; 
    ?> 
</div> 
<?php include "teacher_menu.inc.php"; ?> 
</body> 

</html> 
+0

You should call `tosql` on the result of `md5`, not on the parameter. – Barmar

Answers

0

First, from the page code, it appears that $db is not set. Also, I'm pretty sure the line:

$sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'"; 

is vulnerable to SQL injection, in $user_id

+0

The database details are called from configuration.php. Can you provide better, more secure code for this line: $sSQL="UPDATE web_users SET web_users_password='". $tpass ."' WHERE web_users_id='". $user_id ."'"; – sunil

+0

Take a look at this answer: http://stackoverflow.com/a/60496/1742813 –

0

I strongly recommend reading Safe Password Hashing

Don't use MD5; it is not secure, and PHP provides better ways to do this.
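
An added example, not part of the original post or its answers, that combines the advice from both answers: a bound-parameter UPDATE in place of string concatenation, and password_hash()/password_verify() in place of md5(). It assumes PDO with the SQLite driver instead of the question's ez_sql wrapper; the function names and the row with id 7 are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite stands in for the real server.
// Table and column names follow the question; PDO is an assumption.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output can grow with future algorithms: keep the column wide.
    $pdo->exec('CREATE TABLE web_users (web_users_id INTEGER PRIMARY KEY,
        web_users_password VARCHAR(255) NOT NULL)');
    $pdo->exec("INSERT INTO web_users VALUES (7, 'placeholder')");
    return $pdo;
}

// Hash with password_hash() and bind both values, so neither the password
// nor the id is ever concatenated into the SQL text.
function change_password(PDO $pdo, int $userId, string $newPassword): bool
{
    if ($newPassword === '') {
        return false;
    }
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE web_users SET web_users_password = :hash WHERE web_users_id = :id');
    $stmt->bindValue(':hash', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1; // false when no row matched the id
}

// Login-side check: the stored hash carries its own salt and algorithm id.
function check_password(PDO $pdo, int $userId, string $candidate): bool
{
    $stmt = $pdo->prepare('SELECT web_users_password FROM web_users WHERE web_users_id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($candidate, $hash);
}

// The question checks $_SESSION['UserID'] but reads $_SESSION['UserId'];
// array keys are case-sensitive, so take the id from one key consistently.
$pdo = demo_db();
var_dump(change_password($pdo, 7, "pa'ss\"word")); // quotes in input are harmless here
var_dump(check_password($pdo, 7, "pa'ss\"word"));
var_dump(change_password($pdo, 999, 'no-such-user'));
```

Because the hash is salted and one-way, the form should not prefill the password field with the stored value as the question's page does.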