I've created a code to change a password. Now it seem contain an error. When I fill in the form to change password, and click save the error message:
You forgot enter your userid!
Please try again.
I really don’t know what the error message means. Please guys. Help me fix it.
Here's is the code:
<?php # change password.php
//set the page title and include the html header.
$page_title = 'Change Your Password';
//include('templates/header.inc');
if(isset($_POST['submit'])){//handle the form
require_once('connectioncomplaint.php');//connect to the db.
//include "connectioncomplaint.php";
//create a function for escaping the data.
function escape_data($data){
global $dbc;//need the connection.
if(ini_get('magic_quotes_gpc')){
$data=stripslashes($data);
}
return mysql_real_escape_string($data);
}//end function
$message=NULL;//create the empty new variable.
//check for a username
if(empty($_POST['userid'])){
$u=FALSE;
$message .='<p> You forgot enter your userid!</p>';
}else{
$u=escape_data($_POST['userid']);
}
//check for existing password
if(empty($_POST['password'])){
$p=FALSE;
$message .='<p>You forgot to enter your existing password!</p>';
}else{
开发者_开发百科 $p=escape_data($_POST['password']);
}
//check for a password and match againts the comfirmed password.
if(empty($_POST['password1'])) {
$np=FALSE;
$message .='<p> you forgot to enter your new password!</p>';
}else{
if($_POST['password1'] == $_POST['password2']){
$np=escape_data($_POST['password1']);
}else{
$np=FALSE;
$message .='<p> your new password did not match the confirmed new password!</p>';
}
}
if($u && $p && $np){//if everything's ok.
$query="SELECT userid FROM access WHERE (userid='$u' AND password=PASSWORD('$p'))";
$result=@mysql_query($query);
$num=mysql_num_rows($result);
if($num == 1){
$row=mysql_fetch_array($result, MYSQL_NUM);
//make the query
$query="UPDATE access SET password=PASSWORD('$np') WHERE userid=$row[0]";
$result=@mysql_query($query);//run the query.
if(mysql_affected_rows() == 1) {//if it run ok.
//send an email,if desired.
echo '<p><b>your password has been changed.</b></p>';
//include('templates/footer.inc');//include the HTML footer.
exit();//quit the script.
}else{//if it did not run OK.
$message= '<p>Your password could not be change due to a system error.We apolpgize for any inconvenience.</p><p>' .mysql_error() .'</p>';
}
}else{
$message= '<p> Your username and password do not match our records.</p>';
}
mysql_close();//close the database connection.
}else{
$message .='<p>Please try again.</p>';
}
}//end of the submit conditional.
//print the error message if there is one.
if(isset($message)){
echo'<font color="red">' , $message, '</font>';
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Please don't store the actual password in the database. Create a hash of the password and store it. When a user logs in, hash the incoming password and check if it matches the hashed password for the user. See http://phpsec.org/articles/2005/password-hashing.html for more info.
Also, it would be more secure to store the userid in the session and retrieve it from there rather than getting it from the form. Even if the input is hidden on the page there are any number of ways that it could be substituted. It leaves you with a small hole in the application where, if one user knows another user's id and password, they can change it in an undetectable fashion. That is, the password could be changed despite the fact that you have no record of that user having logged in. Even when getting the user id from the form (or the url), always check that the data they are operating on is their own, not someone else's unless, of course, they are a user with sufficient privileges.
It means that you didn't send along userid
with your POST
parameters. Presumably, your form didn't include an element with name userid
. The error comes from this line:
if(empty($_POST['userid'])){
That error is displayed because of this test :
if(empty($_POST['userid'])){
$u=FALSE;
$message .='<p> You forgot enter your userid!</p>';
}
Which means the server doesn't receive a userid
field from the form.
I'm guessing you should make sure there is such a field in your form -- and it'll have to contain the userid
of the user for which you want to change the password.
Considering you probably don't want that field to be displayed, though, you'll use a hidden
input :
<input type="hidden" name="userid"
value="<?php echo htmlspecialchars(HERE THE USERID); ?>" />
According to your code it means that the userid
POST variable was empty. Verify the name of the field you use for it.
精彩评论