php检查当前密码错误

Question

由于某种原因，此代码未使用数据库检查当前密码，但它确实正确更改了密码。它还能够连接到我的数据库。它还可以检查新密码是否与确认新密码相同。这是正在运行的 php，这可能有什么问题：

<?php if(!defined('INCLUDE_CHECK')) header("Location: index.php"); ?>

<?php

/* irrelevant parts omitted */

if($_POST['submit']=='Change Password')
{
    // Checking whether the Change Password form has been submitted

    $err = array();
    // Will hold our errors


    if(!$_POST['password'] || !$_POST['newpassword'] || !$_POST['confirmpassword'])
        $err[] = 'All the fields must be filled in!';

    if(!count($err))
    {

        if($_POST['password'] != /* something should be here but i don't know what */)
            $err[] = 'Current password is incorrect!';

        if($_POST['newpassword'] != $_POST['confirmpassword'])
            $err[] = 'New passwords do not match!';

        if(!count($err))
        {           

            $pass = $_POST['confirmpassword'];

            mysql_query(
                            "UPDATE members 
                            SET pass='".md5($pass)."' 
                            WHERE id='{$_SESSION['id']}'"
                        );

            $_SESSION['msg']['change-password-success']='Success your password has been changed!';

        }       
    }

    if($err)
    $_SESSION['msg']['change-password-err'] = implode('<br />',$err);
    // Save the error messages in the session

    header("Location: change-password.php");
    exit;
}
?>

Answer 1

由于某种原因，这段代码没有检查数据库的当前密码，但它确实正确地更改了密码。

...这实际上是您的代码吗？还是您的问题措辞不当？

if($_POST['password'] != /* something should be here but i don't know what */)

因为不检查密码是有原因的...

还有：

它还可以连接到我的数据库并检查新密码是否与确认新密码相同。

不，它不是——它只是根据用户键入的其他字段检查密码——它没有对数据库进行任何检查：

if($_POST['newpassword'] != $_POST['confirmpassword'])
        $err[] = 'New passwords do not match!';

Answer 2

据我所知，您的脚本中没有任何地方可以调用数据库来检查现有记录...

$query = mysql_query("SELECT * FROM members WHERE id='{$_SESSION['id']}'");
$data = mysql_fetch_assoc($query);
if($data['pass'] == md5($_POST['confirmpassword'])){
echo "Old and new password matches";
}