Cannot connect to MySQL database error

Time: 2012-05-26 11:41:34

Tags: php mysql database web

  

Possible duplicate:
  Getting MYSQL ERROR from my site

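I have hosted a bux site, CrimsonBux.Com. Everything in the script works great. There is only one problem, with the password recovery page http://crimsonbux.com/login.php?option=forgot. After entering an email address and the CAPTCHA on that page, the user is redirected to this page: http://crimsonbux.com/recover.php. On the recover.php page, the user gets an error. The errors are listed below.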

Warning: mysql_query() [function.mysql-query]: Access denied for user 'crimst1d'@'localhost' (using password: NO) in /home/crimst1d/public_html/recover.php on line 19

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/crimst1d/public_html/recover.php on line 19

Here my site cannot connect to the MySQL database. How do I connect it?

Here is my configuration of the recover.php page.

<?
/**********************************************************************************************************************************************
    ScriptBux Version 2.50 beta
    This Script has been created and coded by Gabrola and edited by hassan ahmady.
    If you find any bugs in the script report at support@thealternatif.info or contact hassan ahmady.
    Copywrite ScriptBux 2008;
    Please make donations if you use this sript for commercial use
    to My paypal account "bisnis-usd@plasa.com"
************************************************************************************************************************************************/

?>

<h3>Forgot Password</h3>
<?php
if($_POST)
{
  $code = $_POST["code"];
  $email = $_POST["email"];
  $emailx = mysql_query("SELECT COUNT(*) AS cnt FROM tb_users WHERE email='{$_POST['email']}'");
  $emailx = mysql_fetch_array($emailx);
  $emailx = $emailx["cnt"];
  $errormsg = false;
  if($_SESSION['string'] != $code)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The captcha was entered incorrectly.<br />";
  }
  if(!$code)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The captcha was entered incorrectly.<br />";
  }
  if(!$email)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> The email was not supplied.<br />";
  }
  if(!$emailx)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> No account was found with that email address.<br />";
  }
  if($_SESSION['next_reseptsend'] != 0)
  {
    $error = 1;
    $errormsg .= "<b>Error -</b> You have already made a password retrieval within the last 15 minutes.<br />";
  }
  $_SESSION['string'] = false;
  if($error)
  {
    print $errormsg."<br><br>";
  } else {
    $s = mysql_query("SELECT * FROM tb_users WHERE email='{$_POST['email']}'");
    $x = mysql_fetch_array($s);
    $_SESSION['next_reseptsend'] = 1;
    $message = "Hello {$x['username']},
    You requested to resend your account password a while ago.

    Account Username: {$x['username']}
    Account Password: {$x['password']}

    We hope you can have a good time earning your money again,

    Thanks,
    {$config['site_name']}";
    mail($x["email"],"Password Retrieval - ".$config["site_name"],$message,"From: mail@".$_SERVER['HTTP_HOST']);
    print "<b>Password Sent!</b><br />
    We have dispatched your password to your email address.<br />
    You can only make another account retrieval again in 15 minutes.<br />";
  }
}
?>

<div style="padding-left:25px;">
<form action="recover.php" method="post" name="resend">
<table>
<tr><td class="midtext">Your Email:</td><td><input type="text" name="email" size="25" class="form" autocomplete="off" value="<?=$_POST['email']?>"></td></tr>
<tr><td class="midtext" valign="top">Security Code:</td><td class="midtext"><img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();"><br /><span style="font-size:10px;">(Click to reload)</span><br /><input type="text" name="code" size="17" maxlength="" autocomplete="off" class="form"></td></tr>
<tr><td></td><td align="right"><input type="submit" value="Login" name="loginsubmit"  class="inputbox"></td></tr>
</table>
</form>
</div>

<?php

?>

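2 Answers:

Answer 0: (score: 1)

You need to add a user to your database, as well as a database that the script can connect to via mysql_connect and mysql_select_db.

Put this at the top of your script: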

mysql_connect('localhost', 'username', 'password');
mysql_select_db('database name');

Answer 1: (score: 0)

Here is how to fix the security hole. Change this:

$emailx = mysql_query("SELECT COUNT(*) AS cnt FROM tb_users WHERE email='{$_POST['email']}'");

to this:

$emailUntainted = mysql_real_escape_string($_POST['email']);
$emailx = mysql_query("
    SELECT COUNT(*) AS cnt
    FROM tb_users
    WHERE email='{$emailUntainted}'
");

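You have two to fix; do some reading and understand why this is necessary :)

Postscript: as @Esailija says, it is better to use PDO and prepared statements, but that requires you to learn more. Get this fix in quickly, then switch to PDO when you can.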
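
The PDO and prepared-statement approach mentioned in answer 1, combined with the explicit connection that answer 0 asks for, as an added example that is not part of either answer or of the ScriptBux code. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the function names `connect`, `countByEmail` and `findByEmail` are hypothetical, and the rows and inputs are constructed sample data.

```php
<?php
// Added example: the two tb_users lookups from recover.php, rewritten with
// PDO prepared statements over an explicitly opened connection.

// Assumption: SQLite in memory replaces MySQL here. On the real host the DSN
// would be of the form 'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
// with the database user and password as the 2nd and 3rd arguments.
function connect(): PDO
{
    return new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly, not with warnings
    ]);
}

// First lookup: how many accounts use this address. The value is bound as a
// parameter, so it is never parsed as part of the SQL text.
function countByEmail(PDO $pdo, string $email): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM tb_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn();
}

// Second lookup: fetch the matching row, or null when there is none.
function findByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT username, email FROM tb_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$pdo = connect();
$pdo->exec('CREATE TABLE tb_users (username TEXT, email TEXT)');
$pdo->exec("INSERT INTO tb_users VALUES ('alice', 'alice@example.com')");
$pdo->exec("INSERT INTO tb_users VALUES ('bob', 'bob@example.com')");

// Constructed inputs: a registered address, and a value containing quote
// characters that would change the query if it were interpolated.
$inputs = ['alice@example.com', "nobody@example.com' OR '1'='1"];
foreach ($inputs as $email) {
    $row = findByEmail($pdo, $email);
    printf("%-32s matches=%d user=%s\n",
        $email, countByEmail($pdo, $email), $row['username'] ?? '(none)');
}
```

Because the quoted input is bound as data, it is compared literally against the email column and matches no row.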