Php forgot password script [Closed]

Report
Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016
-
dm corporation
Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016
-
hello Everyone, my name is Marc Donald and I have a little problem with my forgot php script. In fact , I got the new random password in my mail but when I'm trying to login with that new password it does not work I don't know. I hope that I will found solution. Thanks
below is my code :
<?php include 'includes/header.php'; ?>
<?php
define('IN_SCRIPT', true);
// Start a session
//session_start();
include '../includes/settings.php';
if(isset($_SESSION['username']) == true )
{

header('location: index.php');
exit;
}



//Connect to the MySQL Database
include 'includes/settings.php';

//this function will display error messages in alert boxes, used for login forms so if a field is invalid it will still keep the info
//use error('foobar');
function error($msg) {


}

//This functions checks and makes sure the email address that is being added to database is valid in format.
function check_email_address($email) {
// First, we check that there's one @ symbol, and that the lengths are right
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i',$email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i', $local_array[$i])) {
return false;
}
}
if(preg_match('#^(([a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+\.?)*[a-z0-9!\#$%&\\\'*+/=?^_'{|}~-]+)@(([a-z0-9-_]+\.?)*[a-z0-9-_]+)\.[a-z]{2,}$#i', $email_array[0])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!preg_match("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}


if (isset($_POST['submit'])) {


if ($_POST['forgotpassword']=='') {
error('Please Fill in Email.');
}
if(get_magic_quotes_gpc()) {
$forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword']));
}
else {
$forgotpassword = htmlspecialchars($_POST['forgotpassword']);
}
//Make sure it's a valid email address, last thing we want is some sort of exploit!
if (!check_email_address($_POST['forgotpassword'])) {
error('Email Not Valid - Must be in format of name@domain.tld');
}
// Lets see if the email exists
$sql = "SELECT COUNT(*) FROM users WHERE email = '$forgotpassword'";
$result = mysql_query($sql)or die('Could not find member: ' . mysql_error());
if (!mysql_result($result,0,0)>0) {
error('Email Not Found!');
}

//Generate a RANDOM MD5 Hash for a password
$random_password=md5(uniqid(rand()));

//Take the first 8 digits and use them as the password we intend to email the user
$emailpassword=substr($random_password, 0, 8);

//Encrypt $emailpassword in MD5 format for the database
$newpassword = md5($emailpassword);

// Make a safe query
$query = sprintf("UPDATE 'users' SET 'password' = '%s'
WHERE 'email' = '$forgotpassword'",
mysql_real_escape_string($newpassword));

mysql_query($query)or die('Could not update users: ' . mysql_error());

//Email out the infromation
$subject = "Your New Password";
$message = "Your new password is as follows:
----------------------------
Password: $emailpassword
----------------------------
Please make note this information has been encrypted into our database

This email was automatically generated.";
$site_name = 'xxx';
$site_email = 'xxx';
if(!mail($forgotpassword, $subject, $message, "FROM: $site_name <$site_email>")){
die ("Sending Email Failed, Please Contact Site Admin! ($site_email)");
}else{
error('New Password Sent!.');
}

}


else {
echo'<br /><br /><br /><br />';

echo' <form name="forgotpasswordform" class="" action="" method="post">
<div>Please enter your email address to get a new password</div><br />
<tr>
<td>Email Address:</td>
<td><input name="forgotpassword" required="required" type="text" value="" id="forgotpassword" /></td>
</tr>
<tr>
<td colspan="2" class="footer"><input type="submit" name="submit" value="Submit" class="mainoption" /></td>
</tr>
</table>
</form></div>';

}
?>
<?php include 'includes/footer.php' ?>

<?php ob_end_flush(); ?>
Posts
13031
Registration date
Monday June 3, 2013
Status
Moderator
Last seen
October 11, 2019
1573
WOW, what a question.....Is this production, or beta?

If production, Who else is having this problem?

So, let me see, you have access to the script, but you are not certain where the script connects?

"$query = sprintf("UPDATE 'users' SET 'password' = '%s'
WHERE 'email' = '$forgotpassword'",
mysql_real_escape_string($newpassword));
"

So, where does the USERS table reside? Either you are failing to connect, or you are failing to update the USERS table with the newly created password in the variable - $strforgotpassword.

So, I would troubleshoot by gaining access to the DB and seeing the index of USERS!

IS your DB being connected to? I notice in your code that you check for all sort of server side stuff, but not if the DB makes a valid connection. Maybe you might want to give feedback if DB is not connected to.

Also, the browser may be injecting ascii codes for characters, therfore never finding a match. Also, I would suggest not making changes based on the email, but get the user ID from the email, and change the QUERY based on the ID, and not the email. Just an idea.



Check the DB is ONline.


//ark
-Moderator/Contributor
Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016

Hello , Thank you ac3mark for your reply, I am not sure that I am failing to update because I saw that the password change in the DB. I would like follow your idea about get the user ID from the email but I don't know how to do it you know I am a big beginner in PHP. Thanks again
Posts
13031
Registration date
Monday June 3, 2013
Status
Moderator
Last seen
October 11, 2019
1573
No problem..before you try to update the password, get the id with a Query that says something like "SELECT [ID] FROM tblUSERS WHERE EMAIL = $somestring".

Store the return value in a variable called intID (int - integer so that your code will be uniform).

The record would look like:
ID-------user-------email
845------Mark------mark@someemailaddress.com

So your query would return 845.

Now use your update to update the record with ID, and not the email:
UPDATE USERS SET PASSWORD = '$somerandom' WHERE ID=$intID.

Helpful note......

Do not store your password in the same table as your users. Make a seperate table that links ID with passwords, adn any other data you wish to store regarding password (last time loggged in, changed, ip of change....ie).

Second note....I really hope you are not storing your password in the table as plain language. So if I were to gain access to the DB, I would be able to see that User ID of 849 has a password of "PASSWORDXYZ". You should use a HASH - One way crypto-so you run the PASSWORDXYZ through YOUR HASH.PHP and HASH.PHP turns that plain word into another encrypted word , (IE. #JIFDJS&SKSHUUHHHHGG&HHSBBUH*UHHHKAJS).

Now, when you get a password, see if the two HASH.PHP returns match, if they do, then the password is the same, and access is gained.

I have a VERY SIMPLE HASH in ASP, if you wish to use as a template. I will share with you if you understand the techniques that I am describing to you.

Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016

Firstly Thanks for everything that you are doing for me, may God bless you. I will start with your indication and try it . Regarding to the password in DB I hashed by using sha1. Thanks you again . Please check your inbox I sent you a private message. thanks alot.
Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016

I tried what you shown me but still the same problem . My last request is can you please code one forgot password script for me ?
Posts
13031
Registration date
Monday June 3, 2013
Status
Moderator
Last seen
October 11, 2019
1573
Ok.... well one last question that was never answered; Is this production and broke, or beta and for a grade? If it is for your job and a production site is broke, I am concerned.

Let me know what situation it is?

I am going to tell you up front, I will not do homework....


You have to have echo statment and debuggin steps to break down each and every step in your code. Turn on a switch in your code that says "if I am in debugging, then display every ACK!"



Have fun....
Posts
329
Registration date
Monday December 15, 2008
Status
Member
Last seen
January 15, 2016

that's not a homework . Also they don't teach PHP in my School . it's for an attachement. Thanks I will do your last option to see what will happen