Password recovery



Jon W
01-08-2008, 10:41 AM
OK, so I'm wondering: how would I set up a script to do password recovery? I understand how to check whether an email address that a person has submitted is in the database, but how would I get the username and password so I could send it in an email? This is what I have so far:

<?php
require_once("mydb.php");

if(isset($_POST['submit']))
{
    $query = mysql_query("SELECT email FROM register WHERE email='{$_POST['email']}'") or die('Database error: ' .mysql_error());

    $check = mysql_num_rows($query);

    if($check > 0)
    {

So pretty much I get to the if statement that checks whether there is an email address that the user has typed in, and then I get stuck. I know I need to use a mysql_query to get User Name and Password, but I don't know how I can select the User Name and Password for that account. If someone could guide me through this, it would be great.

Thanks in advance,
Jon W

Jon W
01-08-2008, 11:26 AM
This is what I came up with so far:

<?php

require_once("mydb.php");

if(isset($_POST['submit']))
{
    $query = mysql_query("SELECT email FROM register WHERE email='{$_POST['email']}'") or die('Database error: ' .mysql_error());

    $check = mysql_num_rows($query);

    if($check > 0)
    {
        $rows = mysql_fetch_assoc($query);

        while($rows = mysql_fetch_array($check))
        {
            $header = 'From: TopGameHQ' . "\r\n";
            $subject = 'Password Recovery';
            $message = "Hello, this is your User Name and password that you requested.\r\n\r\n".$rows['username']."\r\n".$rows['password']."";
            mail($_POST['email'], $subject, $message, $header);
        }
    }
    else
    {
        echo 'That email address is invalid.';
    }
}

?>

But this doesn't work. So I'm guessing I'm doing something wrong. Help would be nice. :)

Thanks
Jon W

StupidRalph
01-08-2008, 11:47 AM
How are your tables set up? Are the email addresses in a separate table from the username and password?

Jon W
01-08-2008, 11:53 AM
Nope. They are all in the same table.

CREATE TABLE `register` (
`id` int(11) NOT NULL auto_increment,
`ip` varchar(20) NOT NULL default '',
`username` varchar(255) NOT NULL default '',
`password` varchar(255) NOT NULL default '',
`email` varchar(255) NOT NULL default '',
`firstname` varchar(255) default '',
`lastname` varchar(255) default '',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=26 DEFAULT CHARSET=latin1;

~Jon W~

StupidRalph
01-08-2008, 12:04 PM
$query = mysql_query("SELECT username,password,email FROM register WHERE email='{$_POST['email']}'") or die('Database error: ' .mysql_error());

Then why not just select the "username" and "password" instead of the email? You don't actually need to select the email address at all.

You're also prone to SQL-injection if you're not sanitizing user input. ($_POST['email'])

And do you plan to send out more than ONE email at a time? I see you're using a while loop.

while($rows = mysql_fetch_array($check)) //you sure you don't mean $query?

Jon W
01-08-2008, 12:21 PM
Nope. I just didn't know any other way to use mysql_fetch_array. I'm new at programming PHP, so I just thought using a while($rows = mysql_fetch_array($query)) was the only way to echo it out. So by looking at your post, I've come up with this so far.

<?php

include("db.php");

if(isset($_POST['submit']))
{
    $query = mysql_query("SELECT firstname, lastname, email FROM register WHERE email='".mysql_real_escape_string($_POST['email'])."'") or die('Database error: ' .mysql_error());

    $check = mysql_num_rows($query);

    if($check > 0)
    {
        $header = 'From: TopGameHQ' . "\r\n";
        $subject = 'Password Recovery';
        $message = "Dear ".$query['username'].",\r\n\r\n This is your User Name and password that you requested.\r\n\r\n".$query['username']."\r\n".$query['password']."";
        mail($_POST['email'], $subject, $message, $header);
    }
    else
    {
        $msg = 'This is a invalid Email. Please check your spelling and try again.';
    }
}

?>

Now my only problem is that it's not getting the Username and Password and sending it in the email. What do you suggest?

StupidRalph
01-08-2008, 12:36 PM
You just have to add it to your SELECT query to also "select" the username and password.



SELECT `this_field`, `that_field`, `another_field` FROM `your_table` WHERE `this_field` = 'some criteria'; -- you need to select whatever fields you're going to end up using later on in your code...


You should also look into mysql_result() (http://www.php.net/mysql_result) for an alternate way to display results.

list($firstname, $lastname,$email) = mysql_fetch_row($query); //combining list() and mysql_fetch_row() is a quick way to store your database values into variables

aedrin
01-08-2008, 04:27 PM
but how would I get the username and password so I could send it in an email.

You should not even be able to get the password from the database. If you're storing it as cleartext you're not being secure.

Store them as hashes (sha, etc.) and when a user forgets their password, create a new one.

Sending their current password (if you are able to) is bad because if someone got access to their email, they could get passwords that work with other systems (users tend to use the same password).

Jon W
01-08-2008, 09:25 PM
So should it be more like it sends an email to their inbox, and then if they verify their email address, allows them to change their password? If that's the case, how would I make a link that would verify their email?

fl00d
01-08-2008, 10:29 PM
Have a key code randomly generated and store it in the database and then use it in the link.
ex:

To confirm your email, please go here: www.example.com/confirm.php?key=8dfh65347hgs34

Confirm.php would take the key from the URL and compare it to the database, and if it's found, perform the appropriate action.

Jon W
01-09-2008, 02:48 AM
How would I go about making a random key code, and how would the users get it?

fl00d
01-09-2008, 05:37 AM
Well I use rand() to generate a random number and then I hash it using MD5(). Perhaps not the best method but it works.
ex:

$key = md5(rand());

As for the users getting it, earlier you mentioned selecting their email and emailing them the info. Instead of their info, send the link.
ex:


$email = $_POST['email'];
// check to see if email exists
// sql / query... (set $emailExists from the query result)
if ($emailExists) {
    $confirmUrl = "http://www.site.com/confirm.php?key=" . $key;
    $message = "To reset your password, click the following link: " . $confirmUrl;
    // now mail it all
    mail($email, "Password Recovery", $message);
}
// else give error...


Hope this helps. This may be a bit unclear as I'm posting this from my Wii. (labor intensive :p)

PappaJohn
01-09-2008, 09:14 AM
uniqid() (http://us.php.net/manual/en/function.uniqid.php).

A suggested token from the manual:




<?php
// no prefix
$token = md5(uniqid());

// better, difficult to guess
$better_token = md5(uniqid(rand(), true));
?>
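
The reset-link flow discussed in the posts above, as an added example that is not any poster's code: the key comes from the operating system's CSPRNG rather than rand() or uniqid(), only its hash is stored, it expires, and it can be used once. It assumes PHP 7.1+ with pdo_sqlite (an in-memory SQLite database stands in for MySQL); the `password_resets` table, the function names and the sample address are hypothetical.

```php
<?php
// Added example: single-use, expiring reset token. The password_resets table,
// the function names and the sample account are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE register (id INTEGER PRIMARY KEY, email TEXT, password TEXT)");
$db->exec("CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)");
$db->prepare("INSERT INTO register (email, password) VALUES (?, ?)")
   ->execute(['jon@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Returns the token to e-mail, or null when the address is unknown.
function issueResetToken(PDO $db, string $email): ?string {
    $st = $db->prepare("SELECT id FROM register WHERE email = ?"); // bound parameter
    $st->execute([$email]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $db->prepare("DELETE FROM password_resets WHERE user_id = ?")->execute([$userId]);
    $db->prepare("INSERT INTO password_resets VALUES (?, ?, ?)")
       ->execute([$userId, hash('sha256', $token), time() + 3600]); // store only the hash
    return $token;
}

// Sets the new password if the token is known and unexpired, then consumes the token.
function redeemResetToken(PDO $db, string $token, string $newPassword): bool {
    $st = $db->prepare("SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > ?");
    $st->execute([hash('sha256', $token), time()]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return false;
    }
    $db->prepare("UPDATE register SET password = ? WHERE id = ?")
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare("DELETE FROM password_resets WHERE user_id = ?")->execute([$userId]);
    return true;
}

$token = issueResetToken($db, 'jon@example.com');
$link  = 'https://www.example.com/confirm.php?key=' . $token; // this link goes in the e-mail
var_dump(redeemResetToken($db, $token, 'new-secret'));  // first use of a valid token
var_dump(redeemResetToken($db, $token, 'again'));       // replay of a consumed token
var_dump(issueResetToken($db, 'nobody@example.com'));   // unknown address
```

On the request page, show the same response whether or not the address is registered, so the form cannot be used to test which e-mail addresses have accounts.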

JohnDubya
01-25-2008, 12:57 AM
I just found this code from another post on this forum, and I've started using it for my web app. I took out the lowercase L, the uppercase I, and the uppercase O, to reduce confusion. Hope it helps you too!


function RandomString() {
$pass = '';
$chars = array(
'1','2','3','4','5','6','7','8','9','0',
'a','A','b','B','c','C','d','D','e','E','f','F','g','G','h','H','i','j','J',
'k','K','L','m','M','n','N','o','p','P','q','Q','r','R','s','S','t','T',
'u','U','v','V','w','W','x','X','y','Y','z','Z');

$count = count($chars) - 1;

$microtime = microtime()*1000000;
settype($microtime, 'float');
srand($microtime);

for($i = 0; $i < 8; $i++) {
$pass .= $chars[rand(0, $count)];
}

return($pass);
}

PappaJohn
01-25-2008, 03:35 AM
A somewhat longer variation of JohnDubya's. This allows you to specify a random password length (between min/max constraints), minimum count of numeric characters, alphabetic characters, and optionally special chars.



<?php
function genPassword($min_len = 7, $max_len = 7, $min_numeric = 2, $min_alpha = 2, $min_special = 0, $allow_special = false)
{
// init
$numeric = array('1','2','3','4','5','6','7','8','9');
$alphabetic = array('a','A','b','B','c','C','d','D','e','E','f','F','g','G','h','H','i','j','J',
'k','K','L','m','M','n','N','o','p','P','q','Q','r','R','s','S','t','T',
'u','U','v','V','w','W','x','X','y','Y','z','Z');
$special = array('!', '@', '#', '$', '%', '=');
$password = array();
$char_count = 0;


// get required numerics
if ($min_numeric > 0)
{
for($i = 1; $i <= $min_numeric; $i++)
{
$password[] = $numeric[rand(0, count($numeric) - 1)];
$char_count++;
}
}


// get required alphabetics
if ($min_alpha > 0)
{
for($i = 1; $i <= $min_alpha; $i++)
{
$password[] = $alphabetic[rand(0, count($alphabetic) - 1)];
$char_count++;
}
}


// get required specials
if ($min_special > 0)
{
for($i = 1; $i <= $min_special; $i++)
{
$password[] = $special[rand(0, count($special) - 1)];
$char_count++;
}
}


// merge arrays
$chars = array_merge($numeric, $alphabetic);
if ($allow_special) $chars = array_merge($chars, $special);


// determine password length
if (($min_numeric + $min_alpha + $min_special) > $max_len)
{
$pwd_len = $min_numeric + $min_alpha + $min_special;
}
if ($min_len == $max_len)
{
$pwd_len = $min_len;
}
else
{
$pwd_len = rand($min_len, $max_len);
}


// get remaining characters
if ($pwd_len > $char_count)
{
for($i = $char_count + 1; $i <= $pwd_len; $i++)
{
$password[] = $chars[rand(0, count($chars) - 1)];
}
}


// shuffle password array
shuffle($password);

// done
return implode('', $password);
}
?>

To specify a particular password length (i.e., 7 chars), set $min_len and $max_len to 7.


