Forgotten Password script - SIMPLE!



bucket
12-05-2009, 10:43 PM
I have coded this up.

It's a simple reset password script, for account management scripts:



<?php
session_start(); // Start Session (session_register() is deprecated and was not used, so it is dropped)

// This is displayed if all the fields are not filled in
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";

// Only read the field after checking it exists, otherwise PHP emits a notice
if (!isset($_POST['email_address'])) {
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>">
<label for="email_address">Email:</label>
<input type="text" title="Please enter your email address" name="email_address" size="30"/>
<input type="submit" value="Submit" class="submit-button"/>
</form>

<?php
}
elseif (empty($_POST['email_address'])) {
    echo $empty_fields_message;
}
else {
    // Convert to simple variables
    $email_address = $_POST['email_address'];

    mysql_connect("localhost", "DB_USER", "DB_PASSWORD") or die(mysql_error());
    mysql_select_db("DB_NAME") or die(mysql_error());

    // Escape after connecting, so the escaping matches the connection's character set
    $email_address = mysql_real_escape_string($email_address);
    $status = "OK";
    $msg = "";
    //error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
    if (!stristr($email_address, "@") OR !stristr($email_address, ".")) {
        $msg = "<p>Your email address is not in the correct format.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";
        $status = "NOTOK";
    }

    if ($status == "OK") {
        $query = "SELECT email,username FROM admin WHERE admin.email = '$email_address'";
        $st = mysql_query($query) or die(mysql_error());
        $recs = mysql_num_rows($st);
        if ($recs == 0) {
            echo "<p>Sorry your address is not there in our database. Please try again.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";
            exit;
        }
        $row = mysql_fetch_object($st);
        $em = $row->email; // the selected column is "email", not "email_address"; this is the address we mail to

        // Build an 8-character password from the allowed character set
        function makeRandomPassword() {
            $salt = "abchefghjkmnpqrstuvwxyz0123456789";
            $pass = ""; // must be initialised before characters are appended
            for ($i = 0; $i < 8; $i++) {
                $pass .= $salt[rand(0, strlen($salt) - 1)];
            }
            return $pass;
        }
        $random_password = makeRandomPassword();
        $db_password = md5($random_password);

        $sql = mysql_query("UPDATE admin SET password='$db_password'
            WHERE email='$email_address'") or die(mysql_error());

        $subject = "Your New Password";
        $message = "Hello, you have chosen to reset your password.

New Password: $random_password

http://www.yoursite.com/login
Once logged in you can change your password

Thanks!
Site admin

This is an automated response, please do not reply!";

        // Header lines are separated by exactly one CRLF. A literal line break inside
        // the string together with "\n" produced a blank line, which ends the header block.
        $headers = "From: yoursite.com Webmaster<admin@yoursite.com>\r\n" .
                   "X-Mailer: PHP/" . phpversion();
        mail($em, $subject, $message, $headers);
        echo "<p>Your new password has been sent! Please check your email!</p>";
    }
    else {
        echo $msg;
    }
}
?>

If your login doesn't use MD5 passwords then change this line:


$db_password = md5($random_password);
to

$db_password = ($random_password);

Very simple to use. :)

--

If you use this, I would be very pleased if you can click the Thank You button at the bottom right of this post.

Thank You.

PappaJohn
12-05-2009, 11:14 PM
So, any miscreant who happens by can mischievously reset the admin's password ... and this deserves 'thanks'?

And, you really shouldn't be coding forms that rely on javascript - not everybody browses with javascript enabled.

bucket
12-05-2009, 11:34 PM
The password would be reset and sent to the administrators email.

So other people will not be able to get it.

There is no JavaScript there, it's something simple and not major.

PappaJohn
12-05-2009, 11:56 PM
I didn't say the prankster would be able to get it, but nonetheless the admin's password has been reset. He won't be able to gain access until he reads his mail, and even then, he has to go in and reset his password even though he didn't request the change - causing him wasted, unnecessary effort.

No javascript?

<a class=\"two\" href=\"javascript:history.go(-1)\">here</a>
my bad, I guess.

bucket
12-06-2009, 12:00 AM
Okay, also he doesn't have to reset his password since it was already reset, all he needs to do is check his email for his new password.

Also, what should I add to make it prankster proof?
Should I add a Username textbox?

PappaJohn
12-06-2009, 12:03 AM
Okay, also he doesn't have to reset his password since it was already reset
Correct - to a password not of his choosing.

bucket
12-06-2009, 12:12 AM
Okay,
Also, what should I add to make it prankster proof?
Should I add a Username textbox?

PappaJohn
12-06-2009, 02:48 AM
Requiring a username would add little to no security.

One common method is to record the request, together with a secure, random token. You send an email that contains a link which includes the token. When the user clicks the link, you verify the token, generate the random password and email it to the user. As added security, you can require the user to change the generated password on their first visit.

There are quite a few tutorials on the subject.
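The flow PappaJohn describes above, written out as an added example that is not part of this thread and not any poster's code. It is PHP 7+ using PDO with an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension is loaded); the table and column names (admin, email, password, reset_token_hash, reset_expires) and the sample account are invented for the example. The point it demonstrates is the one raised in the thread: submitting the form changes nothing until the emailed token is presented, and only the holder of that token completes the reset.

```php
<?php
// Added example (not from the thread): token-based password reset.
// Schema and sample data below are constructed for the example.
const TOKEN_TTL_SECONDS = 3600;

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

function setupDatabase(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (
        email TEXT PRIMARY KEY,
        password TEXT NOT NULL,
        reset_token_hash TEXT,
        reset_expires INTEGER)');
    $stmt = $db->prepare('INSERT INTO admin (email, password) VALUES (?, ?)');
    $stmt->execute(['admin@example.com', password_hash('original-secret', PASSWORD_DEFAULT)]);
    return $db;
}

// Step 1: record the request. Only a hash of the token is stored, so reading the
// table does not yield usable tokens. The caller shows the same message whether
// or not the address exists, so the form cannot be used to enumerate accounts.
// The raw token is returned only because this demo stands in for the email.
function requestReset(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT email FROM admin WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetch() === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG, unlike rand()
    $update = $db->prepare('UPDATE admin SET reset_token_hash = ?, reset_expires = ? WHERE email = ?');
    $update->execute([hash('sha256', $token), time() + TOKEN_TTL_SECONDS, $email]);
    return $token;
}

// Step 2: the emailed link is followed. Verify the token in constant time and
// check expiry, then generate the new password, store its hash, and clear the
// token so the link cannot be used twice.
function completeReset(PDO $db, string $email, string $token): ?string {
    $stmt = $db->prepare('SELECT reset_token_hash, reset_expires FROM admin WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['reset_token_hash'] === null) {
        return null;
    }
    if ((int)$row['reset_expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['reset_token_hash'], hash('sha256', $token))) {
        return null;
    }
    $newPassword = bin2hex(random_bytes(6)); // generated only now, never before verification
    $update = $db->prepare('UPDATE admin SET password = ?, reset_token_hash = NULL, reset_expires = NULL WHERE email = ?');
    $update->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    return $newPassword; // would be emailed; the user is then required to change it
}

function passwordIsValid(PDO $db, string $email, string $candidate): bool {
    $stmt = $db->prepare('SELECT password FROM admin WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($candidate, $hash);
}

// Walk-through
$db = setupDatabase();
$email = 'admin@example.com';

// Anyone submitting the form changes nothing: the old password still works
$token = requestReset($db, $email);
check(passwordIsValid($db, $email, 'original-secret'), 'request alone leaves password intact');

// A wrong token is rejected and the password is still unchanged
check(completeReset($db, $email, str_repeat('0', 64)) === null, 'wrong token rejected');
check(passwordIsValid($db, $email, 'original-secret'), 'password intact after rejected token');

// Only the holder of the emailed token completes the reset
$newPassword = completeReset($db, $email, $token);
check($newPassword !== null && passwordIsValid($db, $email, $newPassword), 'new password works');
check(!passwordIsValid($db, $email, 'original-secret'), 'old password retired');

// The link is single-use
check(completeReset($db, $email, $token) === null, 'token cannot be reused');
echo "token-based reset flow OK\n";
```

Run it with the php CLI; it prints the final line only if every check passes. Storing the SHA-256 of the token rather than the token itself, and comparing with hash_equals, are the two details most often skipped in tutorials on this flow.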

seco
12-06-2009, 04:33 AM
I didn't say the prankster would be able to get it, but nonetheless the admin's password has been reset. He won't be able to gain access until he reads his mail, and even then, he has to go in and reset his password even though he didn't request the change - causing him wasted, unnecessary effort.

No javascript?

<a class=\"two\" href=\"javascript:history.go(-1)\">here</a>
my bad, I guess.

That's just a back button.

seco
12-06-2009, 04:34 AM
bucket, just add in a secret question and answer field.

Zangeel
12-06-2009, 09:17 AM
Wow, this is the most blatant plagiarism I've ever seen.

Note this topic:
http://www.codingforums.com/showthread.php?t=183771

Now scroll down:
http://www.codingforums.com/showthread.php?p=896088#post896088

So bucket, you ask if the script that the OP made is "fixed", then you ask the simplest of questions. Are you seriously trying to pass yourself off as a php coder?

Even the most novice php coder would look at this syntax and LAUGH


$db_password = ($random_password);

bucket
12-06-2009, 01:44 PM
Yep, I fixed it and changed a few things.


