View Full Version : Replacing a password in a db.



LearningCoder
07-16-2012, 10:32 AM
Hello

I have a 'reset pass' ability on my website. I wanted to know how to replace an existing password with a newly entered one, by that user?

Kind regards,

LC.

Arcticwarrio
07-16-2012, 10:54 AM
Is the password stored as plain text or hashed?

Can you post the code from the page for creating a new user?

LearningCoder
07-16-2012, 11:09 AM
The password is hashed before being inserted to the database.

I have got the registration form done fine. It works as intended. When the user loses/forgets their password, I have a forgotten pass page where they enter their email address. I send them an email with a link inside which I pass the username and id through the url and use the $_GET global to retrieve them on that page. From there, I select the existing password from the database depending on the id being matched but I don't know how to replace the password with the new password.

This is the code from recoverpass.php (which is the action file of the form to enter your email to change pass):


<?php
session_start();
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="styles/email.css" />
</head>
</html>
<?php
//ACTION SCRIPT

/*FUNCTION TO GENERATE A NEW PASSWORD FOR THE USER. RETURNS A NEW PASSWORD TO THE CALLING CODE*/
function get_new_pass(){
    $chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $size = strlen($chars);
    $length = 8;
    $new_pass = "";//INITIALISE BEFORE APPENDING TO AVOID AN UNDEFINED VARIABLE NOTICE.

    //NOTE: rand() IS NOT A CRYPTOGRAPHICALLY SECURE GENERATOR.
    for($i = 0;$i < $length;$i++){
        $new_pass .= $chars[rand(0, $size-1)];
    }
    return $new_pass;
}


/*FUNCTION TO SANITIZE USER INPUT. RETURNS USER INPUT STRIPPED OF ANY SPECIAL CHARACTERS*/
function check_input($data) {

    $con = mysql_connect("localhost", "root", "");
    if(!$con){
        $_SESSION['connection_error'] = "Connection error directly in action script.";
        header("Location: index.php");
        exit;//STOP HERE SO THE CODE BELOW DOES NOT RUN WITHOUT A CONNECTION.
    }
    $illegalChars = array('!','@','#','$','%','^','&','*','(',')','+','=','-','[',']','.',';',',','/','{','}','|','"',':','<','>','?','~','');
    $data = str_replace($illegalChars,'',$data);
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES);
    $data = mysql_real_escape_string($data,$con);
    return $data;
}

$email = isset($_POST['email']) ? $_POST['email'] : null;//AVOID A NOTICE WHEN THE FIELD IS MISSING.

if(!isset($email)){
    $_SESSION['no_email'] = "Please fill in the form.";
    header("Location: password_recovery.php");
    exit;
}
else{

    if(!filter_var($email, FILTER_VALIDATE_EMAIL)){//IF IT IS NOT A VALID EMAIL...
        $_SESSION["email"] = "Email is not valid";//CREATE SESSION TO USE IN index.php AS ERROR MESSAGE.
        header("Location: index.php");//LOCATE USER TO index.php
        exit;
    }
    else{

        require("connectdb.php");//CONNECT TO DATABASE AND SELECT DATABASE.
        $safe_email = mysql_real_escape_string($email);//A VALID EMAIL CAN STILL CONTAIN A QUOTE, SO ESCAPE IT BEFORE USE IN SQL.
        $sql = mysql_query("SELECT * FROM members WHERE email='{$safe_email}'");//SELECT EVERYTHING FROM MEMBERS TABLE ONLY WHERE email TABLE FIELD MATCHES THE USER INPUT EMAIL.
        $count = mysql_num_rows($sql);//COUNT HOW MANY ROWS WERE MATCHED.

        if($count == 1){//IF EMAILS WERE MATCHED...

            $row = mysql_fetch_array($sql);
            $id = intval($row['id']);
            $get_user = $row['username'];//RETRIEVE USERNAME FROM DATABASE.

            if($id && $get_user){
                $to = $email;//STORED EMAIL IN VARIABLE
                $sub = "Deus Ex Demo Upload/Download - Password Recovery";//EMAIL SUBJECT FIELD.
                $body = "<p class='lucida'>Hello, {$get_user}<br /><br />";//EMAIL BODY CONTENT.
                $body .= "You have received this email because you have lost/forgotten your password.<br />";
                $body .= "Please visit the link below to reset your password.";
                $body .= "<a href='reset_pass.php?id=".urlencode($id)."&user=".urlencode($get_user)."'>Reset Your Password</a>";
                $body .= "Kind Regards,<br />";
                $body .= "<span class='blue'>Labtec</span></p><br />";
                $headers = "From: labtec@dxdu.com\r\n" . "X-Mailer: php\r\n";//EVERY HEADER LINE MUST END WITH \r\n.
                $headers .= "Reply-To: labtec@dxdu.com\r\n";
                $headers .= "Return-Path: labtec@dxdu.com\r\n";
                $headers .= "MIME-Version: 1.0\r\n";
                $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

                if(mail($to, $sub, $body, $headers)){
                    $_SESSION['pass_sent'] = "Password Recovery Successful. You will shortly receive an email confirming your password.";
                    //header("Location: index.php");
                }
                else{
                    $_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
Sorry for any inconvenience.";
                    //header("Location: password_recovery.php");
                }
            }
            else{
                $_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
Sorry for any inconvenience.";
                //header("Location: password_recovery.php");
            }
        }
        else{//IF NO EMAILS WERE MATCHED IN THE TABLE
            $_SESSION['invalidemail'] = "Invalid Email Address";//CREATE SESSION TO USE IN pass_rec.php
            //header("Location: password_recovery.php");//LOCATE USER TO pass_rec.php
        }
    }
}
?>


This is reset_pass.php, (which is also used as the action file for the form):


<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Deus Ex Demo Reset Password</title>
<link rel="stylesheet" type="text/css" href="styles/main.css" />
</head>
<body>
<div id="container">
<a href="membersarea.php">
<img src="images/mainbanner_v3.png" alt="DXDU Logo" id="logo" title="Deus Ex Demo Uploader Logo" border="0" />
</a>

<div id="passResetDiv">
<p class="lucida" id="new_pass_p">Please enter your new password into the field below.</p>

<form id="reset_pass_form" method="POST" action="reset_pass.php">
<p><label for="newpass" id="passLabel">Enter Password:</label><input type="text" name="newpass" id="newpass" size="30" maxlength="10" /></p>
<p><label for="submit"></label><input type="submit" name="submit" value="Proceed" /></p>
</form>
<?php

function check_input($data) {
    $con = mysql_connect("localhost", "root", "");
    if(!$con){
        $_SESSION['connection_error'] = "Connection error directly in action script.";
        header("Location: index.php");
    }

    $illegalChars = array('!','@','#','$','%','^','&','*','(',')','+','=','-','[',']','.',';',',','/','{','}','|','"',':','<','>','?','~','');
    $data = str_replace($illegalChars,'',$data);
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES);
    $data = mysql_real_escape_string($data,$con);
    return $data;
}

$pass = check_input($_POST['newpass']);

if(isset($pass)){
    $id = isset($_GET['id']) ? intval($_GET['id']) : 0;//CAST TO INTEGER SO THE VALUE IS SAFE TO PLACE IN THE QUERY.
    $user = isset($_GET['user']) ? $_GET['user'] : '';

    require("connectdb.php");
    $sql = mysql_query("SELECT password FROM members WHERE id='{$id}'");
    if(!$sql){
        $_SESSION['select_query'] = "Query Failed.";
        header("Location: reset_pass.php");
    }
    else{
        $qry = mysql_query("INSERT $pass INTO members");
    }


}
else{
    $_SESSION['enter_value'] = "Please enter an email address into the field before proceeding.";
    header("Location: reset_pass.php");
}

?>
</div>





<!--FOOTER CONTENT-->
<div id="footerDiv">
<img src="images/hkbanner.jpg" alt="HunterKillerz Clan Logo" title="HunterKillerz Clan Logo" id="hk" border="0" />
<div id="hkDiv">
<a href="http://z3.invisionfree.com/HunterKillerz/index.php?act=idx" id="clanLink" target="_blank">[HK]Hunter Killers Forum</a><br />
<p id="visit">Please visit [HK]'s Official Clan Forums.</p>
<p id="designer">Site designed by <span id="labtec">[HK]Labtec</span></p>
</div>
<p class="footP">Please visit the links to the right as they are all Deus Ex related with some good resources to help get you setup.
Feel free to email me and suggest any links to be added to the footer.</p>
<a href="http://www.dxalpha.com/" target="_blank">
<img src="images/alphalogo.gif" alt="Alpha Logo" title="Alpha Logo" class="alpha" border="0" />
</a>
<a href="http://kentie.net/" target="_blank">
<img src="images/kentie.jpg" alt="Kentie Logo" title="Kentie Logo" class="kentie" border=" 0" />
</a>
<a href="http://thc.b1.jcink.com/index.php" target="_blank">
<img src="images/thclogo.jpg" alt="THC Clan Logo" title="THC Clan Logo" class="thc" border="0" />
</a>
</div>
</div>
</body>
</html>


My issue is located in the first else statement after the first query, I'm not sure how to replace that existing password. Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?

Any help is greatly appreciated.

Regards,

LC.

sunfighter
07-16-2012, 02:54 PM
After you make sure you have the correct person and have encoded the new_pass, you do an UPDATE, not an INSERT:
$query = "UPDATE members SET password = '$new_pass' WHERE email='{$email}'";

----------------------------------


"Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?"

No need to get pass if it was forgotten. If the password is being changed you should get the old pass as an added check that you have the right person.
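
The reset flow from this thread with the UPDATE in place, as an added example that is not code from any poster: instead of putting the member id and username in the emailed link, it mails a random single-use token and stores only the token's hash. It assumes PHP 7+ with PDO; the `password_resets` table and both function names are hypothetical, and an in-memory SQLite database with constructed rows stands in for the real `members` table.

```php
<?php
// Added example: single-use reset token plus UPDATE through prepared statements.
// Assumptions (not from the thread): PDO, PHP 7+, a password_resets table.

function issue_reset_token(PDO $db, int $memberId): string {
    $token = bin2hex(random_bytes(32));   // unguessable value for the emailed link
    $db->prepare('DELETE FROM password_resets WHERE member_id = ?')->execute([$memberId]);
    $db->prepare('INSERT INTO password_resets (member_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$memberId, hash('sha256', $token), time() + 3600]);
    return $token;                        // only the hash is kept in the database
}

function reset_password(PDO $db, string $token, string $newPass): bool {
    $find = $db->prepare('SELECT member_id FROM password_resets WHERE token_hash = ? AND expires_at > ?');
    $find->execute([hash('sha256', $token), time()]);
    $memberId = $find->fetchColumn();
    $find->closeCursor();
    if ($memberId === false) {
        return false;                     // unknown, already used or expired token
    }
    $db->beginTransaction();
    // UPDATE replaces the stored hash; the old password is never selected.
    $db->prepare('UPDATE members SET password = ? WHERE id = ?')
       ->execute([password_hash($newPass, PASSWORD_DEFAULT), $memberId]);
    $db->prepare('DELETE FROM password_resets WHERE member_id = ?')->execute([$memberId]);
    $db->commit();
    return true;
}

// Constructed demo data (in-memory database, sample member).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)');
$db->exec('CREATE TABLE password_resets (member_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO members (username, email, password) VALUES (?, ?, ?)')
   ->execute(['demo_user', 'demo@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

$token = issue_reset_token($db, 1);       // would be mailed as reset_pass.php?token=...
var_dump(reset_password($db, 'forged-token', 'x'));      // a token that was never issued
var_dump(reset_password($db, $token, 'new-password'));   // the token from the email
var_dump(reset_password($db, $token, 'again'));          // the same token a second time
$stored = $db->query('SELECT password FROM members WHERE id = 1')->fetchColumn();
var_dump(password_verify('new-password', $stored));      // check the replaced hash
```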


