  1. #1
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    922
    Thanks
    76
    Thanked 29 Times in 29 Posts

    Replacing a password in a db.

    Hello

    I have a 'reset pass' ability on my website. I wanted to know how to replace an existing password with a newly entered one, by that user?

    Kind regards,

    LC.

  • #2
    Regular Coder Arcticwarrio's Avatar
    Join Date
    May 2012
    Location
    UK
    Posts
    721
    Thanks
    20
    Thanked 84 Times in 84 Posts
    Is the password stored as plain text or hashed?

    can you post the code from the page for creating a new user?

  • #3
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    922
    Thanks
    76
    Thanked 29 Times in 29 Posts
    The password is hashed before being inserted to the database.

    I have got the registration form done fine. It works as intended. When the user loses/forgets their password, I have a forgotten pass page where they enter their email address. I send them an email with a link inside which I pass the username and id through the url and use the $_GET global to retrieve them on that page. From there, I select the existing password from the database depending on the id being matched but I don't know how to replace the password with the new password.

    This is the code from recoverpass.php (which is the action file of the form to enter your email to change pass):
    PHP Code:
    <?php
    session_start();
    ?>
    <html>
    <head>
    <link rel="stylesheet" type="text/css" href="styles/email.css" />
    </head>
    </html>
    <?php
    //ACTION SCRIPT

    /*FUNCTION TO GENERATE A NEW PASSWORD FOR THE USER. RETURNS A NEW PASSWORD TO THE CALLING CODE*/
    function get_new_pass(){
        $chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $size = strlen($chars);
        $length = 8;
        $new_pass = "";//INITIALISE SO THE .= BELOW DOES NOT APPEND TO AN UNDEFINED VARIABLE
        for($i = 0; $i < $length; $i++){
            $new_pass .= $chars[rand(0, $size-1)];
        }
        return $new_pass;
    }


    /*FUNCTION TO SANITIZE USER INPUT. RETURNS USER INPUT STRIPPED OF ANY SPECIAL CHARACTERS*/
    function check_input($data) {
        $con = mysql_connect("localhost", "root", "");
        if(!$con){
            $_SESSION['connection_error'] = "Connection error directly in action script.";
            header("Location: index.php");
            exit;//STOP HERE, OTHERWISE THE REST OF THE SCRIPT STILL RUNS AFTER THE REDIRECT
        }
        $illegalChars = array('!','@','#','$','%','^','&','*','(',')','+','=','-','[',']','.',';',',','/','{','}','|','"',':','<','>','?','~','£');
        $data = str_replace($illegalChars, '', $data);
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data, ENT_QUOTES);
        $data = mysql_real_escape_string($data, $con);
        return $data;
    }

    //CHECK THE POSTED FIELD ITSELF; ONCE IT IS COPIED INTO $email, isset($email) IS ALWAYS TRUE
    if(!isset($_POST['email']) || $_POST['email'] === ''){
        $_SESSION['no_email'] = "Please fill in the form.";
        header("Location: password_recovery.php");
        exit;
    }
    else{
       $email = $_POST['email'];

       if(!filter_var($email, FILTER_VALIDATE_EMAIL)){//IF IT IS NOT A VALID EMAIL...
          $_SESSION["email"] = "Email is not valid";//CREATE SESSION TO USE IN index.php AS ERROR MESSAGE.
          header("Location: index.php");//LOCATE USER TO index.php
          exit;
       }
       else{
          require("connectdb.php");//CONNECT TO DATABASE AND SELECT DATABASE.
          $email = mysql_real_escape_string($email);//ESCAPE BEFORE INTERPOLATING INTO THE QUERY
          $sql = mysql_query("SELECT * FROM members WHERE email='{$email}'");//SELECT EVERYTHING FROM MEMBERS TABLE ONLY WHERE email TABLE FIELD MATCHES THE USER INPUT EMAIL.
          $count = mysql_num_rows($sql);//COUNT HOW MANY ROWS WERE MATCHED.

          if($count == 1){//IF EMAILS WERE MATCHED...
             $row = mysql_fetch_array($sql);
             $id = intval($row['id']);
             $get_user = $row['username'];//RETRIEVE USERNAME FROM DATABASE.

             if($id && $get_user){
                $to = $email;//STORED EMAIL IN VARIABLE
                $sub = "Deus Ex Demo Upload/Download - Password Recovery";//EMAIL SUBJECT FIELD.
                $body = "<p class='lucida'>Hello, {$get_user}<br /><br />";//EMAIL BODY CONTENT.
                $body .= "You have received this email because you have lost/forgotten your password.<br />";
                $body .= "Please visit the link below to reset your password.";
                $body .= "<a href='reset_pass.php?id=".urlencode($id)."&user=".urlencode($get_user)."'>Reset Your Password</a>";
                $body .= "Kind Regards,<br />";
                $body .= "<span class='blue'>Labtec</span></p><br />";
                $headers = "From: labtec@dxdu.com\r\n" . "X-Mailer: php\r\n";//EACH HEADER NEEDS ITS OWN \r\n
                $headers .= "Reply-To: labtec@dxdu.com\r\n";
                $headers .= "Return-Path: labtec@dxdu.com\r\n";
                $headers .= "MIME-Version: 1.0\r\n";
                $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

                if(mail($to, $sub, $body, $headers)){
                   $_SESSION['pass_sent'] = "Password Recovery Successful. You will shortly receive an email confirming your password.";
                   //header("Location: index.php");
                }
                else{
                   $_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
                                                  Sorry for any inconvenience.";
                   //header("Location: password_recovery.php");
                }
             }
             else{
                $_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
                                               Sorry for any inconvenience.";
                //header("Location: password_recovery.php");
             }
          }
          else{
             //IF NO EMAILS WERE MATCHED IN THE TABLE
             $_SESSION['invalidemail'] = "Invalid Email Address";//CREATE SESSION TO USE IN pass_rec.php
             //header("Location: password_recovery.php");//LOCATE USER TO pass_rec.php
          }
       }
    }
    ?>
    This is reset_pass.php, (which is also used as the action file for the form):
    PHP Code:
    <?php session_start(); ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
         <title>Deus Ex Demo Reset Password</title>
         <link rel="stylesheet" type="text/css" href="styles/main.css" />
    </head>
    <body>
    <div id="container">
        <a href="membersarea.php">
           <img src="images/mainbanner_v3.png" alt="DXDU Logo" id="logo" title="Deus Ex Demo Uploader Logo" border="0" />
        </a>

        <div id="passResetDiv">
             <p class="lucida" id="new_pass_p">Please enter your new password into the field below.</p>

             <!--KEEP THE id/user QUERY STRING ON THE ACTION URL, OTHERWISE $_GET IS EMPTY AFTER THE POST-->
             <form id="reset_pass_form" method="POST" action="reset_pass.php?<?php echo htmlspecialchars($_SERVER['QUERY_STRING']); ?>">
                 <p><label for="newpass" id="passLabel">Enter Password:</label><input type="password" name="newpass" id="newpass" size="30" maxlength="10" /></p>
                 <!--type="button" NEVER SUBMITS THE FORM; type="submit" DOES-->
                 <p><label for="submit"></label><input type="submit" name="submit" value="Proceed" /></p>
             </form>
             <?php

    function check_input($data) {
        $con = mysql_connect("localhost", "root", "");
        if(!$con){
            $_SESSION['connection_error'] = "Connection error directly in action script.";
            header("Location: index.php");
            exit;
        }

        $illegalChars = array('!','@','#','$','%','^','&','*','(',')','+','=','-','[',']','.',';',',','/','{','}','|','"',':','<','>','?','~','£');
        $data = str_replace($illegalChars, '', $data);
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data, ENT_QUOTES);
        $data = mysql_real_escape_string($data, $con);
        return $data;
    }

    //ONLY PROCESS WHEN THE FORM WAS ACTUALLY SUBMITTED; ON THE FIRST GET REQUEST JUST SHOW THE FORM
    if($_SERVER['REQUEST_METHOD'] == 'POST'){
        $pass = isset($_POST['newpass']) ? check_input($_POST['newpass']) : '';

        if($pass != ''){
            $id = intval($_GET['id']);
            $user = $_GET['user'];

            require("connectdb.php");
            $sql = mysql_query("SELECT password FROM members WHERE id='{$id}'");
            if(!$sql){
                $_SESSION['select_query'] = "Query Failed.";
                header("Location: reset_pass.php");
                exit;
            }
            else{
                //THIS IS THE LINE THE QUESTION IS ABOUT: AN INSERT ADDS A ROW, IT DOES NOT REPLACE THE EXISTING PASSWORD
                $qry = mysql_query("INSERT $pass INTO members");
            }
        }
        else{
            $_SESSION['enter_value'] = "Please enter a new password into the field before proceeding.";
            header("Location: reset_pass.php");
            exit;
        }
    }
    ?>
        </div>

        <!--FOOTER CONTENT-->
        <div id="footerDiv">
            <img src="images/hkbanner.jpg" alt="HunterKillerz Clan Logo" title="HunterKillerz Clan Logo" id="hk" border="0" />
            <div id="hkDiv">
                <a href="http://z3.invisionfree.com/HunterKillerz/index.php?act=idx" id="clanLink" target="_blank">[HK]Hunter Killers Forum</a><br />
                <p id="visit">Please visit [HK]'s Official Clan Forums.</p>
                <p id="designer">Site designed by <span id="labtec">[HK]Labtec</span></p>
            </div>
            <p class="footP">Please visit the links to the right as they are all Deus Ex related with some good resources to help get you setup.
                             Feel free to email me and suggest any links to be added to the footer.</p>
            <a href="http://www.dxalpha.com/" target="_blank">
                <img src="images/alphalogo.gif" alt="Alpha Logo" title="Alpha Logo" class="alpha" border="0" />
            </a>
            <a href="http://kentie.net/" target="_blank">
                <img src="images/kentie.jpg" alt="Kentie Logo" title="Kentie Logo" class="kentie" border="0" />
            </a>
            <a href="http://thc.b1.jcink.com/index.php" target="_blank">
                <img src="images/thclogo.jpg" alt="THC Clan Logo" title="THC Clan Logo" class="thc" border="0" />
            </a>
        </div>
    </div>
    </body>
    </html>
    My issue is located in the first else statement after the first query. I'm not sure how to replace that existing password. Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?

    Any help is greatly appreciated.

    Regards,

    LC.
    Last edited by LearningCoder; 07-16-2012 at 11:15 AM. Reason: Added another paragraph.

  • #4
    Senior Coder
    Join Date
    Jan 2011
    Location
    Missouri
    Posts
    4,092
    Thanks
    23
    Thanked 594 Times in 593 Posts
    After you make sure you have the correct person and have encoded the new_pass, you do an UPDATE not an INSERT:
    $query = "UPDATE members SET pass = '$new_pass' WHERE email='{$email}'";

    ----------------------------------

    Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?
    No need to get pass if it was forgotten. If the password is being changed you should get the old pass as an added check that you have the right person.
    Last edited by sunfighter; 07-16-2012 at 02:58 PM.

  • The Following 2 Users Say Thank You to sunfighter For This Useful Post:

    LearningCoder (07-16-2012), pagedrop (07-16-2012)
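The two halves of the flow discussed in this thread (post #3's emailed reset link and post #4's UPDATE of the stored password) put together in one runnable script. This is an added example, not code from the thread or from the site being built: it uses PDO with an in-memory SQLite database so it runs stand-alone (swap the DSN for MySQL), `password_hash()`/`password_verify()` in place of whatever hash the registration form uses, prepared statements instead of interpolating `$email`/`$id` into the query string, and a random single-use token in the link instead of the user id and username. The `members` columns and the `password_resets` table are assumptions; the sample user is constructed.

```php
<?php
// Added example (not the thread's code). Assumes a `members` table with id, username, email
// and password (a password_hash() string) columns; the `password_resets` table is created here.
// In-memory SQLite via PDO keeps it self-contained; change the DSN for a MySQL deployment.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, email TEXT UNIQUE, password TEXT)");
$db->exec("CREATE TABLE password_resets (member_id INTEGER, token_hash TEXT, expires_at INTEGER)");

// Constructed sample user, stored the way the registration form should store it: hashed, never plain.
$db->prepare("INSERT INTO members (username, email, password) VALUES (?, ?, ?)")
   ->execute(['labtec', 'labtec@example.com', password_hash('OldPassw0rd', PASSWORD_DEFAULT)]);

/* Step 1 (password_recovery.php / recoverpass.php): look the member up by email with a prepared
   statement, mint a random token, store only the token's hash plus an expiry, and put the raw
   token in the emailed link. The link carries neither the id nor the username. Returns null when
   the address is unknown; the caller should show the same generic message in both cases. */
function request_reset(PDO $db, string $email): ?string {
    $stmt = $db->prepare("SELECT id FROM members WHERE email = ?");
    $stmt->execute([$email]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not rand()
    $db->prepare("INSERT INTO password_resets (member_id, token_hash, expires_at) VALUES (?, ?, ?)")
       ->execute([$id, hash('sha256', $token), time() + 3600]);   // one-hour lifetime
    return "reset_pass.php?token=" . urlencode($token);
}

/* Step 2 (reset_pass.php): verify the token is known and unexpired, then UPDATE (not INSERT) the
   member's password hash and delete the token so the link cannot be replayed. Returns true on success. */
function complete_reset(PDO $db, string $token, string $newPassword): bool {
    if (strlen($newPassword) < 8) {
        return false;   // minimum-length policy; adjust to the site's rules
    }
    $stmt = $db->prepare("SELECT member_id FROM password_resets WHERE token_hash = ? AND expires_at > ?");
    $stmt->execute([hash('sha256', $token), time()]);
    $memberId = $stmt->fetchColumn();
    if ($memberId === false) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare("UPDATE members SET password = ? WHERE id = ?")
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $memberId]);
    $db->prepare("DELETE FROM password_resets WHERE member_id = ?")->execute([$memberId]);
    $db->commit();
    return true;
}

// Walk-through with the constructed user: request a link, pull the token out of it, then
// try a wrong token, the real token, and the real token a second time.
$link = request_reset($db, 'labtec@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
$token = $query['token'];

var_dump(complete_reset($db, 'not-the-token', 'NewPassw0rd!'));
var_dump(complete_reset($db, $token, 'NewPassw0rd!'));
var_dump(complete_reset($db, $token, 'NewPassw0rd!'));

$stored = $db->query("SELECT password FROM members WHERE email = 'labtec@example.com'")->fetchColumn();
var_dump(password_verify('NewPassw0rd!', $stored));
var_dump(password_verify('OldPassw0rd', $stored));
```

Running it shows the wrong token and the reused token both rejected, the real token accepted once, and the stored hash now matching only the new password. The SELECT of the old password that post #3 asks about is not needed on a forgotten-password reset; what stands in for "the right person" here is possession of the token that was mailed to the address on file.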

