The password is hashed before being inserted to the database.
I have got the registration form done fine. It works as intended. When the user loses/forgets their password, I have a forgotten pass page where they enter their email address. I send them an email with a link inside which I pass the username and id through the url and use the $_GET global to retrieve them on that page. From there, I select the existing password from the database depending on the id being matched but I don't know how to replace the password with the new password.
This is the code from recoverpass.php (which is the action file of the form to enter your email to change pass):
/*FUNCTION TO GENERATE A NEW PASSWORD FOR THE USER. RETURNS A NEW PASSWORD TO THE CALLING CODE*/
function get_new_pass(){
$chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$size = strlen($chars);
$length = 8;
if(!isset($email)){
$_SESSION['no_email'] = "Please fill in the form.";
header("Location: password_recovery.php");
}
else{
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){//IF IT IS NOT A VALID EMAIL...
$_SESSION["email"] = "Email is not valid";//CREATE SESSION TO USE IN index.php AS ERROR MESSAGE.
header("Location: index.php");//LOCATE USER TO index.php
}
else{
require("connectdb.php");//CONNECT TO DATABASE AND SELECT DATABASE.
$sql = mysql_query("SELECT * FROM members WHERE email='{$email}'");//SELECT EVERYTHING FROM MEMBERS TABLE ONLY WHERE email TABLE FIELD MATCHES THE USER INPUT EMAIL.
$count = mysql_num_rows($sql);//COUNT HOW MANY ROWS WERE MATCHED.
if($id && $get_user){
$to = $email;//STORED EMAIL IN VARIABLE
$sub = "Deus Ex Demo Upload/Download - Password Recovery";//EMAIL SUBJECT FIELD.
$body = "<p class='lucida'>Hello, {$get_user}<br /><br />";//EMAIL BODY CONTENT.
$body .= "You have received this email because you have lost/forgotten your password.<br />";
$body .= "Please visit the link below to reset your password.";
$body .= "<a href='reset_pass.php?id=".urlencode($id)."&user=".urlencode($get_user)."'>Reset Your Password</a>";
$body .= "Kind Regards,<br />";
$body .= "<span class='blue'>Labtec</span></p><br />";
$headers = "From: labtec@dxdu.com\r\n" . "X-Mailer: php";
$headers .= "Reply-To: labtec@dxdu.com\r\n";
$headers .= "Return-Path: labtec@dxdu.com\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($to, $sub, $body, $headers)){
$_SESSION['pass_sent'] = "Password Recovery Successful. You will shorty receive an email confirming your password.";
//header("Location: index.php");
}
else{
$_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
Sorry for any inconvenience.";
//header("Location: password_recovery.php");
}
}
else{
$_SESSION['pass_not_reset'] = "There was an error sending your password via email. Please contact the site administrator.
Sorry for any inconvenience.";
//header("Location: password_recovery.php");
}
}
else{//IF NO EMAILS WERE MATCHED IN THE TABLE
$_SESSION['invalidemail'] = "Invalid Email Address";//CREATE SESSION TO USE IN pass_rec.php
//header("Location: password_recovery.php");//LOCATE USER TO pass_rec.php
}
}
}
?>
This is reset_pass.php, (which is also used as the action file for the form):
PHP Code:
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
require("connectdb.php");
$sql = mysql_query("SELECT password FROM members WHERE id='{$id}'");
if(!$sql){
$_SESSION['select_query'] = "Query Failed.";
header("Location: reset_pass.php");
}
else{
$qry = mysql_query("INSERT $pass INTO members");
}
}
else{
$_SESSION['enter_value'] = "Please enter an email address into the field before proceeding.";
header("Location: reset_pass.php");
}
?>
</div>
<!--FOOTER CONTENT-->
<div id="footerDiv">
<img src="images/hkbanner.jpg" alt="HunterKillerz Clan Logo" title="HunterKillerz Clan Logo" id="hk" border="0" />
<div id="hkDiv">
<a href="http://z3.invisionfree.com/HunterKillerz/index.php?act=idx" id="clanLink" target="_blank">[HK]Hunter Killers Forum</a><br />
<p id="visit">Please visit [HK]'s Official Clan Forums.</p>
<p id="designer">Site designed by <span id="labtec">[HK]Labtec</span></p>
</div>
<p class="footP">Please visit the links to the right as they are all Deus Ex related with some good resources to help get you setup.
Feel free to email me and suggest any links to be added to the footer.</p>
<a href="http://www.dxalpha.com/" target="_blank">
<img src="images/alphalogo.gif" alt="Alpha Logo" title="Alpha Logo" class="alpha" border="0" />
</a>
<a href="http://kentie.net/" target="_blank">
<img src="images/kentie.jpg" alt="Kentie Logo" title="Kentie Logo" class="kentie" border=" 0" />
</a>
<a href="http://thc.b1.jcink.com/index.php" target="_blank">
<img src="images/thclogo.jpg" alt="THC Clan Logo" title="THC Clan Logo" class="thc" border="0" />
</a>
</div>
</div>
</body>
</html>
My issue is located in the first else statement after the first query, i'm not sure how to replace that existing password. Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?
After you make sure you have the correct person and have in coded the new_pass, you do an UPDATE not an INSERT:
$query = "UPDATE members SET pass = '$new_pass' where WHERE email='{$email}'";
----------------------------------
Quote:
Also, do I need to do the first query, or can I just insert into the database without 'SELECTing' the pass first?
No need to get pass if it was forgotten,. If the pass word is being changed you should get the old pass as an added check that you have the right person.
Last edited by sunfighter; 07-16-2012 at 02:58 PM..
The Following 2 Users Say Thank You to sunfighter For This Useful Post:
Before you post, read our: 
