Thread: Forgot password

  1. #1 SitePoint Guru (joined Nov 2004, Sweden)

    Forgot password

    I did a very simple thing years ago and now I need it again, but it's not working.
    I just want the users to have their password e-mailed to them if they forgot it when logging in.

    I have one page called forgot.php with a form sending email to this page called forgotten.php

    PHP Code:
    <?php
    $email = $_POST['email'];
    $con = mysql_connect("localhost", "username", "password");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("database", $con);

    // $email is interpolated straight into the SQL string, so anyone posting
    // a crafted e-mail value controls the query.
    $r = mysql_query("SELECT user_pass, user_email FROM user_db WHERE user_email='$email'");
    // The original code ran mysql_query() a second time on this result handle,
    // which cannot work: mysql_query() takes an SQL string, not a resource.
    if (!$r) {
        print mysql_error();
        exit();
    }
    // The original checked mysql_affected_rows() here; that function counts rows
    // changed by INSERT/UPDATE/DELETE. For a SELECT use mysql_num_rows().
    if (mysql_num_rows($r) == 0) {
        print "<p>There is no user with this e-mail address in our system.</p><p>Please try again. <a href='forgot.php'>TRY AGAIN</a></p><p>Or set up an account. <a href='sign.php'>NEW ACCOUNT</a></p>";
        exit();
    } else {
        $row = mysql_fetch_array($r);
        $password = $row["user_pass"];   // stored and mailed in plaintext
        $email = $row["user_email"];

        $recipient = $email;
        $subject = 'Your password';
        $message = 'Here is the password you requested from our website: ' . $password;
        $headers = 'From: info@website.com' . "\r\n" . 'Reply-To: info@website.com' . "\r\n" . 'X-Mailer: PHP/' . phpversion();

        // The posted code built these variables but never called mail().
        mail($recipient, $subject, $message, $headers);

        print "An email containing the password has been sent to you.";
    }
    ?>

  2. #2 StarLion, Keeper of the SFL (joined Feb 2006, Atlanta, GA, USA)
    Well. There's a lot to discuss in that piece of code.
    #1: mysql is being deprecated. Suggest you move to mysqli or PDO
    #2: your input is not sanitized, leaving that code open to attack.
    #3: It's generally discouraged to let people guess emails to see if they're in your system. Better behavior would be to always say "If your email is in our system, an email has been sent to that address with instructions on how to reset your password", regardless of whether you sent anything or not. That way people can't figure out which users' emails are in your database.
    #4: You should be hashing the passwords one-way and, instead of sending them the password, either outright generate a new password for them, or do a staged-replace system where you send them an action-specific URL to reset the password. Never store passwords in plaintext.

    All that said, what exactly is the problem? (My first guess is mysql_affected_rows on a SELECT query, but let's have a bit more detail of the issue.)
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.
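The staged-replace flow described in points #1 to #4 above, written out as an added example (this is not StarLion's code or the original poster's, and it is not a library's API). It assumes a PDO connection with hypothetical credentials, a `users(id, email, password_hash)` table, a `password_resets(user_id, token_hash, expires_at)` table, and a reset page at an assumed URL; only the hash of the random token is stored, the response text never reveals whether the address exists, and the password is stored with `password_hash()` and never e-mailed.

```php
<?php
// Added example: token-based password reset with PDO prepared statements.
// Schema, DSN, credentials and the reset URL below are assumptions.
declare(strict_types=1);

function db(): PDO {
    // Hypothetical DSN/credentials. ERRMODE_EXCEPTION so failures are not silently ignored.
    return new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// Step 1: the form on forgot.php posts an e-mail address here.
function request_reset(PDO $pdo, string $email): string {
    // Bound parameter, never string concatenation (point #2).
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();

    if ($userId !== false) {
        // 32 random bytes -> 64 hex chars. The raw token goes only into the mail;
        // the database keeps a hash, so reading the table does not yield usable links.
        $token     = bin2hex(random_bytes(32));
        $tokenHash = hash('sha256', $token);
        $expires   = (new DateTimeImmutable('+1 hour'))->format('Y-m-d H:i:s');

        $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
        $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
            ->execute([$userId, $tokenHash, $expires]);

        $link = 'https://www.example.com/reset.php?token=' . $token;   // assumed URL
        mail($email, 'Password reset',
             "To choose a new password, open this link within one hour:\n$link",
             "From: info@website.com\r\nReply-To: info@website.com");
    }

    // Identical reply whether or not the address exists (point #3).
    return 'If your email is in our system, an email has been sent to that address '
         . 'with instructions on how to reset your password.';
}

// Step 2: the user follows the link and posts the token plus a new password.
function complete_reset(PDO $pdo, string $token, string $newPassword): bool {
    if (!preg_match('/^[0-9a-f]{64}$/', $token) || strlen($newPassword) < 12) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false;   // unknown, expired or already-used token
    }

    // One-way hash; the plaintext password is never stored (point #4).
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')->execute([$hash, $userId]);
    // Single use: drop the token as soon as it has been consumed.
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $pdo->commit();
    return true;
}

// Dispatch: forgotten.php receives the e-mail, reset.php receives token + password.
$pdo = db();
if (isset($_POST['email'])) {
    echo htmlspecialchars(request_reset($pdo, (string) $_POST['email']), ENT_QUOTES, 'UTF-8');
} elseif (isset($_POST['token'], $_POST['password'])) {
    echo complete_reset($pdo, (string) $_POST['token'], (string) $_POST['password'])
        ? 'Your password has been changed.'
        : 'This reset link is invalid or has expired.';
}
```

Login then compares the submitted password with `password_verify($submitted, $row['password_hash'])`; nothing in the database or the mail ever contains the password itself, and a leaked `password_resets` row only holds a hash of a token that expires within the hour.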

  3. #3 SitePoint Guru (joined Nov 2004, Sweden)
    Great input. I will definitely look at those things. Any suggestions on how to make this?
    I tried to Google for things on this, but couldn't find any good ones.
