I am writing a login form with php and mysql. Everything is done except the forgot password. The users puts his email and then gets a confirmation link on his email, but when he click on the confirmation an error ocurrs. Pleaseee help its urgent.
this is the mail function
function forgot_pass($confirm_code, $email){
$mail = new PHPMailer(true);
$mail->isSMTP(); // Set mailer to use SMTP
$mail->Host = 'smtp.gmail.com'; // Specify main and backup SMTP servers
$mail->SMTPAuth = true; // Enable SMTP authentication
$mail->Username = 'moviefoxbynk@gmail.com'; // SMTP username
$mail->Password = 'password'; // SMTP password
$mail->SMTPSecure = 'tls'; // Enable TLS encryption, `ssl` also accepted
$mail->Port = 587; // TCP port to connect to
$mail->SMTPOptions = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
)
);
$mail->addAddress($email);
$mail->setFrom("MovieFox@abv.bg");
$mail->Subject = "Welcome ot MovieFox";
$mail->Body = "Your Comfirmation link is http://localhost/moviefox/reset.php?email='.$email.'&confirm='.$confirm_code;)";
$mail->isHTML(false);
return $mail->send();
}
This is the reset.php, which has to be executed after the users clikes his confirmation link
<?php
/* The password reset form, the link to this page is included
from the forgot.php email message
*/
require 'db.php';
session_start();
// Make sure email and hash variables aren't empty
if( isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['confirm']) && !empty($_GET['confirm']))
{
$email = $mysqli->escape_string($_GET['email']);
$confirm_code = $mysqli->escape_string($_GET['confirm']);
// Make sure user email with matching hash exist
$result = $mysqli->query("SELECT * FROM `users` WHERE `email`='$email' AND `confirm`='$confirm_code'");
echo $email;
if ( $result->num_rows == 0 )
{
$_SESSION['message'] = "You have entered invalid URL for password reset!";
header("location: error.php");
}
}
else {
$_SESSION['message'] = "Sorry, verification failed, try again!";
header("location: error.php");
}
?>
<?php
</head>
<body>
<div class="form">
<div class="tab-content">
<div id="login">
<br>
<br>
<br>
<h1>Change your password</h1>
<form action="confirmpass.php" method="post" autocomplete="off">
<input type="password" required autocomplete="off" name="newpassword" placeholder="New Password"/>
<input type="password" required autocomplete="off" name="confirmpass" placeholder="Confirm new password"/>
<!---<p class="forgot"><a href="forgot.php">Forgot Password?</a></p>-->
<!-- This input field is needed, to get the email of the user -->
<input type="hidden" name="email" value="<?= $email?>">
<input type="hidden" name="confirm" value="<?= $confirm_code ?>">
<button class="btn btn-block btn-primary" name="submit" />Submit</button>
</form>
</div>
</div>
</div><!-- tab-content -->
</div> <!-- /form -->
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="js/index.js"></script>
</body>
</html>
And this is the confirmpass.php which has to be executes after the reset.
<?php
/* Password reset process, updates database with new user password */
require ("db.php");
session_start();
// Make sure the form is being submitted with method="post"
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Make sure the two passwords match
if ( $_POST['newpassword'] == $_POST['confirmpass'] ) {
$new_password = password_hash($_POST['newpassword'], PASSWORD_BCRYPT);
$confirm_code = $mysqli->escape_string($_POST['confirm']);
$email = $mysqli->escape_string($_POST['email']);
$result = "UPDATE `users` SET `password`='$new_password', `confirm`='$confirm_code' WHERE `email`='$email'";
if ( $mysqli->query($result) ) {
header("location: login.html");
}
}
else {
$_SESSION['message'] = " The two passwords you entered don't match, try again!";
header("location: error.php");
}
}
?>