
Problem with user system reset password

Posted: Thu Nov 12, 2015 4:49 am
by tiaz1988
I have a problem with my user system's password reset.
When I enter my email to reset the password, I get the mail with the random password string.
It changes to the random password in the database too, but when I try to log in with the random password, I can't log back in. Why? I've checked whether I have some error in the code, and it looks fine.
I've watched the tutorial at the same time to see if I have missed anything, and everything looks fine.
Please help me!

Here is my code for those functions from the user.inc.php file:
[syntax=php]
function email_exists($email)
{
    $email = mysql_real_escape_string($email);

    $total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `user_email` = '{$email}'");

    return (mysql_result($total, 0) == '1') ? true : false;
}

function new_password($email)
{
    $email = mysql_real_escape_string($email);

    $charset = array_flip(array_merge(range('a', 'z'), range('A', 'Z'), range(0, 9)));

    $new_password = implode('', array_rand($charset, 15));

    $sql = "UPDATE `users` SET `user_password` = '{$new_password}' WHERE `user_email` = '{$email}'";

    mysql_query($sql);

    $body = <<<EMAIL

Hi dear member!

This is an automated email, please DO NOT replay to this.

You have sent a requset for new password at dcoyofficial.com.

Please, click the following link below to reset your password:

{$new_password}

EMAIL;

    mail($email, 'Reset password', $body, 'From: admin@dcoyofficial.com');
}[/syntax]

And here is the code from requestpassword page:
[syntax=php]
if(isset($_POST['email']))
{
    $errors = array();

    if(empty($_POST['email']))
    {
        $errors[] = "<p class='errors'>The email field is requried.</p>";
    }

    if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false)
    {
        $errors[] = "<p class='errors'>The email address you entered doesn't appear to be valid.</p>";
    }
    else
    {
        if(email_exists($_POST['email']) === false)
        {
            $errors[] = "<p class='errors'>There is no user with that email address.</p>";
        }
    }

    if(empty($errors))
    {
        new_password($_POST['email']);

        echo "Your new password has been sent to {$_POST['email']}";
    }
}[/syntax]

Here is the code for the link to requestpassword page from login.php
[syntax=xhtml]
<a href="requestpassword.php"><span class="loginForgotPassword">FORGOT YOUR PASSWORD?</span></a>
[/syntax]

Note!

The problem may be due to the "setcookie" feature?

Take care!

Re: Problem with user system reset password

Posted: Thu Nov 12, 2015 11:39 am
by Temor
The first thing that comes to mind is password hashing. I don't believe the rest of your login system stores the passwords in plain text in the database, but the reset password function will do that.

If you try to log in using a function that compares a given password to a password hash in the database, but you're storing the plain text, they won't match.

You would have to hash the new password before you add it to the database, in the same way you would when the user first registers.

Example:
[syntax=php]
$new_password = sha1($new_password);
$sql = "UPDATE `users` SET `user_password` = '{$new_password}' WHERE `user_email` = '{$email}'";[/syntax]
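
The mismatch described in this reply, as an added example that is not part of the original posts or the tutorial's code: the reset path has to apply the same hashing step as registration, or the login comparison fails. It assumes PHP 7+ and swaps in `password_hash()`/`password_verify()` for the `sha1()` call shown above; the in-memory `$users` array, the function names and `member@example.com` are constructed for illustration.

```php
<?php
// Constructed in-memory stand-in for the `users` table; all names here are hypothetical.
$users = array();

function register_user(array &$users, $email, $password)
{
    // Registration stores a salted hash, never the password itself.
    $users[$email] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, $email, $password)
{
    // Login checks the submitted password against the stored hash.
    return isset($users[$email]) && password_verify($password, $users[$email]);
}

function random_password($length = 15)
{
    // random_int() draws from the OS CSPRNG; characters may repeat.
    $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $charset[random_int(0, strlen($charset) - 1)];
    }
    return $password;
}

function reset_password_plain(array &$users, $email)
{
    // Failure mode from the thread: the stored value is the plain text.
    $new_password = random_password();
    $users[$email] = $new_password;
    return $new_password;
}

function reset_password_hashed(array &$users, $email)
{
    // Same hashing step as registration; only the email carries the plain text.
    $new_password = random_password();
    $users[$email] = password_hash($new_password, PASSWORD_DEFAULT);
    return $new_password;
}

register_user($users, 'member@example.com', 'original-secret');
$mailed_plain = reset_password_plain($users, 'member@example.com');
var_dump(login($users, 'member@example.com', $mailed_plain));   // login after plain-text reset
$mailed_hashed = reset_password_hashed($users, 'member@example.com');
var_dump(login($users, 'member@example.com', $mailed_hashed));  // login after hashed reset
```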

Re: Problem with user system reset password

Posted: Tue Nov 17, 2015 6:14 pm
by killfrog47
Temor wrote: The first thing that comes to mind is password hashing. I don't believe the rest of your login system stores the passwords in plain text in the database, but the reset password function will do that.

If you try to log in using a function that compares a given password to a password hash in the database, but you're storing the plain text, they won't match.

You would have to hash the new password before you add it to the database, in the same way you would when the user first registers.

Example:
[syntax=php]
$new_password = sha1($new_password);
$sql = "UPDATE `users` SET `user_password` = '{$new_password}' WHERE `user_email` = '{$email}'";[/syntax]
I just replied to the other post you made, lol. Looks like Temor is on top of things here =P Ignore my other post!