BetterPHP

The non-existent community
https://betterphp.co.uk/board/

Forgot password and Reset Password Help

https://betterphp.co.uk/board/viewtopic.php?t=1626

Page 1 of 1

Forgot password and Reset Password Help

Posted: Sat Apr 28, 2012 5:07 pm
by Smg
ok i followed a tutorial on youtube to make these i edited them a bit to work with the user log in system that jacek made.
but the error i am having is that...
forgotpass.php = it changed the password but it wont allow me to login...
resetpass.php = it keeps saying wrong password when i put it in so is there anyway you can help me fix this?

Also i need this to work with jaceks login tutorials

here is the sources for those 2 pages.
forgotpass.php: 
<?php

include('core/init.inc.php');
$userid = $_SESSION['user_id'];
$username = $_SESSION['user_username'];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Forgot Password - Zerk-Xile</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="SHORTCUT ICON" href="ext/images/favicon.ico">
<link href="ext/css/stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
<img src="ext/images/background.jpg" class="background" />
	<!-- TemplateBeginEditable name="header" -->
	<center>
    <div class="header" id="header">
		<p><font size="10">Zerk-Xile</font></p>
	</div></center><!-- TemplateEndEditable -->
    <!-- TemplateBeginEditable name="content" -->
	<center>
    <div align="center" class="content" id="content">
		<?php
		
		if (!$username && !$userid){
			if ($_POST['resetbtn']){
				// get data from form
				$user = $_POST['user'];
				$email = $_POST['email'];
				
				if ($user){
					if ($email){
						if ( (strlen($email) > 7) && (strstr($email, "@")) && (strstr($email, ".")) ){
							
							$query = mysql_query("SELECT * FROM users WHERE user_username='$user'");
							$numrows = mysql_num_rows($query);
							if ($numrows == 1){
								// get info for account from database
								$row = mysql_fetch_assoc($query);
								$dbemail = $row['user_email'];
								
								// make sure email is correct
								if ($email == $dbemail){
									// generate random password
									$pass = rand();
									$pass = md5($pass);
									$pass = substr($pass, 0, 15);
									$password = md5(md5("kjfiufj".$pass."Fj56fj"));
									
									// update db with new pass
									mysql_query("UPDATE users SET user_password='$password' WHERE user_username='$user'");
									
									// make sure that the password was changed
									$query = mysql_query("SELECT * FROM users WHERE user_username='$user' AND user_password='$password'");
									$numrows = mysql_num_rows($query);
									if ($numrows == 1){
										
										// create email vars
										$webmaster = "admin@zerk-xile.info";
										$headers = "From: Smg<$webmaster>";
										$subject = "Your New Password";
										$message = "Hello, Your password has been reset. Your new password is below.\n";
										$message .= "Password: $pass\n";
										
										echo $pass."<br />";
										if ( mail($email, $subject, $message, $headers) ){
											
											echo "Your password has been reset and a email has been sent with your new password.";
										} else 
											echo "An error has occured and your email was not sent containing your new password.";
										
									} else
										echo "An error has occured and the password was not reset.";
									
								} else
									echo "The email entered was the wrong email address.";
							} else
								echo "The username was not found.";
							
							mysql_close();
						} else
							echo "Please enter a valid Email Address.";
					} else
						echo "Please enter your Email.";
				} else
					echo "Please enter your Username.";
			}
			echo "<form action='./forgotpass.php' method='post'>
			<table>
				<tr>
					<td>Username:</td>
					<td><input type='text' name='user' /></td>
				</tr>
				<tr>
					<td>Email:</td>
					<td><input type='text' name='email' /></td>
				</tr>
				<tr>
					<td></td>
					<td><input type='submit' name='resetbtn' value='Reset Password' /></td>
				</tr>
			</table>
			</form>";
		} else
			echo "Please logout to view this page.";
			
		?>
	</div></center><!-- TemplateEndEditable -->
</body>
</html>
resetpass.php: 
<?php

include('core/init.inc.php');
$userid = $_SESSION['user_id'];
$username = $_SESSION['user_username'];

?>
<html>
	<head>
		<title></title>
	</head>
	<body>
		<?php
		
			if ($_POST['resetpass']){
				// get form data
				$pass = $_POST['pass'];
				$newpass = $_POST['newpass'];
				$confirmpass = $_POST['confirmpass'];
				
				// make sure all data was entered
				if ($pass){
					if ($newpass){
						if ($confirmpass){
							if ($newpass === $confirmpass){
								$password = md5(md5("kjfiufj".$pass."Fj56fj"));
								
								// make sure pass is correct.
								$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
								$numrows = mysql_num_rows($query);
								if ($numrows == 1){
									//new password
									$newpassword = md5(md5("kjfiufj".$newpass."Fj56fj"));
									
									// update the db with new pass
									mysql_query("UPDATE users SET password='$newpassword' WHERE username='$username'");
									
									// make sure new password was changed
									$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$newpassword'");
									$numrows = mysql_num_rows($query);
									if ($numrows == 1){
										echo "Your password has been reset.";
									} else
										echo "a error occured and your password was not reset";
									
								} else
									echo "Your current password is incorrect.";
								
								mysql_close();
							} else 
								echo "Your new passwords did not match.";
						} else
							echo "You must confirm your new password.";
					} else
						echo "You must enter your new password.";
				} else
					echo "You must enter your current password.";
			}
			
			echo "<form action='./resetpass.php' method='post'>
				<table>
					<tr>
						<td>Current Password:</td>
						<td><input type='password' name='pass'></td>
					</tr>
					<tr>
						<td>New Password:</td>
						<td><input type='password' name='newpass'></td>
					</tr>
					<tr>
						<td>Confirm Password:</td>
						<td><input type='password' name='confirmpass'></td>
					</tr>
					<tr>
						<td></td>
						<td><input type='submit' name='resetpass' value='Reset Password'></td>
					</tr>
				</table>
			</form>";
		
		?>
	</body>
</html>

Re: Forgot password and Reset Password Help

Posted: Sat Apr 28, 2012 10:16 pm
by jacek
You should use functions, you should not echo huge chunks of HTML and you lookup what sql injection is, you should avoid insane nesting of if statements, you should keep the logic and output parts of your separate.

There are also far too many queries here. Maybe look for a better tutorial, or try having a go yourself.

The reason it is not working is most likely that you are not finding the user in the table, which error message do you get ? If none try adding the 
echo mysql_error();
after the query.

Re: Forgot password and Reset Password Help

Posted: Sun Apr 29, 2012 7:20 am
by janvier123
ALWAYS use 
mysql_real_escape_string
to clean your user's input, or you will be hacked!

http://php.net/manual/en/function.mysql ... string.php

Re: Forgot password and Reset Password Help

Posted: Sun Apr 29, 2012 7:58 pm
by Smg
ok i followed another tutorial i think is better and its not sending the email so what did i do wrong in the code to not make it send the email?

forgotpass.php: 
<?php
include('core/init.inc.php');

function error($msg) {
    ?>
    <html>
    <head>
    <script language="JavaScript">
    <!--
        alert("<?=$msg?>");
        history.back();
    //-->
    </script>
    </head>
    <body>
    </body>
    </html>
    <?
    exit;
}

function check_email_address($email) {
  if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
    return false;
  }

  $email_array = explode("@", $email);
  $local_array = explode(".", $email_array[0]);
  for ($i = 0; $i < sizeof($local_array); $i++) {
     if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
      return false;
    }
  }  
  if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) {
    $domain_array = explode(".", $email_array[1]);
    if (sizeof($domain_array) < 2) {
        return false;
    }
    for ($i = 0; $i < sizeof($domain_array); $i++) {
      if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
        return false;
      }
    }
  }
  return true;
}


if (isset($_POST['submit'])) {
	
	if ($_POST['forgotpassword']=='') {
		error('Please Fill in Email.');
	}
	if(get_magic_quotes_gpc()) {
		$forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword']));
	} 
	else {
		$forgotpassword = htmlspecialchars($_POST['forgotpassword']);
	}

	if (!check_email_address($_POST['forgotpassword'])) {
  		error('Email Not Valid - Must be in format of name@domain.tld');
	}
	
    $sql = "SELECT COUNT(*) FROM users WHERE user_email = '$forgotpassword'";
    $result = mysql_query($sql)or die('Could not find member: ' . mysql_error());
    if (!mysql_result($result,0,0)>0) {
        error('Email Not Found!');
    }

	$random_password=sha1(uniqid(rand()));
	
	$emailpassword=substr($random_password, 0, 8);
	
	$newpassword = sha1($emailpassword);
	
       	$query = sprintf("UPDATE `users` SET `user_password` = '%s' WHERE `user_email` = '$forgotpassword'",
                    mysql_real_escape_string($newpassword));
					
					mysql_query($query)or die('Could not update members: ' . mysql_error());

$subject = "Your New Password"; 
$message = "Your new password is as follows:
---------------------------- 
Password: $emailpassword
---------------------------- 
Please make note this information has been encrypted into our database 

This email was automatically generated."; 
                       
          if(!mail($forgotpassword, $subject, $message,  'FROM: Zerk-Xile <admin@zerk-xile.info>')){ 
				die ("Sending Email Failed, Please Contact Site Admin!"); 
          }else{ 
				mail($forgotpassword, $subject, $message,  'FROM: Zerk-Xile <admin@zerk-xile.info>');
                error('New Password Sent!.');
         } 
		
	}
	
else {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Forgot Password - Zerk-Xile</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="SHORTCUT ICON" href="ext/images/favicon.ico">
<link href="ext/css/stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
<img src="ext/images/background.jpg" class="background" />
	<!-- TemplateBeginEditable name="header" -->
	<center>
    <div class="header" id="header">
		<p><font size="10">Zerk-Xile</font></p>
	</div></center><!-- TemplateEndEditable -->
    <!-- TemplateBeginEditable name="content" -->
	<center>
    <div align="center" class="content" id="content">
			<form name="forgotpasswordform" action="" method="post">
        <table border="1">
          <tr>
		  <td colspan="2"><label>Forgot Password</label></td>
          </tr>
		  <tr>
            <td>Email Address:</td>
            <td><input name="forgotpassword" type="text" value="" id="forgotpassword" /></td>
          </tr>
          <tr>
            <td colspan="2" class="footer"><input type="submit" name="submit" value="Submit" class="mainoption" /></td>
          </tr>
        </table>
      </form>
</div></center><!-- TemplateEndEditable -->
</body>
</html>
<? } ?>
EDIT I FIXED IT.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited