Everything posted by paddy_fields

  1. There are lots of tutorials online to choose from... http://www.google.co.uk/search?q=ajax+jquery+tutorial
  2. You could use AJAX to deal with the request as it allows you to remain on the same page. I'd recommend using jQuery to make the AJAX request too, it makes it a lot more straightforward to code.
  3. Use unlink() to delete a file.

         $filename = "myfile.txt";
         unlink($filename);
  4. Actually, you were missing a closing bracket in your form. Try this:

         <?php // Request-derived values are HTML-escaped before being echoed into attributes. ?>
         <form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
         <div class="fieldGroup">
           <label class="grey" for="password">Password: </label>
           <input class="field" type="password" name="password" id="password"/>
           <br>
           <label class="grey" for="confirmpwd"> Confirm Password: </label>
           <input class="field" type="password" name="confirmpwd" id="confirmpwd"/>
           <br>
           <input type="hidden" name="subStep" value="3" />
           <input type="hidden" name="user_id" value="<?= htmlspecialchars($securityUser=='' ? $_POST['user_id'] : $securityUser, ENT_QUOTES, 'UTF-8'); ?>" />
           <input type="hidden" name="security_key" value="<?= htmlspecialchars($_GET['email']=='' ? $_POST['security_key'] : $_GET['email'], ENT_QUOTES, 'UTF-8'); ?>"/>
           <div class="fieldGroup">
             <input class="bt_login" type="button" value="Reset" onClick="return resetformhash(this.form,this.form.password,this.form.confirmpwd);" style="margin-left: 150px;"/>
           </div>
           <div class="clear"> </div>
         </form>
         </div>
  5. As the regformhash was failing, it wasn't sending any information. EDIT: read my comment at the end of the previous page
  6. Well that means that you are meeting the conditions of the if statement, and therefore your function is not being called...

         if (strcmp($_POST['password'],$_POST['confirmpwd']) != 0 || trim($_POST['password']) == '') {
             $error = true;
             $show = 'recoverForm';
         } else {
             $error = false;
             $show = 'recoverSuccess';
             updateUserPassword($_POST['p'], $_POST['user_id'], $_POST['security_key']);
         }

     Your 'recoverForm' is being shown. This means that when you post your form, either $_POST['password'] or $_POST['confirmpwd'] is NULL. So your form isn't working. I think that it may be your onclick that's the problem... it should be

         onClick="return resetformhash(this.form,this.form.password,this.form.confirmpwd);"
  7. Thanks, that's good to know. I'm going to design the plugins so that they can be implemented without any fuss. I've been reading up on the security side and the method below seems good enough to stop people accessing the plugins directly.

         //at the top of the plugin
         <?php if (!defined('PLUGIN')) exit; ?>

         //before the plugin include
         <?php define('PLUGIN', true); ?>

     Then a conditional statement such as my previous post should keep anyone from messing with the script. Of course I need to be careful with the form/script that updates the database with new plugin purchases. I'm thinking a moat and drawbridge should do it!
  8. Sorry there was a syntax error in my code

         function updateUserPassword($password, $user_id, $security_key) {
             global $mysqli;
             if (checkEmailkey($security_key ,$user_id) === false) return false;
             if (empty($error_msg)) {
                 // Create a random salt
                 $salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
             }
             // Debug
             echo "password = ".$password;
             echo "<br>";
             echo "user id = ".$user_id;
             echo "<br>";
             echo "security key = ".$security_key;
             echo "<br>";
             echo "salt = ".$salt;
             echo "<br>";
             exit;
         }

     Looking through your code, why have you changed 'pw0' and 'pw1' to 'password' and 'confirmpwd'? This may be having an effect on another script that's being included, and hence causing your script to fail.
  9. You posted your entire code a few times on this thread so you can always just revert to that. But that is why you should backup frequently. As I said before, debug.

         function updateUserPassword($password, $user_id, $security_key) {
             global $mysqli;
             if (checkEmailkey($security_key ,$user_id) === false) return false;
             if (empty($error_msg)) {
                 // Create a random salt
                 $salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
             // Debug
             echo "password = ".$password;
             echo "<br>";
             echo "user id = ".$user_id;
             echo "<br>";
             echo "security key = ".$security_key;
             echo "<br>";
             echo "salt = ".$salt;
             echo "<br>";
             exit;
         }

     When you submit the new password, what does this output?
  10. Debug. On the part of your script where there is the SQL connection to your database, where the new password should be updated, echo out each of the values that should have been inserted. You need to see why the SQL update isn't working. Once you've found which variable is empty (which I'm guessing is the cause), work your way back and find out why.
  11. Well if the old password still works then it isn't updating the database at all. So we're trying to solve the wrong problem. You need to debug your code to work out why the new password is not being inserted into the database.
  12. It's just a notice, not an error. It's because you haven't defined $securityUser. But changing $_POST['pw0'] to $_POST['p'] wouldn't have caused that. Did you change anything else? Check if the password has been updated and if you can log in.
  13. It's this part that is the problem....

              // Create a random salt
              $salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
          }
          //we are submitting a new password (only for encrypted)
          if ($_POST['user_id'] == '' || $_POST['security_key'] == '') header("location: ../index.php");
          if (strcmp($_POST['pw0'],$_POST['pw1']) != 0 || trim($_POST['pw0']) == '') {
              $error = true;
              $show = 'recoverForm';
          } else {
              $error = false;
              $show = 'recoverSuccess';
              updateUserPassword($_POST['pw0'], $_POST['user_id'], $_POST['security_key']);
          }
          break;
          }

      You're creating a salt but by the looks of it, not using it. And as I mentioned before, the javascript appends a new hidden element before the form is submitted called 'p', so you don't want to be using $_POST['pw0'] here:

          updateUserPassword($_POST['pw0'], $_POST['user_id'], $_POST['security_key']);

      $_POST['p'] will be a hashed version of the password that the user enters. As mac_gyver says the processing of the password needs to be the same. Look at your registration page and copy the code that is used to process the password after the form has been submitted. Basically change:

          updateUserPassword($_POST['pw0'], $_POST['user_id'], $_POST['security_key']);

      to:

          updateUserPassword($_POST['p'], $_POST['user_id'], $_POST['security_key']);

      And it should work.
  14. I don't understand what you mean, can you expand on that?
  15. So what actually happens with your code so far... when the user enters their security question correctly does it allow them to then create a new password? And if so, when they enter a new password are you positive that it is entering a new password and salt into the database? Is your problem that when you then try to login, that the credentials won't allow you to login?
  16. You need to debug your code. Saying 'it doesn't work' isn't much use when trying to solve your issue. Post your password-reset script and let me have a look at what it does.
  17. No, you don't need to write a new function. What happens is when you click 'submit' on your login/register form, the javascript 'onclick' function takes your field called 'password'... hashes it, and then inserts a new field into your html form with the name (or id, I can't remember) of 'p' which is then used when the form is submitted. It also clears the contents of 'password'. This is so hackers can't grab the unhashed password when the headers are sent.

      If your login/register process is working as expected then you don't need to change anything too drastically when you are making a reset password script.

      My solution was to make a new table called 'members_verify', with two rows... 'member_id' and 'passcode'. When the user requests a change of password... check the email address is really a member's... and then generate a random passcode and insert this into the table along with the member_id.

      Then send the user an email link with the passcode as part of the address - so something like www.mywebsite.com/password-reset.php?passcode=2dkfjslekj34lk4j3lkjlkj3

      On 'password_reset.php' have a script that checks in members_verify whether that passcode exists, by using $_GET['passcode'] and looking in the database for a match, and if there is then allow them to update their password.

      If you have implemented the script to allow users to login/register, then the password reset method I have just described requires no adaptation to the formhash function to achieve what you are after.
  18. Man... that is so wrong. Just break up with the poor girl.
  19. Something to bear in mind from confusion I had when working with this script, the formhash sends the password as $_POST['p'] and not $_POST['password']. It does this so that the unhashed password is not sent via headers

          // ADD THE NEWLY CREATED ELEMENT TO THE FORM
          form.appendChild(p);
          p.name = "p";
          p.type = "hidden";
          p.value = hex_sha512(password.value);
  20. I've tried Googling for advice on this but I keep seeing conflicting ideas... time to ask the experts!

      I'm creating a CMS system. This is nearly completed and has all of the core functionality that my main client base will require. However over time I would like to develop and offer additional plugins/bolt-on features (that can be purchased additionally from the basic system).

      Could a 'plugin system' be as simple as just making a separate folder called 'plugins', and having each script in there separately as 'plugin1.php', 'plugin2.php' etc?

      I could then store in the database details of whether the user owns the plugin, and fetch this to a variable...

          if($plugin2==true){
              include('plugin/plugin2.php');
          }

      Is this really a good way of doing this? Any advice would be great.
  21. This should be in the CSS forum, but nevertheless you need to use the width property on the 'td' of the HTML table.

          .adsmanager_inner_box td {
              width: 100px;
          }
  22. Ok, thank you. Sorry I meant platform! He did sound quite fanboyish in the way he was telling me - it was just about him saying about the employability that struck me as odd.
  23. You need to use the individual social networks' plugins, and adapt them for your needs. For example, Facebook has a bunch here: https://developers.facebook.com/docs/plugins/follow-button/#!/docs/plugins
  24. I was in the pub last night and some guy was telling me about NodeJs, and how his company has stopped employing PHP developers altogether in favour of Node developers. The way he made it sound was essentially 'Why are you still using PHP?'. Is this a fair point of view to think that in the future NodeJs will be that big? I've tried to read up on it as much as I can, and I can see the features are attractive, but it doesn't immediately strike me as a language that could be used for large scale projects? He also said he'd beat me at pool. And didn't. So I question his authority.
  25. Hi again, Gristol. I'm trying to get your way working. At the moment I have the jobId being passed inside the function - onclick="AjaxShortlist(12)". How do I pass the jobId with your method? I can see you have 'var listId = $(this).attr('id');' but I don't understand what that is calling?