petroz

PHP will prob be the most reliable method as not everyone has javascript enabled... You could do something like this.. Havent tested this as I refuse to run anything on a PC... Sorry! <?php $useragent = $_SERVER['HTTP_USER_AGENT']; $ie6 = "MSIE 6."; $is_ie6 = strpos($useragent,$ie6); if($is_ie6 == 'true'){ echo "Ooops, your feel into a time machine and are running IE6!"; }

I had todo this recently. Try something like this.. <?php $categories = mysql_fetch_array(mysql_query("SELECT DISTINCT `category` FROM (`blog_posts`)")); foreach ($categories as $category){ echo '<li><a href="http://example.com/blog/category/'.$category['category'].'">'.$category['category'].'</a></li>'; }

No.. I would recommend locking each question and answer to each user.. just make an additional field for question and answer for your user table...

Show them the question. Most people that can't remember their password might have trouble remembering their question...

I would recommend letting them choose a question and or setting their own.. As for the temp thing, your code snip would be fine.

This would take a few steps.. First, add three fields to your DB.. Question, Answer and temp. To support the security question add the question and answer input to your password reset script.. Next, for the temporary password, add some value to the temp field on `user` when the password is reset.. maybe "true". Tell the login script to check if the `temp` field is true or not.. if it is, send the user to a page where they have to reset their password. Understand?

redirect them to a page where they have to change their password..

Great! Captcha would not be a security question.. A security question would be similar to "Your Pets First Name." Basically, its a question that only the user would know the answer to. You wouldnt need to create a function for the new password. You could just do something like this. then update the database with it and email it to the user. <?php $time = time(); $random_number = rand(2,10); $temp_password = substr(md5($time * $random_number), 0, -25); echo $temp_password;

I setup a little test.. its working for me. Is it working for you? You could add some security questions for starters. Then if you wanted to add more, you could also create a temporary password that is sent to the email, and force the user to type that one in and change it on their next login...

It really depends on the server type. I know IIS makes it pretty easy to print, but with linux/apache, its almost impossible unless you write a socket. Check out http://php.net/manual/en/function.printer-write.php If anybody know's a built-in way to send the file to a linux/apache printer, please correct me! Also, googles working on something similar.. http://code.google.com/apis/cloudprint/docs/overview.html

Can you repost the final code you are using, I setup a test and I cant get the script to allow anything if the passwords dont match.

I think you should read a little about php sessions, before you protect pages with a string. http://www.php.net/manual/en/book.session.php

Awesome! Learning something everyday!

So this script is essentially open to anyone who can guess a username and password match. I wouldn't, recommend doing it this way, but here is a way to semi-secure the script and update the password. Again, I havent tested this, so it might have a error or two.. <?php $n=$_POST['uname']; $e=$_POST['email']; $p1 = $_POST['pass1']; $p2 = $_POST['pass2']; $referrer = $_SERVER['REFERRER']; //if form submitted if($_SERVER['REQUEST_METHOD'] == "POST"){ //check to see if passwords match if($p1 == $p2){ //db config stuff include('config.php'); //check to see if username and email exists $user_exists = mysql_num_rows(mysql_query("SELECT * FROM `user` WHERE `uname` = '$n' AND `email` = '$e'")); if($user_exists == 1){ //if there is one username and email pair //update the password $update_pass = mysql_query("UPDATE `user` SET `password` = '$p2' WHERE `uname` = '$n' AND `email` = '$e'"); echo "Successfully Updated"; } else { //cannot find 1 username and email pair echo 'Username and Email Pair does not exist. Go back and try again <a href="'.$referrer.'">here</a>'; } } else { //passwords do not match echo "Passwords Do Not Match"; echo 'Username and Email Pair does not exist. Go back and try again <a href="'.$referrer.'">here</a>'; } } ?> <form action="" method="post"> <input type="text" name="uname" id="uname" size="30"> <input type="text" name="email" id="email" size="30"> <input type="password" name="pass_1" /> <input type="password" name="pass_2" /> <input type="hidden" name="submitted" value ="yes" /> <input type="submit" name="submit" value="Change Password" /> </form>

you can set your variables to null if they are if(!isset($name)) { $name = 'NULL'; }

First... what is the sole purpose of this script.. Second, are you using sessions at all?

I defnintly do not recommend giving your users the ability to update the database this way.. If they can guess a uname and email pair, then can change other peoples passwords... But here is an update just updating the password field. <?php $n=$_POST['uname']; $e=$_POST['email']; if($_POST['submitted'] == 'yes' ) { if( $_POST['pass_1'] != $_POST['pass_2'] ) { // fields don't match, so do something to indicate the error . . . echo '<p>Passwords Do Not Match</p>'; } $pass = $_POST['pass_2']; // connect to the db include('config.php'); $query="select * from user where uname='$n' and email='$e' or die(mysql_error());"; $result=mysql_query($query); $row = mysql_fetch_array($result); if($result = 1) { //insert values into certain places $update_query = mysql_query("UPDATE `user` SET `pass` = '$pass' WHERE `uname` = '$n' AND `email` = '$e'"); } else { echo '<p>ERRRRRRROR!</p>'; } } ?> <form action="" method="post"> <input type="text" name="uname" id="uname" size="30"> <input type="text" name="email" id="email" size="30"> <input type="password" name="pass_1" /> <input type="password" name="pass_2" /> <input type="hidden" name="submitted" value ="yes" /> <input type="submit" name="submit" value="Change Password" /> </form>

Sorry.. didnt realize that was the entire script..

can you post your entire script?

Here is a little example. I havent actually ran this, but this is a dry version of what I am talking about... <?php //vars $id = $_GET['id']; //set the user id from the url if($_SERVER['REQUEST_METHOD'] == "POST"){ //if the update form has been submitted //get the form data $first = $_POST['first']; $last = $_POST['last']; //update the database $update = mysql_query("UPDATE `users` SET `first` = '$first', `last` = '$last' WHERE `id` = '$id'"); //load the form data $user = mysql_fetch_array(mysql_query("SELECT `first`, `last` FROM `users` WHERE `id` = '$id'")); //load the form with and update message echo "Successfully Updated"; ?> <form action="update.php?id=<?php echo $id;?>" method="post"> <input type="text" name="first" value="<?php $user['first'];?>"> <input type="text" name="last" value="<?php $user['last'];?>" </form> <?php } else { //the update form has not been submitted //load the form data $user = mysql_fetch_array(mysql_query("SELECT `first`, `last` FROM `users` WHERE `id` = '$id'")); //load the form ?> <form action="update.php?id=<?php echo $id;?>" method="post"> <input type="text" name="first" value="<?php $user['first'];?>"> <input type="text" name="last" value="<?php $user['last'];?>" </form> <?php }

I think a different approach my be a little bit easier. Typically, When I have user info that can be updated, I present the user with a form to edit the fields. The trick is to preload the form with the correct data from the database, so that when the user submit's the update, any field they want to edit is updated with one update query and the data from the form. Let me know if that makes sense or not.

What kind of response are you getting now?

Like we have all already asked.. please run your query in mysql // phpmyadmin.. or however you choose to run the query... We need to see if the result is returning any rows or not. Post your results... please $sql = "SELECT user_id FROM tbl_user WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";

Try running your query through some kind of mysql interface to make sure your actually getting one user... $sql = "SELECT user_id FROM tbl_user WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";

Are you using enctype="multipart/form-data" on your form tag? post your form.. and have you tried adding [] to the array of filetypes?