
Reset form won't work :(


adamjones


Hi.

I made a password reset form for users on my website, however, it's not working, and I don't really understand why not. The coding looks to have no errors, etc;

 

This page is where the user types in their username;

<form name="form1" method="post" action="passwordrequest.php" id="formular" class="formular">
  <fieldset> 				<legend>Forgotten Login</legend> 				<label></label>
  <table width="100%" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td width="7%" align="left" valign="top"><img src="css/images/frank_14.gif" alt="" width="61" height="85" /></td>
      <td width="4%"> </td>
      <td width="89%">
<label><span>Don't worry! Just fill in your Username below;<br />
      <br />
      Username: </span>
          <input type="text" name="username" class="validate['required','length[6,16]','alphanum'] text-input" id="username" />
      </label>
        <label></label>
        <p>
          <input type="submit" class="submit" value="Next Step" />
      </p></td>
    </tr>
  </table>
  </fieldset> 			 			
    <hr />
</form>

 

Their username is then passed to this file, where it checks their username, then registers their secret question and answer;

 

<?php
ini_set('error_reporting', E_ALL);
session_start();

require_once('config.php');

$errmsg_arr = array();

$errflag = false;

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

$username = clean($_POST['username']);

$qry="SELECT * FROM members WHERE username='$username'";
$result=mysql_query($qry);

if($result) {
	if(mysql_num_rows($result) == 1) {
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['secretq'] = $member['secretq'];
		$_SESSION['secreta'] = $member['secreta'];
		session_write_close();
	}
	}

?>
<?php
header("location: password_question.php");
	exit();
	?>

 

They are then taken to this page, where they are asked their secret question;

 

<form name="form1" method="post" action="reset_check.php" id="formular" class="formular">
  <fieldset> 				<legend>Forgotten Login</legend> 				<label></label>
  <table width="100%" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td width="7%" align="left" valign="top"><img src="css/images/frank_03.gif" alt="" width="60" height="85" /></td>
      <td width="4%"> </td>
      <td width="89%"><label><span>Secret Question : </span>
<input name="secretq" type="text" class="validate['required','length[6,16]','alphanum'] text-input" value="<?php echo $_SESSION['secretq'];?>" readonly/>
      </label>
        <label> <span>Answer : </span>
        <input type="text" name="secreta" class="validate['required','length[3,-1]','nodigit'] text-input" />
        <input name="username" type="hidden" class="validate['required'] text-input" value="<?php echo $_SESSION['user']; ?>" />
        </label>
        <p>
          <input type="submit" class="submit" value="Reset My Password" />
      </p></td>
    </tr>
  </table>
  </fieldset> 			 			
    <hr />
</form>

 

Once they have filled in the answer, it's sent to this;

 

<?php
session_start();

require_once('config.php');

$errmsg_arr = array();

$errflag = false;

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

$secretq = clean($_POST['secretq']);
$secreta = clean($_POST['secreta']);
$username = clean($_POST['username']);

$qry="SELECT * FROM members WHERE username='$username' AND secreta='$secreta'";
$result=mysql_query($qry);

if($result) {
	if(mysql_num_rows($result) == 1) {

		session_regenerate_id();
		$resetyes = mysql_fetch_assoc($result);
		$_SESSION['resetcode'] = $resetyes['resetcode'];

		session_write_close();

		header("location: reset_password.php");
		exit();
	}else {

		header("location: invalid_answer.php");
		exit();
	}
}else {
	die("Query failed");
}
?>

 

However, I'm always being redirected to 'invalid_answer.php'. I can't see any mistakes in the code? Could anyone have a look at it please :)

 

Cheers.


As far as I can see $_SESSION['user'] isn't set. You're using this as the value for a hidden field, so that'll be blank.

 

Incidentally, why are you putting session variables in hidden fields? That's just asking for the user to manipulate them. If they're in sessions, you can access them on the next page anyway.

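The point made in the reply above, as an added example that is not part of the original thread: the username is stored in the session when the reset starts and read back from the session when the answer is checked, so no hidden field is needed. Function names, the sample rows and the in-memory SQLite database (standing in for the MySQL members table) are assumptions, and PDO prepared statements replace the thread's mysql_* calls.

```php
<?php
// Added example, not the poster's code. Function names and sample rows are
// hypothetical; table and column names follow the scripts in the thread.

// Step 1 (passwordrequest.php): remember WHO is resetting on the server side.
function begin_reset(PDO $db, array &$session, string $username): bool {
    $stmt = $db->prepare('SELECT username, secretq FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return false;
    }
    $session['user']    = $member['username']; // the key the thread found unset
    $session['secretq'] = $member['secretq'];
    return true;
}

// Step 2 (reset_check.php): only the answer comes from the form. The username
// is read from the session, so a posted "username" field is never consulted.
function check_answer(PDO $db, array $session, array $post): bool {
    if (!isset($session['user'], $post['secreta'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT secreta FROM members WHERE username = ?');
    $stmt->execute([$session['user']]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, trim($post['secreta']));
}

// Constructed data: in-memory SQLite stands in for the MySQL members table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, secretq TEXT, secreta TEXT)');
$db->exec("INSERT INTO members VALUES ('alice01', 'First pet?', 'rex'),
                                      ('bobby02', 'First school?', 'oakfield')");

$session = []; // stands in for $_SESSION
begin_reset($db, $session, 'alice01');

// Correct answer for the user held in the session.
var_dump(check_answer($db, $session, ['secreta' => 'rex']));
// A posted username naming another account is ignored: the answer is still
// compared against alice01's row.
var_dump(check_answer($db, $session, ['username' => 'bobby02', 'secreta' => 'oakfield']));
// No begin_reset() call first: there is no session user to check against.
var_dump(check_answer($db, [], ['secreta' => 'rex']));
```
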

As far as I can see $_SESSION['user'] isn't set. You're using this as the value for a hidden field, so that'll be blank.

 

Incidentally, why are you putting session variables in hidden fields? That's just asking for the user to manipulate them. If they're in sessions, you can access them on the next page anyway.

 

Hmm. Right. Thanks for your help.

Do you know of any tutorials related to password reset forms?

 

Cheers.
