pavanpuligandla Posted March 30, 2009

Hi all,

I'm developing a secured system for resetting a forgotten password. I'm taking the user's ID as input in my first form, then validating it with the DB. If the user ID is found, I show him the second form (i.e. a more-details form) with first name, last name, secret question and answer. If these also match, I need to send a URL to the user's email which, when clicked, takes him to the password update page.

I'm stuck at generating the URL and sending it by email. Can anyone please help me out? Are there any PHP scripts satisfying the above functionality?

Many thanks.

Link to comment https://forums.phpfreaks.com/topic/151702-reset-forgot-password-using-php/
ratcateme Posted March 30, 2009

The way I do it is I generate an MD5 hash with a random number, then send a link to my users like resetpass.php?user=username@test=random_md5_hash and store the MD5 hash in a database. Also, the hashes are salted, so brute forcing with, say, md5(rand()) shouldn't easily result in my hash.

Scott.
pavanpuligandla Posted March 30, 2009

Hi Scott,

Thanks for your help. I followed your guidelines and developed code for that. The problem is, I want to insert a random key in my database key column, and after inserting it I should invoke PHP mail to send the URL to the user who has lost the password. Now, after running the below script on my server, I can see the URL in plain text, printed the same as in the script. Can you please help me with how to achieve those 2 operations (inserting a random key into the DB, emailing a valid URL to the user)?

```php
<?php
session_start();

//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("blackerdread");
if(!$db) {
    die("Unable to select database");
}
if(!get_magic_quotes_gpc()) {
    $row['customerID'] = stripslashes($_POST[$row['customerID']]);
}else{
    $row['customerID'] = $_POST[$row['customerID']];
}
$key = substr(base64_encode(crypt('', '')), 0, 32);
$query="INSERT INTO ss_customers (key) VALUES ('$key')";
$result=mysql_query($query);
$query = "SELECT Login, Email FROM ss_customers WHERE customerID='37'";
$result=mysql_query($query);
$row = mysql_fetch_array($result);
if(mysql_num_rows($result)>0) {
    $Email = $row['Email'];
    $Login = $row['Login'];
    $headers4="[email protected]"; // Change this address within quotes to your address
    $headers.="Reply-to: $headers4\n";
    $headers .= "From: $headers4\n";
    $headers .= "Errors-to: $headers4\n";
    // mail function will return true if it is successful
    if(mail("$Email","Your Request for login details", "This is in response to your request for login detailst at site_name \n \nLogin ID: $Login \n" ".URL . resetpassword.php?Login= . urlencode($Login) . &key= . urlencode($key) . \n" ,"$headers"))
    {echo "<center><font face='Verdana' size='2' ><b>THANK YOU</b> <br>Your password is posted to your emil address . Please check your mail after some time. 
</center>";}
    else{// there is a system problem in sending mail
    echo " <center><font face='Verdana' size='2' color=red >There is some system problem in sending login details to your address. Please contact site-admin. <br><br><input type='button' value='Retry' onClick='history.go(-1)'></center></font>";}
}
else {
    echo "mail not sent";
}
```
ratcateme Posted March 31, 2009

Looking at your code, it does both of those operations, I thought? Although your mail line should be rewritten to:

```php
if(mail("$Email","Your Request for login details", "This is in response to your request for login detailst at site_name \n \nLogin ID: $Login \n". $URL. "resetpassword.php?Login=" . urlencode($Login) . "&key=$key\n" ,"$headers"))
```

Also, $URL is not defined.

Scott.
pavanpuligandla Posted March 31, 2009

Hi Scott,

Thanks for that. Now I need to GET those parameters which I'm sending to a particular user via URL:

```php
$URL. "resetpassword.php?Login=" . urlencode($Login) . "&key=$key\n"
```

After clicking the above URL, the user will be shown a password update form. After entering the passwords correctly, the form action for the resetpassword page is updatepassword, where, in the update password page, I need to check for Login in the DB and match it with the URL's Login; then, if both are validated, the password will be updated, else an error message "your userid not matched with the URL".

How do I get the parameters from that URL and match them with the DB?

Here is my resetpassword.php code:

```php
<?php
session_start();
$Login = $_GET['Login'];
//echo $Login;
//exit();
$customerID = $_GET['customerID'];
$Login = $_SESSION[$_GET['Login']];
?>
<HTML>
<HEAD>
<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; CHARSET=UTF-8">
<META HTTP-EQUIV="CONTENT-SCRIPT-TYPE" CONTENT="text/javascript">
<TITLE>Password Change Form</TITLE>
<script>
form_submitted=false
function ValidationError(form, Invalid, error_message, focus)
{
    alert(error_message)
    if(form[focus].focus)
        form[focus].focus()
}
function ValidateForm(theform)
{
    var e='There were problems with your input:\n\n', i={}, f='', r, s
    r=theform['newpassword']
    r.className=''
    r=theform['confirm']
    r.className=''
    if(!i['newpassword'] && (theform['newpassword'].value==''))
    {
        r=theform['newpassword']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='newpassword'
        else
            e+='\n\n'
        e+=(i['newpassword']='==> Please enter your new password.')
    }
    if(!i['newpassword'] && ((theform['newpassword'].value.search && theform['newpassword'].value.search(new RegExp('^[a-zA-Z]','g'))==-1)))
    {
        r=theform['newpassword']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='newpassword'
        else
            e+='\n\n'
        e+=(i['newpassword']='==> The new password must start with a letter.')
    }
    if(!i['newpassword'] && (theform['newpassword'].value.length<8))
    {
        r=theform['newpassword']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='newpassword'
        else
            e+='\n\n'
        e+=(i['newpassword']='==> The Password must contain atleast 8 characters.')
    }
    if(!i['newpassword'] && (theform['newpassword'].value.length>14))
    {
        r=theform['newpassword']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='newpassword'
        else
            e+='\n\n'
        e+=(i['newpassword']='==> The Password must not exceed 15 characters.')
    }
    if(!i['confirm'] && (theform['confirm'].value==''))
    {
        r=theform['confirm']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='confirm'
        else
            e+='\n\n'
        e+=(i['confirm']='==> Please enter your confirmation password.')
    }
    if(!i['confirm'] && (theform['confirm'].value!=theform['newpassword'].value))
    {
        r=theform['confirm']
        r.className='invalid'
        if(e=='There were problems with your input:\n\n')
            f='confirm'
        else
            e+='\n\n'
        e+=(i['confirm']='==> Passwords do not match.')
    }
    if(e!='There were problems with your input:\n\n')
    {
        ValidationError(theform, i, e, f)
        form_submitted=false
        return false
    }
    return true
}
</script>
</HEAD>
<body BGCOLOR="#FFFFFF" TEXT="#252525" VLINK="#990000" ALINK="#990000" LINK="#990000" onload="document.forms['changepassword']['password'].focus()" >
<BR>
<TABLE WIDTH="770" BORDER="0" CELLSPACING="2" CELLPADDING="4" ALIGN="CENTER" >
<TR>
<TD>
<P CLASS="headerbanner"> Password Change Form </P>
<FORM NAME="changepassword" METHOD="POST" ACTION="updatepassword.php" onsubmit="return ValidateForm(this)">
<TABLE CELLPADDING="2" ALIGN="CENTER" SUMMARY="Secondary table holds input fields and buttons" >
<TR>
<TD CLASS="text">
<SPAN STYLE="font-weight: bold;" > New Password: </SPAN>
<BR>
<INPUT TYPE="PASSWORD" CLASS="password" NAME="newpassword" MAXLENGTH="15" SIZE="30">
</TD>
</TR>
<TR>
<TD CLASS="text">
<SPAN STYLE="font-weight: bold;"> Confirm New Password: </SPAN>
<BR>
<INPUT TYPE="PASSWORD" NAME="confirm" MAXLENGTH="15" SIZE="30">
</TD>
</TR>
</TABLE>
<BR>
<CENTER>
<button type="submit" align="center" OnMouseover="window.status='Change Password';return true;" OnMouseout="window.status=' ';"/><img src="http://localhost/MyDreamProject/images/pwd.gif" alt=""/> Save Password-></button>
<button type="reset" align="center" OnMouseover="window.status='Refresh Page';return true;" OnMouseout="window.status=' ';"/><img src="http://localhost/MyDreamProject/images/refresh.png" alt=""/> Reset</button>
</CENTER>
</TD>
</TR>
</FORM>
</TABLE>
<div id='DetachDiv' height=0 width=0 frameborder=0></div>
</BODY>
</HTML>
```

Here is my updatepassword.php code:

```php
<?php
session_start();
$Login = $_GET['Login'];
//echo $Login;
//exit();
//Connect to mysql server
$link=mysql_connect("localhost","root","");
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db=mysql_select_db("blackerdread");
if(!$db) {
    die("Unable to select database");
}
if(!get_magic_quotes_gpc()) {
    $Login = stripslashes($_POST['Login']);
    $row['customerID'] = stripslashes($_POST[$row['customerID']]);
    $newpassword = stripslashes($_POST['newpassword']);
    $confirm = stripslashes($_POST['confirm']);
}else{
    $Login = $_POST['Login'];
    $row['customerID'] = $_POST[$row['customerID']];
    $newpassword = $_POST['newpassword'];
    $confirm = $_POST['confirm'];
}
$encrypt1 = base64_encode($newpassword);
//echo $encrypt1;
//$decode = base64_decode($encrypt1);
//echo $decode;
//exit();
$key = $_POST['key'];
$query1 = "select Login FROM ss_customers WHERE key='".$_SESSION['key']."' and Login='".$Login."'";
$result = mysql_query($query);
if($newpassword == $confirm) {
    $query = "UPDATE ss_customers Set cust_password='$encrypt1' where Login='".$Login."'";
    $result = mysql_query($query);
    //echo $query;
    //exit();
    //update the password in the session so you don't have to logoff
    //$_SESSION["password"] = $encrypt1;
    //echo an confirm.
    echo "password updated";
    exit;
}
else{
    echo "passwords do not match! 
please try again";
    exit;
}
?>
```

My task will be completed if I can match the URL's login with the DB login and the URL's key with the DB's key. Can you please advise me?

Many thanks for the comeback.
pavanpuligandla Posted April 1, 2009

Hi Scott,

Thanks for your help, it is working now. The only problem is with my INSERT query, in which I'm trying to insert a randomly generated KEY into the DB against a particular USER and send it via a URL. When the user clicks that link, I need to perform 2 validations there by getting the URL parameters, LOGINID and KEY, and matching them with the DB records. Can you please suggest how I can do this? Please let me know: can we add a single column to an existing table and insert a value into it?

Presently my INSERT query is like this:

```php
$key = substr(base64_encode(crypt('', '')), 0, 32);
$key = mysql_real_escape_string($key);
$query1="INSERT INTO ss_customers (key) VALUES ('{$key}') WHERE customerID='".$_SESSION['customerID'] ."'";
$result1=mysql_query($query1);
//echo $query;
//exit();
```

I tried many times, but the key is not being inserted into the DB against a particular ROW. What I need to do is, after inserting a key into the DB, send a URL to the user's email, then match the DB's LOGIN ID and KEY with the URL GET parameters; if both are the same then update the password, else Invalid LINK.

Please do advise me. Many thanks.
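The insert-then-verify flow asked about above, as an added example that is not part of the original thread: the key is attached to the existing row with UPDATE (MySQL's INSERT ... VALUES takes no WHERE clause, and `key` is a reserved word there), only a SHA-256 hash of it is stored, and the link expires and works once. It runs on an in-memory SQLite database through PDO so it is self-contained; the reset_hash and reset_expires columns, the sample row and the host name are assumptions, while the other names follow the thread.

```php
<?php
// Added example. ss_customers, customerID, Login and cust_password follow the thread;
// reset_hash, reset_expires and the sample row are assumptions made for this sketch.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ss_customers (customerID INTEGER PRIMARY KEY, Login TEXT,
           cust_password TEXT, reset_hash TEXT, reset_expires INTEGER)");
$db->exec("INSERT INTO ss_customers (customerID, Login) VALUES (37, 'alice')");

// Step 1: attach a fresh key to the existing row with UPDATE ... WHERE.
function issueResetToken(PDO $db, int $customerID, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));   // 64 hex chars from the OS CSPRNG
    $stmt = $db->prepare("UPDATE ss_customers SET reset_hash = ?, reset_expires = ?
                          WHERE customerID = ?");
    $stmt->execute([hash('sha256', $token), time() + $ttl, $customerID]);
    return $token;                        // e-mailed to the user; the DB keeps only the hash
}

// Step 2: on updatepassword.php, re-check Login and key before changing anything.
function resetPassword(PDO $db, string $login, string $token, string $newPassword): bool {
    $stmt = $db->prepare("SELECT customerID, reset_hash, reset_expires
                          FROM ss_customers WHERE Login = ?");
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()) {
        return false;                     // unknown login, no pending reset, or link expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;                     // key from the URL does not match the stored hash
    }
    // password_hash() is one-way, unlike base64_encode(); clearing the hash makes the
    // link single-use.
    $stmt = $db->prepare("UPDATE ss_customers SET cust_password = ?, reset_hash = NULL,
                          reset_expires = NULL WHERE customerID = ?");
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['customerID']]);
    return true;
}

$token = issueResetToken($db, 37);
// Constructed host name; Login and key are the two GET parameters from the thread.
$url = 'https://example.test/resetpassword.php?Login=' . urlencode('alice') . '&key=' . $token;
echo $url, "\n";
var_dump(resetPassword($db, 'alice', str_repeat('0', 64), 'N3w-passphrase')); // key never issued
var_dump(resetPassword($db, 'alice', $token, 'N3w-passphrase'));              // e-mailed key
var_dump(resetPassword($db, 'alice', $token, 'another-one'));                 // link reused
```

Login and key arrive on resetpassword.php as GET parameters, so they have to be passed on to updatepassword.php as well, for example as hidden form fields, because the form in the thread posts only the two password fields.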