
email activation URL the same when key removed


shoebox


Hi,

 

I have a reset password script that sends a user a link when they complete a 'forgot password' page; they enter their email & validate a captcha image, then I send them an email with a unique confirmation code & a link like:

 

$pwdLink = 'http://localhost/myProject/changePassword.php?email=' . urlencode($email) . '&key=' . $actKey;

 

so when they click it, it goes to the browser correctly as: http://localhost/myProject/[email protected]&key=32847238974892374982

 

but in the browser I can delete all the stuff just to leave: http://localhost/myProject/changePassword.php and I'm on the same page!

any ideas?

 

Thanks

 

SB

I use this method for the following Database

CREATE TABLE logins (
id TINYINT UNSIGNED NOT NULL AUTO_INCREMENT,
email VARCHAR(55) NOT NULL,
username VARCHAR(16) NOT NULL,
pswd CHAR(32) NOT NULL,
hash CHAR(32) NOT NULL,
PRIMARY KEY(id));

hope it helps

<?php
// Create unique identifier
$id = md5(uniqid(rand(), 1));
// User's email address, plus an escaped copy for use inside the query
$address = $_POST['email'];
$safeAddress = mysql_real_escape_string($address);
// Set user's hash field to a unique id
$query = "UPDATE logins SET hash='$id' WHERE email='$safeAddress'";
$result = mysql_query($query);
$email = <<<EMAIL
Dear user,
Click on the following link to reset your password:
http://www.example.com/users/lostpassword.php?id=$id
EMAIL;
// Email user password reset options
mail($address, "Password recovery", $email, "From: [email protected]");
// Escape the address before echoing it back into the page
echo "<p>Instructions regarding resetting your password have been sent to " .
    htmlspecialchars($address) . "</p>";
?>

 

<?php
// Create a pseudorandom password five characters in length
$pswd = substr(md5(uniqid(rand())), 0, 5);
// User's hash value from the link, escaped before it is used in the query
$id = mysql_real_escape_string($_GET['id']);
// Update the user table with the new password
$query = "UPDATE logins SET pswd='$pswd' WHERE hash='$id'";
$result = mysql_query($query);
// Display the new password only if a row actually matched the hash
if ($result && mysql_affected_rows() == 1) {
    echo "<p>Your password has been reset to $pswd.</p>";
} else {
    echo "<p>Invalid or unknown reset link.</p>";
}
?>

Hi,

 

I think the problem is with not having GET variables; I'm not sure where to have them either, I use 3 files, I'll paste the important parts in here.

 

<<forgotPassword.php>>

....
<?php session_start(); // must run before any output is sent, or $_SESSION is never available ?>
<div id="page">
<h1 style="text-align:center;margin-left:auto;margin-right:auto;">Forgotten Password</h1>
<h2>Please enter your email address below &amp; check your mail for instructions</h2>
<br />
<br />
</div>

<?php

if( isset($_POST['submit'])) {
   if( $_SESSION['security_code'] == $_POST['security_code'] && !empty($_SESSION['security_code'] ) ) {
	// Insert you code for processing the form here, e.g emailing the submission, entering it into a database. 
	echo 'Thank you. Your message said "'.htmlspecialchars($_POST['message']).'"';
	unset($_SESSION['security_code']);
   } else {
	// Insert your code for showing an error message here
	echo 'Sorry, you have provided an invalid security code';
   }
} else {
?>

<form method="post" action="sendEmailAddress.php">

  <div id="container">

  <div id="main">
  Email: <input type="text" name="email" id="email" /><br />
  <br />
  <br />
<img src="CaptchaSecurityImages.php?width=100&amp;height=40&amp;characters=5" /><br />
	<label for="security_code">Enter security code above: </label><input id="security_code" name="security_code" type="text" />
<br />
<br />
<input type="submit" value="Submit" name="submit" id="submit" />
....

 

<<sendEmailAddress.php>>

session_start(); // needed before $_SESSION can be read
$error = array(); // collect validation errors here so the later check is defined

if (isset ( $_POST ['submit'] )) {
if ($_SESSION ['security_code'] == $_POST ['security_code'] && ! empty ( $_SESSION ['security_code'] )) {
	$email = $_POST ['email'];

	$site_owners_email = '[email protected]'; // Replace this with your own email address
	$site_owners_name = 'ME'; // replace with your name

	if (! preg_match ( '/^[a-z0-9&\'\.\-_\+]+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*+[a-z]{2}/is', $email )) {
		$error ['email'] = "Please enter a valid email address";
	}

	if (! $error) {
		// escape the address before it is placed inside the query
		$safeEmail = mysql_real_escape_string ( $email );
		$mailResult = mysql_query ( "SELECT confirm_code FROM members WHERE email='$safeEmail'" );
		if ($mailResult) {
			if (mysql_num_rows ( $mailResult ) == 1) {
				$crap = mysql_result ( $mailResult, 0 );
			}

			else {
				//Login failed
				header ( "location: changePassword-failed.php" );
				exit ();
			}
		} else {
			die ( "Query failed" );
		}

		// build the link only once the confirmation code is known; the
		// original '&'.$key=$key never appended the key to the URL at all
		$pwdLink = 'http://localhost/secureLotto/changePassword.php?email=' . urlencode ( $email ) . '&key=' . urlencode ( $crap );

		require_once ('phpMailer/class.phpmailer.php');
		$mail = new PHPMailer ();
		$mail->IsSMTP ();
		$mail->Host = 'ssl://smtp.gmail.com:465';
		$mail->SMTPAuth = TRUE;
		$mail->Username = "[email protected]"; // SMTP username
		$mail->Password = "********"; // SMTP password

		$mail->FromName = 'me';
		$mail->From = $site_owners_email; // sending "from" the user's own address is a common reason mail lands in spam
		$mail->Subject = "Forgotten Password";
		$mail->AddAddress ( $site_owners_email, $site_owners_name );
		$mail->AddAddress ( $email ); // $name was never defined

		$mail->Body = 'Please follow this link ' .$pwdLink .' and enter this confirmation code ' . $crap;

		$mail->Send ();

		echo "<h2 class='success'> Thanks, an email has been sent to " . htmlspecialchars ( $email ) . ". Please follow the instructions </h2><h2>(it may be in your spam folder)</h2>";

	} # end if no error

 

<<changePassword.php>>

...
<form id="changePasswordForm" name="changePasswordForm" method="post"
action="changePassword-exec.php">
<input type="hidden" name="md5Pass" value="" />
<input type="hidden" name="md5CPass" value="" />
<table width="300" border="0" align="center" cellpadding="2"
cellspacing="0">
 <tr>
	<th width="124">Email</th>
	<td width="168"><input name="email" type="text" class="textfield"
		id="email" /></td>
</tr>
<tr>
	<th width="124">Confirmation Code</th>
	<td width="168"><input name="code" type="text" class="textfield"
		id="code" /></td>
</tr>
<tr>
	<th>New Password</th>
	<td><input name="password" type="password" class="textfield"
		id="password" onKeyUp="checkPassword(this.value)" /></td>
...

 

Any help would be appreciated telling me where to place the GET variables & how to reset the link if a user changes it (see first post).

 

thanks,

 

SB
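The piece missing from both the reply's scripts and the three files above is a server-side check on changePassword.php: the page has to look the email/key pair from the query string up in the database and refuse to render the form unless the pair matches an unexpired token, otherwise stripping the parameters from the URL simply shows the page. The block below is an added example, not code from the thread or from any of its posters. It assumes PHP 7.1 or later with PDO, a table shaped like the reply's logins table extended with two assumed columns (reset_hash CHAR(64) and reset_expires INTEGER) and pswd widened to VARCHAR(255) so password_hash() output fits; the demo at the bottom runs against an in-memory SQLite database with constructed data.

```php
<?php
// Added example (not from the thread). Token-based password reset in which
// changePassword.php validates the email/key pair before showing the form.
// Assumptions: PHP >= 7.1, PDO, and the extra columns reset_hash / reset_expires.

const RESET_TTL_SECONDS = 3600;

/** Step 1 (sendEmailAddress.php): mint a token and store only its hash. */
function issueResetToken(PDO $pdo, string $email): ?string
{
    // 32 random bytes -> 64 hex chars; unguessable, unlike md5(uniqid(rand())).
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'UPDATE logins SET reset_hash = :h, reset_expires = :exp WHERE email = :email'
    );
    $stmt->execute([
        ':h'     => hash('sha256', $token),
        ':exp'   => time() + RESET_TTL_SECONDS,
        ':email' => $email,
    ]);
    // No matching row means no such account; the caller should still show the
    // same "check your mail" message so addresses cannot be enumerated.
    return $stmt->rowCount() === 1 ? $token : null;
}

/** Build the link. http_build_query() encodes both values, which also avoids
 *  the thread's '&'.key=$actKey mistake that never attached the key at all. */
function buildResetLink(string $base, string $email, string $token): string
{
    return $base . '?' . http_build_query(['email' => $email, 'key' => $token]);
}

/** Step 2 (changePassword.php): true only for a matching, unexpired pair. */
function verifyResetToken(PDO $pdo, string $email, string $token): bool
{
    $stmt = $pdo->prepare('SELECT reset_hash, reset_expires FROM logins WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int) $row['reset_expires'] < time()) {
        return false;
    }
    // Constant-time comparison of the stored hash against the hash of the key.
    return hash_equals($row['reset_hash'], hash('sha256', $token));
}

/** Step 3 (changePassword-exec.php): set the password and burn the token. */
function completeReset(PDO $pdo, string $email, string $token, string $newPassword): bool
{
    if (!verifyResetToken($pdo, $email, $token)) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE logins SET pswd = :p, reset_hash = NULL, reset_expires = NULL WHERE email = :email'
    );
    return $stmt->execute([
        ':p'     => password_hash($newPassword, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
}

// --- Self-contained demo on an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE logins (id INTEGER PRIMARY KEY, email VARCHAR(55) NOT NULL,
            username VARCHAR(16) NOT NULL, pswd VARCHAR(255) NOT NULL,
            reset_hash CHAR(64) NULL, reset_expires INTEGER NULL)');
$pdo->exec("INSERT INTO logins (email, username, pswd) VALUES ('alice@example.test', 'alice', 'x')");

$token = issueResetToken($pdo, 'alice@example.test');
echo buildResetLink('http://localhost/myProject/changePassword.php', 'alice@example.test', $token), "\n";

// What changePassword.php should do with the query string, case by case:
var_dump(verifyResetToken($pdo, 'alice@example.test', $token));     // the link as emailed
var_dump(verifyResetToken($pdo, 'alice@example.test', ''));         // key stripped from the URL
var_dump(verifyResetToken($pdo, 'bob@example.test', $token));       // email swapped in the URL
var_dump(completeReset($pdo, 'alice@example.test', $token, 'new-pass'));
var_dump(verifyResetToken($pdo, 'alice@example.test', $token));     // same link clicked a second time
```

In changePassword.php the check goes at the very top of the file, before any HTML: read `$_GET['email']` and `$_GET['key']`, call verifyResetToken(), and exit with a 403 if it returns false; the form then carries the same two values as hidden fields so changePassword-exec.php can call completeReset() with them. Of the five calls in the demo, only the first and the fourth succeed: the stripped key, the swapped email and the reused link are all rejected, because the token is compared by hash, is bound to the email row, expires after an hour and is cleared once the password has been changed.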

Archived

This topic is now archived and is closed to further replies.
