Jump to content

Recommended Posts

Hello I have this script that I have been getting support on on other forums and I would really love some help.

 

What this script does is reset your password to a randomly generated one, but for security it asks you a secret question that you have to answer correctly, for it to generate a random password, update that password into the database table and then email you it.

 

Everything works, like the security question part, finding the email works, and sending the email works. But the only part that doesnt work is the updating the table with the randomly generated password.

 

Here is the code.

 

<?php

function checkUNEmail($uname,$email)
{
    global $mySQL;
    $userID = 'X';
    $error = array('status'=>false,'userID'=>0);
    if (isset($email) && trim($email) != '') {
        //email was entered
        if ($SQL = $mySQL->prepare("SELECT `ID` FROM `users` WHERE `Email` = ? LIMIT 1"))
        {
            $SQL->bind_param('s',trim($email));
            $SQL->execute();
            $SQL->store_result();
            $numRows = $SQL->num_rows();
            $SQL->bind_result($userID);
            $SQL->fetch();
            $SQL->close();
            if ($numRows >= 1) return array('status'=>true,'userID'=>$userID);
        } else { return $error; }
    } elseif (isset($uname) && trim($uname) != '') {
        //username was entered
        if ($SQL = $mySQL->prepare("SELECT `ID` FROM users WHERE Username = ? LIMIT 1"))
        {
            $SQL->bind_param('s',trim($uname));
            $SQL->execute();
            $SQL->store_result();
            $numRows = $SQL->num_rows();
            $SQL->bind_result($userID);
            $SQL->fetch();
            $SQL->close();
            if ($numRows >= 1) return array('status'=>true,'userID'=>$userID);
        } else { return $error; }
    } else {
        //nothing was entered;
        return $error;
    }
}

function getSecurityQuestion($userID)
{
    global $mySQL;
    $questions = array();
    $questions[0] = "What is your mother's maiden name?";
    $questions[1] = "What city were you born in?";
    $questions[2] = "What is your favorite color?";
    $questions[3] = "What year did you graduate from High School?";
    $questions[4] = "What was the name of your first boyfriend/girlfriend?";
    $questions[5] = "What is your favorite model of car?";
    if ($SQL = $mySQL->prepare("SELECT `secQ` FROM `users` WHERE `ID` = ? LIMIT 1"))
    {
        $SQL->bind_param('i',$userID);
        $SQL->execute();
        $SQL->store_result();
        $SQL->bind_result($secQ);
        $SQL->fetch();
        $SQL->close();
        return $questions[$secQ];
    } else {
        return false;
    }
}

function checkSecAnswer($userID,$answer)
{
    global $mySQL;
    if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1"))
    {
        $answer = strtolower($answer);
        $SQL->bind_param('is',$userID,$answer);
        $SQL->execute();
        $SQL->store_result();
        $numRows = $SQL->num_rows();
        $SQL->close();
        if ($numRows >= 1) { return true; }
    } else {
        return false;
    }
}

function sendPasswordEmail($userID)
{
    global $mySQL;
    changePassword($userID);
    if ($SQL = $mySQL->prepare("SELECT `Username`,`Email`,`Password` FROM `users` WHERE `ID` = ? LIMIT 1"))
    {
        $SQL->bind_param('i',$userID);
        $SQL->execute();
        $SQL->store_result();
        $SQL->bind_result($uname,$email,$password);
        $SQL->fetch();
        $SQL->close();
        $message = "Dear $uname,\r\n";
        $message .= "Here is your requested lost password for your account at our site:\r\n";
        $message .= "-----------------------\r\n";
        $message .= "$password\r\n";
        $message .= "-----------------------\r\n";
        $message .= "Our login page: <a href=\"login.php\">http://www.oursite.com/login.php</a>\r\n\r\n";
        $message .= "Thanks,\r\n";
        $message .= "-- Our site team";
        $headers .= "From: Our Site <[email protected]> \n";
        $headers .= "To-Sender: \n";
        $headers .= "X-Mailer: PHP\n"; // mailer
        $headers .= "Reply-To: [email protected]\n"; // Reply address
        $headers .= "Return-Path: [email protected]\n"; //Return Path for errors
        $headers .= "Content-Type: text/html; charset=iso-8859-1"; //Enc-type
        $subject = "Your Lost Password";
        @mail($email,$subject,$message,$headers);
        return str_replace("\r\n","<br/ >",$message);
    }
}

function genRandomString() {
    $length = 10;
    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
    $string = '';    

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters))];
    }

    return $string;
}

function changePassword($userID){
  global $mySQL;
  $password = genRandomString();
  $SQL = $mySQL->prepare('UPDATE `users` SET `Password`="'.$password.'" WHERE `ID`="?" LIMIT 1');
  $SQL->bind_param('s',$password);
  $SQL->bind_param('i',$userID);
  $SQL->execute();
  return $password;
}

?>

 

The last 2 functions in the code are where the passwords are supposed to get changed and updated in the table, but it doesn't work...

 

Can anyone help me out please :)

Link to comment
https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/
Share on other sites

All you have posted is a bunch of functions. Where is the code that calls those functions? You have a function changePassword() that generates the temp password. You state that the email is being sent. Since you don't state that the email does not have the temp password I will assume that it does. That means the function changePassword() is apparently getting called and providing that temp password. So, I'm guessing the query is failing - or more specifically it is not finding any matching records to update.

 

You need to validate that you are passing the proper UserID to the function. Also, I have not made the switch to prepared statements, but I do see something different about that query. In the other queries you just used the question mark by itself to identify the parameter value. But, in the query for the changePassword() function you enclose it in double quotes. I have a feeling that is the problem.

As mjdamato says, the query is not valid syntax because the prepared statement is also adding quotes in place of the question mark, so you'll end up with: WHERE `ID` = "'99'"

 

Remove the quotes as they are not needed when using the ? in a prepped stmt.

So what would be the code you think would allow this script to work?

 

You are a GURU after all and your reasoning is very valid.

 

Seriously? As I said I have not worked with prepared statements but I can see that there is a difference between the query in that last function and the ones used in the previous functions. I pointed out that difference to you. Can you not make the logical conclusion of what you should try?

 

Query in first function

"SELECT `ID` FROM `users` WHERE `Email` = ? LIMIT 1"

 

Query in last function

'UPDATE `users` SET `Password`="'.$password.'" WHERE `ID`="?" LIMIT 1'

 

Although you should also not use double quotes around the password value either. Try changing the line in that last function to

$SQL = $mySQL->prepare("UPDATE `users` SET `Password`= '$password' WHERE `ID`= ? LIMIT 1");

 

BY the way there are many other problems in your code within the logic. For example, take this function - look at the comment I added

function checkSecAnswer($userID,$answer)
{
    global $mySQL;
    if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1"))
    {
        $answer = strtolower($answer);
        $SQL->bind_param('is',$userID,$answer);
        $SQL->execute();
        $SQL->store_result();
        $numRows = $SQL->num_rows();
        $SQL->close();
        return ($numRows >= 1) { return true; }
        //If $mySQL->prepare returns true above and $numRows == 0
        // then this function will not return anything ! ! !
    } else {
        return false;
    }
}

 

The function should look like this. If the $mySQL->prepare returns false or if no records are returned then the function will return false.

function checkSecAnswer($userID,$answer)
{
    global $mySQL;
    if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1"))
    {
        $answer = strtolower($answer);
        $SQL->bind_param('is',$userID,$answer);
        $SQL->execute();
        $SQL->store_result();
        $numRows = $SQL->num_rows();
        $SQL->close();
        return ($numRows >= 1);
    }
    return false;
}

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.