Russia Posted December 31, 2010 Share Posted December 31, 2010 Hello I have this script that I have been getting support on on other forums and I would really love some help. What this script does is reset your password to a randomly generated one, but for security it asks you a secret question that you have to answer correctly, for it to generate a random password, update that password into the database table and then email you it. Everything works, like the security question part, finding the email works, and sending the email works. But the only part that doesnt work is the updating the table with the randomly generated password. Here is the code. <?php function checkUNEmail($uname,$email) { global $mySQL; $userID = 'X'; $error = array('status'=>false,'userID'=>0); if (isset($email) && trim($email) != '') { //email was entered if ($SQL = $mySQL->prepare("SELECT `ID` FROM `users` WHERE `Email` = ? LIMIT 1")) { $SQL->bind_param('s',trim($email)); $SQL->execute(); $SQL->store_result(); $numRows = $SQL->num_rows(); $SQL->bind_result($userID); $SQL->fetch(); $SQL->close(); if ($numRows >= 1) return array('status'=>true,'userID'=>$userID); } else { return $error; } } elseif (isset($uname) && trim($uname) != '') { //username was entered if ($SQL = $mySQL->prepare("SELECT `ID` FROM users WHERE Username = ? LIMIT 1")) { $SQL->bind_param('s',trim($uname)); $SQL->execute(); $SQL->store_result(); $numRows = $SQL->num_rows(); $SQL->bind_result($userID); $SQL->fetch(); $SQL->close(); if ($numRows >= 1) return array('status'=>true,'userID'=>$userID); } else { return $error; } } else { //nothing was entered; return $error; } } function getSecurityQuestion($userID) { global $mySQL; $questions = array(); $questions[0] = "What is your mother's maiden name?"; $questions[1] = "What city were you born in?"; $questions[2] = "What is your favorite color?"; $questions[3] = "What year did you graduate from High School?"; $questions[4] = "What was the name of your first boyfriend/girlfriend?"; $questions[5] = "What is your favorite model of car?"; if ($SQL = $mySQL->prepare("SELECT `secQ` FROM `users` WHERE `ID` = ? LIMIT 1")) { $SQL->bind_param('i',$userID); $SQL->execute(); $SQL->store_result(); $SQL->bind_result($secQ); $SQL->fetch(); $SQL->close(); return $questions[$secQ]; } else { return false; } } function checkSecAnswer($userID,$answer) { global $mySQL; if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1")) { $answer = strtolower($answer); $SQL->bind_param('is',$userID,$answer); $SQL->execute(); $SQL->store_result(); $numRows = $SQL->num_rows(); $SQL->close(); if ($numRows >= 1) { return true; } } else { return false; } } function sendPasswordEmail($userID) { global $mySQL; changePassword($userID); if ($SQL = $mySQL->prepare("SELECT `Username`,`Email`,`Password` FROM `users` WHERE `ID` = ? LIMIT 1")) { $SQL->bind_param('i',$userID); $SQL->execute(); $SQL->store_result(); $SQL->bind_result($uname,$email,$password); $SQL->fetch(); $SQL->close(); $message = "Dear $uname,\r\n"; $message .= "Here is your requested lost password for your account at our site:\r\n"; $message .= "-----------------------\r\n"; $message .= "$password\r\n"; $message .= "-----------------------\r\n"; $message .= "Our login page: <a href=\"login.php\">http://www.oursite.com/login.php</a>\r\n\r\n"; $message .= "Thanks,\r\n"; $message .= "-- Our site team"; $headers .= "From: Our Site <[email protected]> \n"; $headers .= "To-Sender: \n"; $headers .= "X-Mailer: PHP\n"; // mailer $headers .= "Reply-To: [email protected]\n"; // Reply address $headers .= "Return-Path: [email protected]\n"; //Return Path for errors $headers .= "Content-Type: text/html; charset=iso-8859-1"; //Enc-type $subject = "Your Lost Password"; @mail($email,$subject,$message,$headers); return str_replace("\r\n","<br/ >",$message); } } function genRandomString() { $length = 10; $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; $string = ''; for ($p = 0; $p < $length; $p++) { $string .= $characters[mt_rand(0, strlen($characters))]; } return $string; } function changePassword($userID){ global $mySQL; $password = genRandomString(); $SQL = $mySQL->prepare('UPDATE `users` SET `Password`="'.$password.'" WHERE `ID`="?" LIMIT 1'); $SQL->bind_param('s',$password); $SQL->bind_param('i',$userID); $SQL->execute(); return $password; } ?> The last 2 functions in the code are where the passwords are supposed to get changed and updated in the table, but it doesn't work... Can anyone help me out please Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/ Share on other sites More sharing options...
Psycho Posted December 31, 2010 Share Posted December 31, 2010 All you have posted is a bunch of functions. Where is the code that calls those functions? You have a function changePassword() that generates the temp password. You state that the email is being sent. Since you don't state that the email does not have the temp password I will assume that it does. That means the function changePassword() is apparently getting called and providing that temp password. So, I'm guessing the query is failing - or more specifically it is not finding any matching records to update. You need to validate that you are passing the proper UserID to the function. Also, I have not made the switch to prepared statements, but I do see something different about that query. In the other queries you just used the question mark by itself to identify the parameter value. But, in the query for the changePassword() function you enclose it in double quotes. I have a feeling that is the problem. Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153338 Share on other sites More sharing options...
Russia Posted December 31, 2010 Author Share Posted December 31, 2010 So what would be the code you think would allow this script to work? You are a GURU after all and your reasoning is very valid. I appreciate the help. Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153339 Share on other sites More sharing options...
Russia Posted December 31, 2010 Author Share Posted December 31, 2010 By any chance, can you take out the parts that say PREPARED statements, maybe that might be the problem.. Is there any way to recode this to take those parts away? Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153341 Share on other sites More sharing options...
the182guy Posted December 31, 2010 Share Posted December 31, 2010 As mjdamato says, the query is not valid syntax because the prepared statement is also adding quotes in place of the question mark, so you'll end up with: WHERE `ID` = "'99'" Remove the quotes as they are not needed when using the ? in a prepped stmt. Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153342 Share on other sites More sharing options...
Russia Posted December 31, 2010 Author Share Posted December 31, 2010 Okay, so th182guy, will that problem fix my code? Please fi anyone can post the final code that would be spiffy. Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153343 Share on other sites More sharing options...
Psycho Posted December 31, 2010 Share Posted December 31, 2010 So what would be the code you think would allow this script to work? You are a GURU after all and your reasoning is very valid. Seriously? As I said I have not worked with prepared statements but I can see that there is a difference between the query in that last function and the ones used in the previous functions. I pointed out that difference to you. Can you not make the logical conclusion of what you should try? Query in first function "SELECT `ID` FROM `users` WHERE `Email` = ? LIMIT 1" Query in last function 'UPDATE `users` SET `Password`="'.$password.'" WHERE `ID`="?" LIMIT 1' Although you should also not use double quotes around the password value either. Try changing the line in that last function to $SQL = $mySQL->prepare("UPDATE `users` SET `Password`= '$password' WHERE `ID`= ? LIMIT 1"); BY the way there are many other problems in your code within the logic. For example, take this function - look at the comment I added function checkSecAnswer($userID,$answer) { global $mySQL; if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1")) { $answer = strtolower($answer); $SQL->bind_param('is',$userID,$answer); $SQL->execute(); $SQL->store_result(); $numRows = $SQL->num_rows(); $SQL->close(); return ($numRows >= 1) { return true; } //If $mySQL->prepare returns true above and $numRows == 0 // then this function will not return anything ! ! ! } else { return false; } } The function should look like this. If the $mySQL->prepare returns false or if no records are returned then the function will return false. function checkSecAnswer($userID,$answer) { global $mySQL; if ($SQL = $mySQL->prepare("SELECT `Username` FROM `users` WHERE `ID` = ? AND LOWER(`secA`) = ? LIMIT 1")) { $answer = strtolower($answer); $SQL->bind_param('is',$userID,$answer); $SQL->execute(); $SQL->store_result(); $numRows = $SQL->num_rows(); $SQL->close(); return ($numRows >= 1); } return false; } Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153344 Share on other sites More sharing options...
Russia Posted December 31, 2010 Author Share Posted December 31, 2010 I really dont understand... I am really not that smart. haha. Is there any chance u can post the final code for me? Quote Link to comment https://forums.phpfreaks.com/topic/223081-password-update-doesnt-want-to-work/#findComment-1153345 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.