password recovery problem


sofia403


Hi, I'm having trouble with the code below, which is used in case a user forgets their password. If I enter a username and ANY email, it will send the "Username" and "Password" there. Of course I just want it to be sent only to the existing email in the db. Any ideas? Thank you.

<?php
include("fns.php");
include "config.php";

if(isset($_POST['Submit'])){
    //1. Check if form fields are filled in
    if(!filledin($_POST)){
        header( "Location:Messages.php?msg=7" );
        exit();
    }
    $name=$_POST['name'];
    $em=$_POST['mail'];

    //2. Check if entered name exists
    // The name is escaped before it is placed in the SQL string;
    // "or die" belongs on mysql_query(), not on the string assignment.
    $query="Select pw from user where uname='".mysql_real_escape_string($name)."'";
    $result= mysql_query($query) or die(mysql_error());

    if(mysql_num_rows($result)>0){
        for ($i=0; $i<mysql_num_rows($result); $i++) {
            $row = mysql_fetch_assoc($result);

            $pass=$row['pw'];
            // $em comes straight from the form and is never compared with the database
            $to="$em\r\n";
            $from="From: \r\n";
            $msg="Password:$pass\r\n";
            $msg .="Username:$name\r\n";
            $msg .="Your login information\r\n";
            $subject="re:Your Login Password\r\n";
        }
    }else{
        header( "Location:Messages.php?msg=8" );
        exit();
    }

    //4. Send password to user
    if(mail($to,$subject,$msg,$from)){
        // urlencode() the address instead of nesting PHP tags inside the string
        header( "Location:Messages.php?msg=9&email=".urlencode($em) );
        exit();
        //echo "Please click here to log";
    }else{
        header( "Location:Messages.php?msg=10");
        exit();
    }
}


Do you have an email address column in the database table? If yes, please change the SQL query as follows. I am assuming that the email address column name is "email" (please change it to the actual name):

// Both form values are escaped before they are placed in the SQL string
$query="SELECT `pw` FROM `user` WHERE `uname`='".mysql_real_escape_string($name)."' AND `email` = '".mysql_real_escape_string($em)."'";

That worked :) Thank you.

Now another question: this kind of query would return the entry in the password field, but what if I hash my passwords? How would I be able to retrieve them? Is there a way to decrypt it, or would I need to create a reset link for a new password?

Thanks again!

Sofia

There is no way to decrypt a hashed password if you encrypted it using the MD5() command or so. The best way to do it is to generate a random password again and send it to the user requesting the forgot password form. But this form might be accessed by an anonymous user, and the password could be changed for the concerned user. So the ideal way that I can suggest is the following:

1. Create a column called "temp_pw" (temporary password) in your database table.

2. User requests the forgot password form and enters username and email.

3. Upon successful verification, a random password is generated and stored in the "temp_pw" field.

4. System sends an email to the actual user's email address with a link.

5. Actual user clicks on the link and goes to the page. When the user clicks on the link, the system will now update the "pw" (actual password) column with the value of "temp_pw", to make sure that the user received the email and clicked on it.

This way the old password of the actual user will be saved in case he/she did not opt for the forgot password form.

 

Hope it helps!
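
An added example, not part of the thread and not either poster's code: the reset-link variant the question asks about, with the "temp_pw" column holding a hash of a one-time link token instead of a password. Assumed for illustration: PDO with an in-memory SQLite table, a hypothetical `temp_expires` column, and the function names `requestReset` and `completeReset`; the sample user is constructed.

```php
<?php
// Added example, not code from the thread. Assumed: PDO, a `user` table with
// uname/email/pw/temp_pw plus a hypothetical `temp_expires` column.

function requestReset(PDO $db, string $name, string $email): ?string
{
    // Prepared statement: form input never becomes part of the SQL text.
    $st = $db->prepare('SELECT uname FROM user WHERE uname = ? AND email = ?');
    $st->execute([$name, $email]);
    if ($st->fetchColumn() === false) {
        return null;                      // no match: nothing is stored or sent
    }
    $token = bin2hex(random_bytes(32));   // one-time secret for the e-mailed link
    $db->prepare('UPDATE user SET temp_pw = ?, temp_expires = ? WHERE uname = ?')
       ->execute([hash('sha256', $token), time() + 3600, $name]);
    return $token;                        // mail it to the address stored in the db
}

function completeReset(PDO $db, string $name, string $token, string $newPw): bool
{
    $st = $db->prepare('SELECT temp_pw, temp_expires FROM user WHERE uname = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['temp_pw'] === null || (int)$row['temp_expires'] < time()
        || !hash_equals($row['temp_pw'], hash('sha256', $token))) {
        return false;                     // unknown user, expired, or wrong token
    }
    // Only now is pw replaced; the token is cleared so the link works once.
    $db->prepare('UPDATE user SET pw = ?, temp_pw = NULL, temp_expires = NULL WHERE uname = ?')
       ->execute([password_hash($newPw, PASSWORD_DEFAULT), $name]);
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (uname TEXT PRIMARY KEY, email TEXT, pw TEXT, temp_pw TEXT, temp_expires INTEGER)');
$db->prepare('INSERT INTO user (uname, email, pw) VALUES (?, ?, ?)')
   ->execute(['sofia', 'sofia@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

var_dump(requestReset($db, 'sofia', 'someone@else.example'));  // e-mail not on file
$token = requestReset($db, 'sofia', 'sofia@example.com');
var_dump(completeReset($db, 'sofia', 'guessed-token', 'x'));    // wrong token
var_dump(completeReset($db, 'sofia', $token, 'new-secret'));    // valid link
var_dump(completeReset($db, 'sofia', $token, 'again'));         // link reused
```

The stored password is only ever written with password_hash(), so a later login check would use password_verify() rather than comparing strings.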
