Password reset?

[Boxerman]

Hi guys,

 

Im making my own login script, and i am stuck (to the point i dont have any idea) on creating a password reset, i've got the basic form, but as the password is encoded.

 

My aim is so that when a user has forgotten their password they can click forgotten password and it will create a new password 8 letter/numbers long and insert it into there database and it will also email that password to them?

 

Can someone please point me in the right direction?

 

Thanks!

J

[Himself12794]

I'm not a php expert either, but I've written a code that seems to do trick (with help of others from this forum).

Here's what I use on the data processing page named reset-exec.php:

<?php

//Start session
    session_start();

    //Include database connection details
    require_once('../include/config.php');

    //Connect to mysql server
    if(!mysql_connect(DB_HOST, DB_USER, DB_PASSWORD))
    {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    if(!mysql_select_db(DB_DATABASE))
    {
        die('Unable to select database: ' . mysql_error());
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str)
    {
        if(get_magic_quotes_gpc())
        {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string(trim($str));
    }
       //Generates random password
function genRandomString() {
           $length = 8;
           $characters = ’0123456789abcdefghijklmnopqrstuvwxyz’;
           $string = '';    
           for ($p = 0; $p < $length; $p++) {
               $string .= $characters[mt_rand(0, strlen($characters))];
           }
           return $string;
        }

   	//Array to store errors
    $errmsg_arr = array();

    //Get form values and clean them
    $login = clean($_POST['login']);
    $email = clean($_POST['email']);
    $newpassword = genRandomString();

    //Input Validations
    if(empty($login))
    {
        $errmsg_arr[] = 'Login ID missing';
    }
    if(empty($email))
    {
        $errmsg_arr[] = 'Email missing';
    }

    //Attempt to set new password value (only run if no previous errors)
    if(count($errmsg_arr)==0)
    {
        $pwHash = md5($newpassword);
        $qry = "UPDATE members
                SET passwd='$pwHash'
                WHERE login='$login' AND email='$email'";
        $result = mysql_query($qry);
        if(!$result)
        {
            die("Error running query: " . mysql_error());
        }
   
        //If there were no affected rows then there was not matching value
        if(mysql_affected_rows()==0)
        {
            $errmsg_arr[] = 'That Login ID and/or Email do not exsist. Are you trying to register?';
        }
        else
        {
            //Password was updated, send new password email.
            $to      = $email;
            $subject = "New Password";
            $message = "New password.\r\r
                        You, or someone using your email address, has requested a new password. Here is your current information.\r\r
                        Login: $login\r\r
                        New Password: $newpassword\r\r
                        Regards, me";
            $headers = "From: [email protected]\r\n" .
                       "Reply-To: [email protected]\r\n" . 
                       "X-Mailer: PHP/" . phpversion();
            if(!mail($to, $subject, $message, $headers))
            {
                $errmsg_arr[] = 'There was a problem sending the email';
            }
        }
    }

    //If there are errors, redirect back to the login form
    if(count($errmsg_arr)>0)
    {
	$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
	session_write_close();
	header("location: index.php");
	exit();
}

    //There were no errors
    header("location: reset-success.php");
exit();
?>

Here's the reset form:

<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Reset Password</title>
<link href="../css/loginmodule.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
	echo '<ul class="err">';
	foreach($_SESSION['ERRMSG_ARR'] as $msg) {
		echo '<li>',$msg,'</li>'; 
	}
	echo '</ul>';
	unset($_SESSION['ERRMSG_ARR']);
}
?>
<form id="resetForm" name="resetForm" method="post" action="reset-exec.php">
		  <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
		    <tr>

		      <td width="112"><b>Username</b></td>
		      <td width="188"><input name="login" type="text" class="textfield" id="login" /></td>
		    </tr>
		    <tr>
		      <td><b>Email you registered with.</b></td>
		      <td><input name="email" type="text" class="textfield" id="email" /></td>
		    </tr>
		    <tr>

		      <td> </td>
		      <td><input type="submit" name="Submit" value="Reset" /></td>
		    </tr>
		  </table>
		</form></body>
</html>

That's what I use and it works for me. If there are any problems, let me know.