Jump to content

Need help creating a Resend Password script


eldan88

Recommended Posts

Hi,

 

I am  trying to create a resend password to email script for an ecommerce script that hosts multiple stores, but can't seem to be getting any luck.

 

  The emails are being sent,  but the password values are blank.

The passwords that are stored in my database are sha1 protected, so at  first i taught the was the reason why it was shown blanks. But when I tried to retrieve the username's name, it also would not show in the email.

 

I would appreciate if you can show me what I might be doing wrong here.

 

Below is a snippet of how I wrote the code.

 

 

<?php 
function is_valid_email( $address )
{
   $rx = "^[a-z0-9\\_\\.\\-]+\\@[a-z0-9\\-]+\\.[a-z0-9\\_\\.\\-]+\\.?[a-z]{1,4}$";
   return (preg_match("~".$rx."~i", $address));
}
?>

<?php

if(isset($_POST['resend_pw'])) {
    $query = "SELECT id, store_id ";
    $query .= "FROM users ";
    $query .= "WHERE email = '{$email_to_retrieve_pw}' ";
    $query .= "LIMIT 1";
     $result_set = mysql_query($query, $connection);

if ($result_set) {
$retrieve_customers_login  = mysql_fetch_array($result_set); 
$full_name = $retrieve_customers_login['full_name'];
$found_password = $retrieve_customers_login['password'];


}// end of if (mysql_num_rows($result_set) == 1) 


else {
$message = "Bummer! We are so sorry. It seems that we can't find this email address on file ";
}

$email_to=$_POST['email_to_retrieve_pw'];

if ($email_to == "") // Email address cannot be empty
{
   $message = "Your Email Addess Has Not Enterned";
}
else
{
       if(is_valid_email($email_to)) // check the valid email address or not
               {
               $to=$email_to;
               $subject="Your  Password"; // Your subject
               // From
               $header = 'From: support@emailaddress.com' . "\r\n" .
               'Reply-To: support@emailaddress.com' . "\r\n" .
               'X-Mailer: PHP/' . phpversion();
             //add code for selecting $userid and $pass for user table for the input $email_to.

		//below is the code for password 
		$full_name;
            $found_password;

               // Your message
  $messages.=" Your Password  \r\n";
               $messages.="-------------------------------------- \r\n";
               $messages.= "Hello {$full_name} ! is your login information  is- \r\n";
               //$messages.="UserId: $userid \r\n";
      $messages.="Password: {$found_password} \r\n";
               $messages.="-------------------------------------- \r\n";
             
               // send email
               $sentmail = mail($to,$subject,$messages,$header);
             
               if($sentmail) //if your email succesfully sent
               {
                   header("Location: mail-password.php?send=Password has been sent to your email id");
               }
               else // Cannot send password to your e-mail address
               {
                   header("Location: mail-password.php?send=Not able to send email");
               }
       }
     
       else //Email address has not been found in our database
       {
           header("Location: mail-password.php?send=Email address not found");
       }
}

}// end of if(isset($_POST['resend_password'])) {

?>



 

 

Link to comment
Share on other sites

If you're one-way-hashing the user's password, there's no way to recover it. You have to generate a new one.

 

In order to debug your issue, remove the redirects, and try echo'ing out the variable that shows up empty in your email.

Link to comment
Share on other sites

If the password is SHA1() hashed, you can't send it to them anyhow. Hashing is a one-way street; the best you can do is generate a temporary password which you then send the user, and hash and store it in the database. Preferably you set a flag that also forces them to change their password on next login.

Link to comment
Share on other sites

If you're one-way-hashing the user's password, there's no way to recover it. You have to generate a new one.

 

In order to debug your issue, remove the redirects, and try echo'ing out the variable that shows up empty in your email.

 

How would I go about echoing my variables ? Thanks!

Link to comment
Share on other sites

If the password is SHA1() hashed, you can't send it to them anyhow. Hashing is a one-way street; the best you can do is generate a temporary password which you then send the user, and hash and store it in the database. Preferably you set a flag that also forces them to change their password on next login.

 

Thanks .... I understand the password part.. but how come the full name is now displayed on the email?

Link to comment
Share on other sites

please take a look at this and use it as a example, your see how it works then add what needed.

 

<?php

if (isset($_POST['submit'])){
    
    $password_unhased=$_POST['password'];
    
    $password=sha1(md5($_POST['password']));
    
    echo" hello my password is un hashed: $password_unhased";
    
    echo "<br><br>";
    
    echo " hello my password hased what in the database is: $password";
}
?>

<form method="POST" action="">

Please enter a password

<br />

<input type="password" name="password">

<br />

<input type="submit" name="submit" value="add password">

</form>

Link to comment
Share on other sites

when you send the email you send them the unscripted password

 

You never send a user their plain text password.  There's no reason for you to ever even have the plain text password. That's complete bonkers and total failure.  Users have shitty personal security and will constantly use the same passwords everywhere - even their banks.  If somebody gains access to your users' email - or worse, your database, you've failed your users' trust in security by handling plain text passwords.

 

The best way to handle passwords is to manage a salt and a hashing algorithm.  When somebody registers, a random salt is created and functionized with the form input to create a string.  When a user logs in, the process is repeated and is compared to the original. You should never store plain text password - ever!

 

If your user forgets their password, you should send them a reset link via email.  This way, if the user's email gets compromised, you're not sending anything that could further the devastation.

Link to comment
Share on other sites

Mahngiel that was a example of when a user put his/her name in on there own.

 

Mahngieli i will shock you, there are a thu websites that people use daily that keep a copy of the unrepeated password in a database and use it on a forgotten issue your be shocked how big business do silly things daily.

 

sorry but i got a password showing when my user join, i send it when they forget there password, i do advise them to change it from month to month.

 

i see what your saying i guess, because i make a admin page to auth all goings on so nothink get auth till i say so.

but in the event of a normal website and a learner i agree and sorry.

 

 

Link to comment
Share on other sites

Mahngiel that was a example of when a user put his/her name in on there own.

 

Mahngieli i will shock you, there are a thu websites that people use daily that keep a copy of the unrepeated password in a database and use it on a forgotten issue your be shocked how big business do silly things daily.

 

sorry but i got a password showing when my user join, i send it when they forget there password, i do advise them to change it from month to month.

 

i see what your saying i guess, because i make a admin page to auth all goings on so nothink get auth till i say so.

but in the event of a normal website and a learner i agree and sorry.

 

 

 

Just because big businesses do it doesn't mean it is right, or that you should do it.

 

You never ever store plaintext passwords. EVER!

 

A "forgot password" script should simply send a unique token to the user's email. The user will then use that token to create a new password. Their old password is gone and unrecoverable.

Link to comment
Share on other sites

so i lost my password .

 

I got a link for forgotten password,

 

The link gives me a box asking for my email address, when the email address is entered, i then check that email is in the database .

 

i send them a email conformation code via a link with hashed info id ect , i use there id for the database update when they use the email link.

 

they open there email and press the reset password link, it takes them to a page for them to re type a password, i also make a note of data and time they last updated there password, i set a trigger of 5 password changes then there account get ban not deleted, Then i admin contact them

 

sound ok.

Link to comment
Share on other sites

sounded good up until:

set a trigger of 5 password changes then there account get ban

 

There's no reason to do this.  People forget their passwords all the time, especially if they *try* to keep diff passwords for every site.  This is also the reason people use the same one, because some web devs make it a bitch to retrieve it. 

 

Just do what you said up until the whole banning part.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.