forgot password help

[ianhaney]

In my login.php file I got a forgot password text field as well so the user can put their email address in and have a email sent containing their password

 

But am getting the following error and have no idea why

 

Login Failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' WHERE 'username' ='.'' at line 1

 

Any ideas

 

Thank you in advance

 

Ian

[White_Lily]

Can you post the code associated with the forgotten password.

[ianhaney]

Hi white lily you ok

 

Yeah sure it is below

 

<div id="forgotpw">
Forgot Password - use form below to reset the password
<br>
<form name="forgot" method="post" action="<?php $_SERVER['PHP_SELF'];?>"> 
<p><label for="email">Email:</label> 
<input name="email" type="text" value="<?=$email; ?>" size="25"/> 
</p> 
<input type="submit" name="submit" value="submit"/> 
<input type="reset" name="reset" value="reset"/> 
</form> 
</div>

 

AND THIS AS WELL I THINK

 

$row=mysql_fetch_array($query); 
$password=$row["password"]; 
$email=$row["email"]; 
$subject="your password"; 
$header="from:noreply@cptevents4.co.uk"; 
$content="your password is $password"; 
mail($email, $subject, $row, $header); 
print "An email containing the password has been sent to you"; 
   } 
else  
   { 
   echo("no such login in the system. please try again."); 
   } 

[White_Lily]

at the end of all your queries within your code, put:

 

or die(mysql_error());

 

Also try this:

 

print_r($queryVariable);

EDIT: make sure the values of this output are what you expect, if not then there is a problem with your query.

 

PS: Something that MIGHT also create this error "illegal characters" for MySQL, so you could try escaping all inputs with:

 

mysql_real_escape_string();

Edited January 27, 2013 by White_Lily

[Christian F.]

I strongly recommend that you read this article about secure login systems, you should never store passwords in clear text in your database.

 

If you want a reason why: Just search the net for "password leak", and then reflect on how many sites you're using the same e-mail/username and password combination on.

[ianhaney]

I thought it was all secured by hash and salt etc as when I look in the database, they passwords are all mixed up with letters and numbers

Edited January 27, 2013 by ianhaney

[Christian F.]

This bit of code tells a different story:

$row=mysql_fetch_array($query); 
$password=$row["password"]; 

 

If you properly hashed and salted a password, it would be impossible to get back the original password. Hashing is a one-way operation, after all. Meaning that you'd have to generate a completely new and random password for the users, if they forgot their original password. (Or send them a password reset link, which they could use to set a new password.)

 

Though, if the password appears to be hashed in the DB, it may very well just have been encrypted using MySQL ENCRYPT() function. Which pretty much exactly the same as storing it in clear text.

[ianhaney]

I might see if there is a better login and registration system then with salting and hashing properly with a forget password feature as well