
php password email


ianhaney


Hi

I know it is not the best way to do it, but I just want to get it working for the time being.

I want the user to enter their email address and have their password sent to their email address if they forget it.

I have the following so far:

<form method="post" action="forgot-password.php" class="signup">
<label>Email Address: <input name="username" type="text" /></label>
<br />
<input type="submit" name="submit" value="submit" id="submit" />
</form>

<?php

$con = mysqli_connect("","","","");

// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  
 if(isset($_POST['submit']))
 {
  $mail=$_POST['username'];
  $q="select * password from affiliates where username='".$mail."'";
  
  $res=mysqli_fetch_assoc($con, $q);
  $password=$res['password'];
  $msg='Your password is '.$password;
  $sub='Send password';
  $header='From: noreply@it-doneright.co.uk';
  $m=mail($mail,$sub,$msg,$header);
  if($m)
  {
   echo'check your mail';
  }
 }
 
?>

I have probably made some mistakes with the code in relation to mysql and mysqli, but I am trying to get it working and did my best before posting here.

That code sends the email, but the password is blank; the email just says "Your password:".

On the page, I have the following errors:

Notice: Undefined variable: res in /home/sites/it-doneright.co.uk/public_html/forgot-password.php on line 51
NULL
Warning: mysqli_fetch_assoc() expects exactly 1 parameter, 2 given in /home/sites/it-doneright.co.uk/public_html/forgot-password.php on line 53
check your mail - SO IS SENDING THE MAIL


Not even looking at the code, your setup is seriously flawed. If you're storing the password in the database as plaintext, stop doing that. The password should be hashed before storing in the database, which means you couldn't e-mail the user's current password to them. I mean, you could, but they'd have to decrypt it before they could use it to log in. That's the point - if your database is compromised, the hackers won't have access to plaintext passwords.


As for the actual error message you're receiving, you've got a syntax error in your SQL.


As maxxd mentioned, your SQL query has a syntax error. You're selecting all columns (*) and the password column. Your query needs a comma:

$q="select *, password from affiliates where username='".$mail."'";

Or, since you're only using the password column, you could remove the asterisk:

$q="select password from affiliates where username='".$mail."'";

Also note that you need to run the query through mysqli_query() before you can use mysqli_fetch_assoc(). More information can be found here:

http://php.net/manual/en/mysqli.query.php

Side note: your query is vulnerable to SQL injection attacks. If you're not doing so already, you should look into creating Prepared Statements or at least use mysqli_real_escape_string().

And if you need more information about password hashing, the following may help:

http://php.net/manual/en/faq.passwords.php

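To make the point in the reply above concrete, here is an added example (not code from the original poster or from any reply) that does the same lookup two ways: first with the syntax error fixed and mysqli_query() run before mysqli_fetch_assoc(), still built by string concatenation, and then as a prepared statement. It assumes a table `affiliates` with columns `username` and `password` (the latter holding a password_hash() string) and placeholder database credentials.

```php
<?php
// Added example, not the original post's code. Assumes table
// affiliates(username, password) where password holds a password_hash() string.
declare(strict_types=1);

$con = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
if (mysqli_connect_errno()) {
    exit('Failed to connect to MySQL: ' . mysqli_connect_error());
}
// Throw on SQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. The thread's approach with the comma/asterisk problem removed and the query
//    actually executed: mysqli_fetch_assoc() takes the result of mysqli_query(),
//    not the connection and the SQL string.
//    Still injectable: a username of   x' OR '1'='1   matches every row,
//    and   x'; DROP TABLE affiliates; --   changes the statement's structure.
function lookupUnsafe(mysqli $con, string $mail): ?string
{
    $q = "SELECT password FROM affiliates WHERE username='" . $mail . "'";
    $res = mysqli_query($con, $q);
    $row = mysqli_fetch_assoc($res);
    return $row['password'] ?? null;
}

// 2. Prepared statement: the SQL text is sent first, the value separately, so
//    quotes or keywords inside the value can never be parsed as SQL.
function lookupSafe(mysqli $con, string $mail): ?string
{
    $stmt = mysqli_prepare($con, 'SELECT password FROM affiliates WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $mail);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row['password'] ?? null;
}

if (isset($_POST['submit'])) {
    $mail = filter_var($_POST['username'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($mail !== false) {
        $hash = lookupSafe($con, $mail);
        // $hash is a password_hash() string: there is nothing readable to
        // e-mail, and it cannot be reversed, which is the whole point.
    }
    // Same reply whether or not the address exists, so the form cannot be
    // used to enumerate registered accounts.
    echo 'If that address is registered, check your mail.';
}
```

mysqli_stmt_get_result() needs the mysqlnd driver, which is the default in every current PHP build; on older setups bind the output with mysqli_stmt_bind_result() instead.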

Hi maxxd

The password is hashed in the database, as I read it is never a good idea to store passwords as plain text for security reasons, so I have hashed it and that side is all OK.

Sending a hashed password isn't going to be very useful for the person requesting their password. You'll need to generate a new random password and send them a plain-text version.

Or better yet, send them an email to make sure they want to reset their password. If they click on the confirmation link, you can generate the new password and send it to them.

Edited by cyberRobot

Yeah, sorry, I saw that response. Going by what the replies were, it was easier to scrap it all and start again.

I did manage to do the reset password once and it did change in the hashed password column, but it didn't change the psalt column next to it, so I was unable to log in.


As previously mentioned, you should really send an email asking the user if he wants to reset his password, to avoid someone hacking and causing you to make a change that the user didn't request. Add a hidden field to the reset form that you provide the user if he responds 'Yes', to be able to detect a valid reset request from the user as opposed to the perhaps invalid request from a hacker.

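The confirmation-link flow suggested by cyberRobot and ginerjm, as an added example rather than code from any post in the thread. The "hidden field" is the random token: it goes out in the e-mailed link, comes back in the reset form, and only a request carrying a matching, unexpired token is allowed to change the password. It also shows why the original poster's separate `psalt` column is unnecessary. Assumptions: a mysqli connection `$con`, the thread's `affiliates(username, password)` table with `password` holding a password_hash() string, a `password_resets(username, token_hash, expires_at)` table created for this example, and placeholder URL and sender address.

```php
<?php
// Added example, not code from the thread. Assumes:
//   affiliates(username, password)           -- password is a password_hash() string
//   CREATE TABLE password_resets (
//       username   VARCHAR(255) PRIMARY KEY,
//       token_hash CHAR(64)     NOT NULL,
//       expires_at DATETIME     NOT NULL);
declare(strict_types=1);

const RESET_TTL = 3600;                               // link valid for one hour
const RESET_URL = 'https://example.com/reset.php';    // placeholder
const FROM_ADDR = 'noreply@example.com';              // placeholder

// Step 1: user submits an e-mail address. Only confirm-by-link is sent; nothing
// about the account changes yet, so a forged request cannot lock the user out.
function requestReset(mysqli $con, string $mail): void
{
    $stmt = mysqli_prepare($con, 'SELECT 1 FROM affiliates WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $mail);
    mysqli_stmt_execute($stmt);
    $exists = mysqli_fetch_row(mysqli_stmt_get_result($stmt)) !== null;
    mysqli_stmt_close($stmt);
    if (!$exists) {
        return;                       // caller prints the same message either way
    }

    $token     = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, unguessable
    $tokenHash = hash('sha256', $token);      // store only the hash: a DB leak yields no live links
    $expires   = date('Y-m-d H:i:s', time() + RESET_TTL);

    $stmt = mysqli_prepare($con,
        'REPLACE INTO password_resets (username, token_hash, expires_at) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sss', $mail, $tokenHash, $expires);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    $link = RESET_URL . '?u=' . rawurlencode($mail) . '&t=' . $token;
    mail($mail, 'Password reset request',
        "Someone asked to reset the password for this address. If that was you, open:\n"
        . "$link\nThe link expires in one hour. If it wasn't you, ignore this e-mail.",
        'From: ' . FROM_ADDR);
}

// Step 2: the reset form posts the token (from the link, carried in a hidden
// field) together with the new password. Returns true if the password changed.
function completeReset(mysqli $con, string $mail, string $token, string $newPassword): bool
{
    $stmt = mysqli_prepare($con,
        'SELECT token_hash, expires_at FROM password_resets WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $mail);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    // hash_equals() compares in constant time so timing does not leak the token.
    if ($row === null
        || strtotime($row['expires_at']) < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    if (strlen($newPassword) < 12) {
        return false;                 // assumed minimum-length policy
    }

    // password_hash() generates its own random salt and stores it inside the
    // returned string, so no separate salt column has to be kept in step.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($con, 'UPDATE affiliates SET password = ? WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 'ss', $hash, $mail);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    // Consume the token so the same link cannot be replayed.
    $stmt = mysqli_prepare($con, 'DELETE FROM password_resets WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $mail);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return true;
}

// At login, password_verify() reads the salt back out of the stored string:
//   if (password_verify($_POST['password'], $storedHash)) { /* logged in */ }
```

The flow never e-mails a password at all: the user proves control of the mailbox by presenting the token, then picks a new password over the reset form, so nothing reusable sits in their inbox afterwards.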
