ianhaney Posted December 7, 2015

Hi

I know it is not the best way to do it, but I just want to get it working for the time being.

I want the user to enter their email address and have their password sent to their email address if they forget it.

I have the following so far:

    <form method="post" action="forgot-password.php" class="signup">
    <label>Email Address: <input name="username" type="text" /></label>
    <br />
    <input type="submit" name="submit" value="submit" id="submit" />
    </form>

    <?php
    $con = mysqli_connect("","","","");
    // Check connection
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    if(isset($_POST['submit']))
    {
        $mail=$_POST['username'];
        $q="select * password from affiliates where username='".$mail."'";
        $res=mysqli_fetch_assoc($con, $q);
        $password=$res['password'];
        $msg='Your password is '.$password;
        $sub='Send password';
        $header='From: noreply@it-doneright.co.uk';
        $m=mail($mail,$sub,$msg,$header);
        if($m)
        {
            echo'check your mail';
        }
    }
    ?>

I have probably made some mistakes with the code in relation to mysql and mysqli, but am trying to get it working and doing my best before I wanted to post here.

That code sends the email but the password is blank; it just says within the email "Your password:"

On the page, I have the following error:

    Notice: Undefined variable: res in /home/sites/it-doneright.co.uk/public_html/forgot-password.php on line 51
    NULL
    Warning: mysqli_fetch_assoc() expects exactly 1 parameter, 2 given in /home/sites/it-doneright.co.uk/public_html/forgot-password.php on line 53
    check your mail

- SO IS SENDING THE MAIL

maxxd Posted December 7, 2015

Not even looking at the code, your setup is seriously flawed. If you're storing the password in the database as plaintext, stop doing that. The password should be hashed before storing in the database, which means you couldn't e-mail the user's current password to them. I mean, you could, but they'd have to decrypt it before they could use it to log in. That's the point - if your database is compromised, the hackers won't have access to plaintext passwords.

As for the actual error message you're receiving, you've got a syntax error in your SQL.

ianhaney Posted December 7, 2015

Hi maxxd

The password is hashed in the database, as I read it is never a good idea to store passwords as plain text for security reasons, so I have hashed it and that side is all OK.

cyberRobot Posted December 7, 2015

As maxxd mentioned, your SQL query has a syntax error. You're selecting all columns (*) and the password column. Your query needs a comma:

    $q="select *, password from affiliates where username='".$mail."'";

Or since you're only using the password column, you could remove the asterisk.

    $q="select password from affiliates where username='".$mail."'";

Also note that you need to run the query through mysqli_query() before you can use mysqli_fetch_assoc(). More information can be found here: http://php.net/manual/en/mysqli.query.php

Side note: your query is vulnerable to SQL injection attacks. If you're not doing so already, you should look into creating Prepared Statements or at least use mysqli_real_escape_string().

And if you need more information about password hashing, the following may help: http://php.net/manual/en/faq.passwords.php

cyberRobot Posted December 7, 2015

> Hi maxxd
>
> The password is hashed in the database, as I read it is never a good idea to store passwords as plain text for security reasons, so I have hashed it and that side is all OK.

Sending a hashed password isn't going to be very useful for the person requesting their password. You'll need to generate a new random password and send them a plain-text version.

Or better yet, send them an email to make sure they want to reset their password. If they click on the confirmation link, you can generate the new password and send it to them.

Edited December 7, 2015 by cyberRobot

ianhaney Posted December 7, 2015

Regarding the SQL syntax error, I put the SQL query in a checker and it said it was OK, or have I got it wrong somewhere?

ianhaney Posted December 7, 2015

Hi

Thank you for the replies, appreciate it.

I think I am going to scrap the current coding and look at generating a new random password, but when I tried to do it, I got stuck. I will give it another go.

cyberRobot Posted December 7, 2015

> Regarding the SQL syntax error, I put the SQL query in a checker and it said it was OK, or have I got it wrong somewhere?

Did you see my response above (Response #4)?

ianhaney Posted December 7, 2015

Yeah, sorry, I saw that response. Going by what the replies were, it was easier to scrap it all and start again.

I did manage to do the reset password once and it did change in the password hashed column, but it didn't change the psalt column next to it, so I was unable to log in.

ginerjm Posted December 7, 2015

As previously mentioned - you should really send an email asking the user if he wants to reset his password, to avoid someone hacking and causing you to make a change that the user didn't request. Add a hidden field to the reset form that you provide the user if he responds 'Yes', to be able to detect a valid reset request from the user as opposed to the perhaps invalid request from a hacker.

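Added example, not part of any post in this thread: one way to build the confirmation-link reset the replies recommend, using prepared statements and a single-use token in place of emailing a password. The `affiliates` table and its `username` and `password` columns come from the thread; the `password_resets` table, the function names and the example.com link are assumptions, and login is assumed to check passwords with `password_verify()`.

```php
<?php
// Added example. Assumed, not from the thread: table password_resets
// (username PRIMARY KEY, token_hash, expires_at); login uses password_verify().
// Step 1: the "forgot password" form was submitted. Email a one-time link.
function requestReset(mysqli $con, string $email): void
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return; // also keeps header-breaking characters out of mail()
    }
    // Prepared statement: the address is bound, never concatenated into SQL.
    $stmt = $con->prepare('SELECT username FROM affiliates WHERE username = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    if (!$stmt->get_result()->fetch_assoc()) {
        return; // unknown address: caller shows the same "check your mail" page
    }
    $token = bin2hex(random_bytes(32)); // unguessable; appears only in the email
    $hash  = hash('sha256', $token);    // the database keeps only this hash
    $stmt = $con->prepare('REPLACE INTO password_resets (username, token_hash,
        expires_at) VALUES (?, ?, NOW() + INTERVAL 30 MINUTE)');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $link = 'https://example.com/reset-password.php?token=' . $token; // placeholder
    mail($email, 'Password reset', "Choose a new password here:\n$link",
        'From: noreply@it-doneright.co.uk');
}

// Step 2: the user followed the link and submitted a new password.
function completeReset(mysqli $con, string $token, string $newPassword): bool
{
    $hash = hash('sha256', $token);
    $stmt = $con->prepare('SELECT username FROM password_resets
        WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row) {
        return false; // unknown, expired or already used token
    }
    // password_hash() generates a salt and embeds it in the returned string.
    $pwHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $con->prepare('UPDATE affiliates SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $pwHash, $row['username']);
    $stmt->execute();
    $stmt = $con->prepare('DELETE FROM password_resets WHERE username = ?');
    $stmt->bind_param('s', $row['username']); // token is single use
    $stmt->execute();
    return true;
}
```
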