Email Forgotten Password Script

[MrBafner]

A few months ago I bought a script that is used to access a members area, but now some members have forgotten their passwords and its a pain to keep retrieving them manually from the database.

 

This is the Sign-in script, which recognises the email/pass, and directs if correct or incorrect.

 

<?
if ($_SESSION['UID']) {
header('Location: index.php');
die;
}
if ($_POST) {
if ($_SESSION['UID'] = sqlr("SELECT `id` FROM `users` WHERE `email`='".addsl($_POST['email'])."' AND `password`='".addsl($_POST['password'])."'")) {
	header('Location: ?Mod=Orders');
	die;
}
else {
	$_SESSION['errors'][] = 'E-mail or password is incorrect';
	header('Location: ?Mod=SignIn');
	die;
}
}
$out = tpl_load('sign_in.html');
?>

 

 

This is the form used to sign-in

 

<h3><font color=#000000>Sign in</font></h3>
<form action="" method="post">
  <table border="0" cellspacing="10" cellpadding="0">
  <!-- %SUB show_errors% -->
    <tr>
      <td><span style="color: #FF0000;">%=error%</span></td>
    </tr>
  <!-- %ENDSUB show_errors% -->
  </table>
  <table border="0" cellspacing="10" cellpadding="0">
    <tr>
      <td>E-mail:</td>
      <td>
        <input type="text" name="email" />
      </td>
    </tr>
    <tr>
      <td>Password:</td>
      <td>
        <input type="password" name="password" />
      </td>
    </tr>
    <tr>
      <td> </td>
      <td>
        <input type="submit" name="Submit" value="Submit" />
      </td>
    </tr>
    <tr>
      <td> </td>
      <td> </td>
    </tr>
    <tr>
      <td> </td>
      <td>
        You will need to <a href="http://www.domainname.com/index.php?Mod=Registration">register</a> if not already.
      </td>
    </tr>
  </table>
</form>

 

 

 

I need to place a link on the site to retrieve forgotten password, this needs to be sent to the email address matching the email addy in the database.

 

Will I need to rewrite this script, create a new script / form, and if so... how?

[AdRock]

I don't know if this would help but it's how i reset a users password and the code beneath allows the user to change their password

 

This code resets their password using md5 and emails the user.

 

The second code will update the database with the users new chosen pass

word

<?php
session_start();  // Start Session
session_register("session");

// This is displayed if all the fields are not filled in
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";

// Convert to simple variables  
$email_address = $_POST['email_address'];

if (!isset($_POST['email_address'])) {
?>
<h2>Recover a forgotten password!</h2><hr>

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <p><label for="email_address">Email:</label>
    <input type="text" title="Please enter your email address" name="email_address" size="30"/></p>

    <p><label title="Reset Password">&nbsp</label>
    <input type="submit" value="Submit" class="submit-button"/></p>
</form>
<?php
}

elseif (empty($email_address)) {

    echo $empty_fields_message;

}

else {
$email_address=mysql_real_escape_string($email_address);
$status = "OK";
$msg="";
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
if (!stristr($email_address,"@") OR !stristr($email_address,".")) {
$msg="Your email address is not correct<BR>"; 
$status= "NOTOK";}


echo "<br><br>";
if($status=="OK"){  $query="SELECT email_address,username FROM users WHERE users.email_address = '$email_address'";

$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email_address;// email is stored to a variable
if ($recs == 0) {  echo "<center><font face='Verdana' size='2' color=red><b>No Password</b><br> Sorry Your address is not there in our database . You can signup and login to use our site. <BR><BR><a href='http://www.jackgodfrey.org.uk/register'>Register</a> </center>"; exit;}

function makeRandomPassword() { 
          $salt = "abchefghjkmnpqrstuvwxyz0123456789"; 
          srand((double)microtime()*1000000);  
          $i = 0; 
          while ($i <= 7) { 
                $num = rand() % 33; 
                $tmp = substr($salt, $num, 1); 
                $pass = $pass . $tmp; 
                $i++; 
          } 
          return $pass; 
    } 

    $random_password = makeRandomPassword(); 

    $db_password = md5($random_password); 
     
    $sql = mysql_query("UPDATE users SET password='$db_password'  
                WHERE email_address='$email_address'"); 
     
    $subject = "Your password at www.yoursite.com"; 
    $message = "Hi, we have reset your password. 
     
    New Password: $random_password 
     
    http://yoursite.com/login

    Once logged in you can change your password 
     
    Thanks! 
    Site admin 
     
    This is an automated response, please do not reply!"; 
     
    mail($email_address, $subject, $message, "From: yoursite.com Webmaster<[email protected]>\n 
        X-Mailer: PHP/" . phpversion()); 
    echo "Your password has been sent! Please check your email!<br />"; 
    echo "<br><br>Click <a href='http://www.yoursite.com/login'>here</a> to login";
} 

else {echo "<center><font face='Verdana' size='2' color=red >$msg <br><br><input type='button' value='Retry' onClick='history.go(-1)'></center></font>";}
}
?>

 

<?
session_start();
session_register("session");

//if(!isset($session['userid'])){
//echo "<center><font face='Verdana' size='2' color=red>Sorry, Please login and use this page </font></center>";
//exit;
//}

// This is displayed if all the fields are not filled in
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";

// Convert to simple variables 
$password1 = $_POST['password1']; 
$password2 = $_POST['password2'];

if (!isset($_POST['password1'])) {
?>
<h2>Change password! <? echo $_SESSION['email_address']; ?></h2><hr>
<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">

    <p><label for="password1"">New password:</label>
    <input type="password" title="Please enter a password" name="password1" size="30"></p>

    <p><label for="password2">Re-enter Password:</label>
    <input type="password" title="Please re-enter password" name="password2" size="30"></p>

    <p style="stext-align:left"><label for="submit">&nbsp</label>
    <input type="submit" value="Change" class="submit-button"/></p>
</form>
<?php
}

elseif (empty($password1) || empty($password2))  {

    echo $empty_fields_message;

}

else {

include 'includes/connection.php'; 

$db_password1=md5(mysql_real_escape_string($password1));

//Setting flags for checking
$status = "OK";
$msg="";

if ( strlen($password1) < 3 or strlen($password1) > 10 ){
$msg=$msg."Password must be more than 3 characters in length and maximum 10 characters in length<BR>";
$status= "NOTOK";}					

if (strcmp( $password1,$password2 ) !=0){
$msg=$msg."Both passwords do not match<BR>";
$status= "NOTOK";}					

if($status<>"OK"){ 
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("update users set password='$db_password1' where userid='$session[userid]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password for better security</font></center>". $password1;
}
}
}
?>

[MrBafner]

Thanks Adrock, this worked like a little beauty. Have it so it changes the password with a random password, just need to tweek it so it sends the email to the user.

 

Not sure why it does not recognise the following

 

    mail($email, $subject, $message, "From: yoursite.com Webmaster<[email protected]>\n

        X-Mailer: PHP/" . phpversion());

 

 

 

Thankyou for your help, definately put me in the right direction.