Update new password in database ?

[coop]

Hi all,

 

I'm having real problems with this code that creates a new password for a customers account and then emails it to them (if they have forotten there password when loggin in 0).

 

The code tests if the email is in the database which seem to work fine, then generates a random 7 character password which works, and then emails this to the email which also works. The problem is it's not being updated in the database. This has been driving me med all day so any help would be much appreicated.

 

The code uses a database class that acts the same as the mysqli class.

 

[pre]

<?php
require_once('database.php');
require('phpmailer/class.phpmailer.php');
if (!get_magic_quotes_gpc()) {
  foreach($_POST as $key=>$value) {
    $temp = addslashes($value);
    $_POST[$key] = $temp;
    }
  }

$db = new Database('localhost','root','root','Test');
$sql = 'SELECT * FROM Customers WHERE userMail = "'.$_POST['user_Mail'].'"';
$result = $db->query($sql);
$numRows = $result->num_rows;
if($numRows < 1){
$noEmail = 'That email is not in the database.';
echo 'notHere=y&message='.urlencode($noEmail);
}else{
$row = $result->fetch_assoc();
$username = $row["userName"];
//echo $username;
$rand_string = '';
   for($a=0;$a<7;$a++){
      do{
        $newrand = chr(rand(0,256));
      } while(!eregi("^[a-z0-9]$",$newrand));
      $rand_string .= $newrand;
   }
   $pwd_to_insert = md5($rand_string);
   $sqlUpdate = 'UPDATE Customers SET userPassword = "$pwd_to_insert" 
							 WHERE userName = "$username" AND userMail = "'.$_POST['user_Mail'].'"';						
	$mail = new PHPMailer();
	$mail->IsSMTP(); 
	$mail->Host = "smtp.mysite.com"; 
	$mail->Mailer = "smtp";
	$mail->From = "sales@mysite.co.uk";
	$mail->AddAddress("me@mysite.com");
	$mail->Subject = "Login password";
	$mail->Body = "\n\n\n\nYou requeted that a new password be sent to ".$_POST['user_Mail']."\n\n"."User Name : ".$username."\n\nYour new password is : ".$rand_string."\n\n\n\nIf you have further problems please contact the mysite support staff.";
	$mail->WordWrap = 50;
	if(!$mail->Send()){
		$noEmail = 'Email not sent';
		echo 'Mailer Error: ' . $mail->ErrorInfo;
	}else{
		$emailSent = 'Email sent';
		echo 'email=y&message'.urlencode($emailSent);
	}	
}
?>

[/pre]

[recklessgeneral]

Hi coop,

 

You'll have to break out of the quotes in your sqlUpdate string to substitute the values for username and password, like so:

 

$sqlUpdate = 'UPDATE Customers SET userPassword = "' . $pwd_to_insert . '" WHERE userName = "' . $username . '" AND userMail = "'.$_POST['user_Mail'].'"';	

 

By using single quotes for your literal string, the variables are not expanded unlike double-quoted strings.

 

Cheers,

Darren.

[coop]

Thanks Darren,

 

Could you explain why this works - I'm newish to php and some things aren't making sense.

I know the difference with single and double quotes - if it's double quotes the value of the variable is parsed, but here you have " ' ' " - single quotes within double quotes.

 

Thanks for you time.

 

c.

[Jessica]

Not really. He has double quotes inside the string. It's how to make a string inside a string basically, for SQL.

I would do it this way:

$sqlUpdate = "UPDATE Customers SET userPassword = '$pwd_to_insert' WHERE userName = '$username' AND userMail = '".$_POST['user_Mail']."'";	

 

It's the same thing.