reset users password


jesushax

I'm trying to reset a user's password to "password" if they forget it.

I'm going wrong somewhere though.

 

include($_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php');

switch(@$_GET["action"]) {

Case "lostpass":

$Email =  mysql_real_escape_string($_POST["txtEmailAddress"]);

$sql = mysql_query("SELECT UserID FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());

$rspass = mysql_fetch_array($sql);

$ID = $rspass["UserID"];

mysql_query("UPDATE tblUsers SET UserPassword='". md5("password")." WHERE UserID='".$ID."'") or die(mysql_error());

 

Is there a way I can set a user's password to a random word, then get that word emailed to them?

Cheers

Link to comment

What about this?

 

<?php 

/** 
* The letter l (lowercase L) and the number 1 
* have been removed, as they can be mistaken 
* for each other. 
*/ 

function createRandomPassword() { 

    $chars = "abcdefghijkmnopqrstuvwxyz023456789"; 
    srand((double)microtime()*1000000); 
    $i = 0; 
    $pass = '' ; 

    while ($i <= 7) { 
        $num = rand() % strlen($chars); // index over the whole string so the last character can be picked too
        $tmp = substr($chars, $num, 1); 
        $pass = $pass . $tmp; 
        $i++; 
    } 

    return $pass; 

} 

// Usage 
$password = createRandomPassword(); 
echo "Your random password is: $password"; 

?> 

Link to comment

I have this altogether now

 

<?php

include($_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php');

switch(@$_GET["action"]) {

Case "lostpass":

function createRandomPassword() { 

    $chars = "abcdefghijkmnopqrstuvwxyz023456789"; 
    srand((double)microtime()*1000000); 
    $i = 0; 
    $pass = '' ; 

    while ($i <= 7) { 
        $num = rand() % strlen($chars); // index over the whole string so the last character can be picked too
        $tmp = substr($chars, $num, 1); 
        $pass = $pass . $tmp; 
        $i++; 
    } 

    return $pass; 

} //end

$Email =  mysql_real_escape_string($_POST["txtEmailAddress"]);

$sql = mysql_query("SELECT UserID FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());

$rspass = mysql_fetch_array($sql);

$ID = $rspass["UserID"];

$password = createRandomPassword(); 

$Newpass = md5($password);

mysql_query("UPDATE tblUsers SET UserPassword='".$Newpass." WHERE UserID='".$ID."'") or die(mysql_error());

// Usage 
echo "Your random password is: $password"; 

break;

default:
?>
<form name="lostpass" method="post" action="?action=lostpass">
<p>
Your Email Address:<input name="txtEmailAddress" type="text" size="30"><br /> 
<input name="" type="submit" value="Send Password">
</p>
</form>
<p><a href="/includes/login_form.php" class="lbOn">Back to login form</a></p>

<p><a href="#" class="lbAction" rel="deactivate">Close / Cancel</a></p>
<?php
break;
}
?>

 

And this error message:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2'' at line 1

 

Ideas?

Cheers

Link to comment

Something like:

 

<?php

switch(@$_GET["action"]) {

Case "lostpass":

$Email =  mysql_real_escape_string($_POST["txtEmailAddress"]);

$words =array('word', 'word1', 'word2','word3'); //etc..

$count = count($words); //counts how many elements are in the array

$rand = rand(0, $count - 1); //random index between 0 and the last element of $words

$rand_word = $words[$rand];


$sql = mysql_query("SELECT UserID, UserName FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());

$rspass = mysql_fetch_array($sql);

$ID = $rspass["UserID"];

mysql_query("UPDATE tblUsers SET UserPassword='". md5($rand_word)." WHERE UserID='".$ID."'") or die(mysql_error());

$sql_a = "SELECT * FROM tblUsers WHERE UserID='$ID'";
$result = mysql_query($sql_a);
$row = mysql_fetch_array($result);

$name = $row['UserName'];
$pass = $rand_word; // the new plain-text word; UserPassword now holds only its MD5 hash
$email = $row['UserEmail'];

$to = $name . "<" . $email . ">";
$headers = 'From: email@mysite.co.uk' . "\r\n" .
        'Reply-To: replyto@mysite.co.uk';
$subject = "Lost Password";
$body = <<<EMAIL

Welcome $name, please take note of your new login details. Your password has been reset, you can change it again when you login.

Username: $name
Password: $pass

Thank you, 
Team

EMAIL;

mail($to, $subject, $body, $headers);

break;
}

?>

 

This will email them the random password.

 

The problem with your SQL is most likely in

 

mysql_query("UPDATE tblUsers SET UserPassword='".$Newpass." WHERE UserID='".$ID."'") or die(mysql_error());

 

Leave the first SQL statement as it is and change the second one to 'or die("Error in sql part 2: ".mysql_error());', which will tell you which one is giving the error.

Link to comment

DO NOT use the random word example for user passwords. The x random character one is so much more secure and makes more sense.

 

This is why many programmers use the syntax

 

$q = "SELECT $set FROM $table WHERE `id`='$id'";
$r = mysql_query($q);

 

If anything goes wrong with the query, you can just echo $q and find out exactly what's being sent to MySQL.

 

Try doing this and let us know what $q outputs.

Link to comment

No, that doesn't work either; same error message as before.

It says near line 1, but line 1 isn't even SQL.

The near 2 thing is the user ID though.

I know the user's ID I'm trying to change is 2 and it says near 2, so something's going wrong there...

Link to comment

My $0.02

 

I don't like giving users new passwords. I don't know why, but creating a random password for them and emailing it to them just rubs me the wrong way.

 

This is what I do:

There's a link near the login form indicating something about a lost/forgotten password. The user clicks that and must enter the email address associated with the account (which only they should know). The next step is for them to answer their secret question with their secret answer (which they provided upon registering for an account). If the answer is correct, an email is sent to them with a link to update their password. The link takes them to a page that immediately will update their password by displaying a new password input field and a re-enter new password input field. The link from the email is formatted with some parameters that are a hash of the user's email address, last login, and a salt. The resetpass page queries the database looking for any user where the hash of their email, last login, and a salt match the hash from the link. All the information that is found is put into hidden fields (which user ID to update once the form has been filled out, etc.) so it's easy to update the password in the database. Upon updating the password you also log the user into the site and update the last login so that the link in their email isn't valid anymore. For the last login I use the datetime field so that it will be specific down to the second so no duplicates can occur.

 

I know that's a lot of work to create and I'm sure changing your website isn't something you're jumping at the chance to do. Again, this is just my $0.02 because of the reasons I said at the top.

Link to comment
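Added example (not part of any post in this thread): a sketch of the emailed reset link described in the post above, where the token stops verifying as soon as the last-login value changes. It swaps the plain hash plus salt for HMAC-SHA256 with a server-side secret, puts the user ID in the link, and re-checks the token on the server instead of trusting hidden fields. RESET_SECRET, the LastLogin column, the example.com URL and the sample row are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. RESET_SECRET and the sample user
// row are constructed; a real secret would be stored outside the web root.
const RESET_SECRET = 'replace-with-a-long-random-server-side-secret';

// Token = HMAC over the user's email and last-login timestamp. It changes as
// soon as LastLogin changes, which is what makes the emailed link single-use.
function resetToken(array $user): string
{
    return hash_hmac('sha256', $user['UserEmail'] . '|' . $user['LastLogin'], RESET_SECRET);
}

function resetLink(array $user): string
{
    // Hypothetical URL; the user ID lets the server load one row to check.
    return 'https://www.example.com/resetpass.php?uid=' . $user['UserID']
         . '&token=' . resetToken($user);
}

// Recompute the token from the stored row and compare in constant time.
// The row returned here, not a hidden form field, decides which user to update.
function verifyReset(array $users, string $uid, string $token): ?array
{
    $user = $users[$uid] ?? null;
    if ($user === null || !hash_equals(resetToken($user), $token)) {
        return null;
    }
    return $user;
}

// Constructed sample data standing in for tblUsers.
$users = [
    '2' => ['UserID' => 2, 'UserEmail' => 'user@example.com', 'LastLogin' => '2008-03-01 10:15:42'],
];

$link = resetLink($users['2']);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

// Link checked while LastLogin is unchanged.
var_dump(verifyReset($users, $q['uid'], $q['token']) !== null);

// After the password change the site logs the user in and updates LastLogin;
// the same link is then checked a second time.
$users['2']['LastLogin'] = '2008-03-02 09:00:00';
var_dump(verifyReset($users, $q['uid'], $q['token']) !== null);
```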

UserPassword isn't completely quoted in your SQL.

 

Correct.

This line:

mysql_query("UPDATE tblUsers SET UserPassword='". md5($rand_word)." WHERE UserID='".$ID."'") or die(mysql_error());

 

To be:

mysql_query("UPDATE `tblUsers` SET `UserPassword`='". md5($rand_word)."' WHERE `UserID`='".$ID."'") or die(mysql_error());

Link to comment
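Added example (not part of any post in this thread): the same reset written with PDO prepared statements, so a missing quote like the one fixed above cannot break the query, with the random password drawn from random_int() and stored with password_hash() instead of rand() and md5(). It runs against an in-memory SQLite copy of tblUsers with one constructed row; the PDO connection, the 12-character length and the sample addresses are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite table
// with constructed sample data so it can be run offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblUsers (UserID INTEGER PRIMARY KEY, UserEmail TEXT, UserPassword TEXT)');
$pdo->exec("INSERT INTO tblUsers VALUES (2, 'user@example.com', 'old')");

// Same alphabet as the thread (no "l" or "1"), but drawn with random_int(),
// which uses the operating system's CSPRNG instead of a time-seeded rand().
function createRandomPassword(int $length = 12): string
{
    $chars = 'abcdefghijkmnopqrstuvwxyz023456789';
    $max   = strlen($chars) - 1;
    $pass  = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $chars[random_int(0, $max)];
    }
    return $pass;
}

// Returns the new plain-text password, or null when the address is unknown.
function resetPassword(PDO $pdo, string $email): ?string
{
    $find = $pdo->prepare('SELECT UserID FROM tblUsers WHERE UserEmail = ?');
    $find->execute([$email]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return null; // no such user: do not run the UPDATE at all
    }

    $password = createRandomPassword();
    // Placeholders keep the values out of the SQL text, so there are no
    // quotes to forget and no escaping to get wrong.
    $update = $pdo->prepare('UPDATE tblUsers SET UserPassword = ? WHERE UserID = ?');
    $update->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
    return $password;
}

$new    = resetPassword($pdo, 'user@example.com');
$stored = $pdo->query('SELECT UserPassword FROM tblUsers WHERE UserID = 2')->fetchColumn();
var_dump(password_verify($new, $stored));            // check the stored hash against the new password
var_dump(resetPassword($pdo, 'nobody@example.com')); // address that is not in the table
```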