jesushax Posted March 13, 2008

I'm trying to reset a user's password to "password" if they forget it. I'm going wrong somewhere, though.

```php
include($_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php');

switch (@$_GET["action"]) {
case "lostpass":
    $Email = mysql_real_escape_string($_POST["txtEmailAddress"]);
    $sql = mysql_query("SELECT UserID FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());
    $rspass = mysql_fetch_array($sql);
    $ID = $rspass["UserID"];
    mysql_query("UPDATE tblUsers SET UserPassword='". md5("password")." WHERE UserID='".$ID."'") or die(mysql_error());
```

Is there a way I can set a user's password to a random word and then get that word emailed to them?

Cheers

lordfrikk Posted March 13, 2008

What about this?

```php
<?php
/**
 * The letter l (lowercase L) and the number 1
 * have been removed, as they can be mistaken
 * for each other.
 */
function createRandomPassword() {
    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
    srand((double)microtime()*1000000);
    $i = 0;
    $pass = '';
    while ($i <= 7) {
        // index over the whole string, so the last character can be picked too
        $num = rand() % strlen($chars);
        $tmp = substr($chars, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}

// Usage
$password = createRandomPassword();
echo "Your random password is: $password";
?>
```

jesushax Posted March 13, 2008

I have this altogether now:

```php
<?php
include($_SERVER['DOCUMENT_ROOT'] . '/includes/connection.php');

switch (@$_GET["action"]) {
case "lostpass":

    function createRandomPassword() {
        $chars = "abcdefghijkmnopqrstuvwxyz023456789";
        srand((double)microtime()*1000000);
        $i = 0;
        $pass = '';
        while ($i <= 7) {
            // index over the whole string, so the last character can be picked too
            $num = rand() % strlen($chars);
            $tmp = substr($chars, $num, 1);
            $pass = $pass . $tmp;
            $i++;
        }
        return $pass;
    }
    //end

    $Email = mysql_real_escape_string($_POST["txtEmailAddress"]);
    $sql = mysql_query("SELECT UserID FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());
    $rspass = mysql_fetch_array($sql);
    $ID = $rspass["UserID"];
    $password = createRandomPassword();
    $Newpass = md5($password);
    mysql_query("UPDATE tblUsers SET UserPassword='".$Newpass." WHERE UserID='".$ID."'") or die(mysql_error());

    // Usage
    echo "Your random password is: $password";
    break;

default:
?>
<form name="lostpass" method="post" action="?action=lostpass">
<p>
Your Email Address:<input name="txtEmailAddress" type="text" size="30"><br />
<input name="" type="submit" value="Send Password">
</p>
</form>
<p><a href="/includes/login_form.php" class="lbOn">Back to login form</a></p>
<p><a href="#" class="lbAction" rel="deactivate">Close / Cancel</a></p>
<?php
    break;
}
?>
```

and this error message:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2'' at line 1
```

Ideas?

Cheers

conker87 Posted March 13, 2008

Line one is what?

helraizer Posted March 13, 2008

Something like:

```php
<?php
switch (@$_GET["action"]) {
case "lostpass":
    $Email = mysql_real_escape_string($_POST["txtEmailAddress"]);

    $words = array('word', 'word1', 'word2', 'word3'); //etc..
    $count = count($words); //counts how many elements are in the array
    $rand = rand(0, $count - 1); //random index between 0 and the last element
    $rand_word = $words[$rand];

    $sql = mysql_query("SELECT UserID, UserName FROM tblUsers WHERE UserEmail='".$Email."' ") or die(mysql_error());
    $rspass = mysql_fetch_array($sql);
    $ID = $rspass["UserID"];
    mysql_query("UPDATE tblUsers SET UserPassword='". md5($rand_word)." WHERE UserID='".$ID."'") or die(mysql_error());

    $sql_a = "SELECT * FROM tblUsers WHERE UserID='$ID'";
    $result = mysql_query($sql_a);
    $row = mysql_fetch_array($result);

    $name = $row['UserName'];
    $pass = $rand_word;           // the plain-text word; the table only holds its md5 hash
    $email = $row['UserEmail'];   // address to send to
    $to = $name . "<" . $email . ">";
    $headers = 'From: email@mysite.co.uk' . "\r\n" .
               'Reply-To: replyto@mysite.co.uk';
    $subject = "Lost Password";
    $body = <<<EMAIL
Welcome $name, please take note of your new login details.

Your password has been reset, you can change it again when you login.

Username: $name
Password: $pass

Thank you,
Team
EMAIL;

    mail($to, $subject, $body, $headers);
    break;
}
?>
```

This will email them the random password.

The problem with your SQL is most likely in

```php
mysql_query("UPDATE tblUsers SET UserPassword='".$Newpass." WHERE UserID='".$ID."'") or die(mysql_error());
```

Leave the first SQL statement and change the second one to `or die("Error in sql part 2: ".mysql_error());`, which will tell you which one is giving the error.

discomatt Posted March 13, 2008

DO NOT use the random word example for user passwords. The x random character one is so much more secure and makes more sense.

This is why many programmers use the syntax

```php
$q = "SELECT $set FROM $table WHERE `id`='$id'";
$r = mysql_query($q);
```

If anything goes wrong with the query, you can just echo $q and find out exactly what's being sent to MySQL. Try doing this and let us know what $q outputs.

jesushax Posted March 13, 2008

No, that doesn't work either, same error message as before.

It says near line 1, but line 1 isn't even SQL.

The "near 2" thing is the user ID though. I know the user's ID I'm trying to change is 2, and it says near 2, so something's going wrong there...

jesushax Posted March 13, 2008

I don't know what you mean with your example, discomatt... :S

soycharliente Posted March 13, 2008

My $0.02

I don't like giving users new passwords. I don't know why, but creating a random password for them and emailing it to them just rubs me the wrong way.

This is what I do:

There's a link near the login form indicating something about a lost/forgotten password. The user clicks that and must enter the email address associated with the account (which only they should know). The next step is for them to answer their secret question with their secret answer (which they provided upon registering for an account). If the answer is correct, an email is sent to them with a link to update their password. The link takes them to a page that immediately will update their password by displaying a new password input field and a re-enter new password input field.

The link from the email is formatted with some parameters that are a hash of the user's email address, last login, and a salt. The resetpass page queries the database looking for any user where the hash of their email, last login, and a salt match the hash from the link. All the information that is found is put into hidden fields (which user ID to update once the form has been filled out, etc.) so it's easy to update the password in the database. Upon updating the password you also log the user into the site and update the last login so that the link in their email isn't valid anymore. For the last login I use the datetime field so that it will be specific down to the second so no duplicates can occur.

I know that's a lot of work to create and I'm sure changing your website isn't something you're jumping at the chance to do. Again, this is just my $0.02 because of the reasons I said at the top.

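Added example, not part of the original post: one variant of the e-mailed reset link described above, using a keyed HMAC in place of a plain hash plus salt and carrying the user ID and an expiry time in the link, so the row is looked up by ID and then checked. `RESET_KEY`, `RESET_TTL`, the parameter names and the sample user are assumptions.

```php
<?php
// Added example. RESET_KEY, RESET_TTL, the field names and the sample user are
// assumptions; a real key is a long random secret kept out of the code base.
const RESET_KEY = 'constructed-demo-key-replace-with-random-secret';
const RESET_TTL = 3600; // link lifetime in seconds (assumed)

/** MAC over the values that must still be true when the link is used. */
function resetMac(array $user, int $expires): string
{
    $data = json_encode([$user['id'], $user['email'], $user['last_login'], $expires]);
    return hash_hmac('sha256', $data, RESET_KEY);
}

/** Query-string parameters for the e-mailed link. */
function makeResetParams(array $user, int $now): array
{
    $expires = $now + RESET_TTL;
    return ['uid' => $user['id'], 'exp' => $expires, 'mac' => resetMac($user, $expires)];
}

/** True only if the link is unexpired and still matches the user's current row. */
function checkResetParams(array $params, array $user, int $now): bool
{
    $exp = (int)($params['exp'] ?? 0);
    if ($exp < $now || (string)($params['uid'] ?? '') !== (string)$user['id']) {
        return false;
    }
    // hash_equals compares in constant time, so the check leaks no partial match
    return hash_equals(resetMac($user, $exp), (string)($params['mac'] ?? ''));
}

// Constructed sample data
$user = ['id' => 2, 'email' => 'user@example.com', 'last_login' => '2008-03-13 10:15:00'];
$now  = 1205403300;
$link = makeResetParams($user, $now);

var_dump(checkResetParams($link, $user, $now + 60));            // fresh link
var_dump(checkResetParams($link, $user, $now + RESET_TTL + 1)); // past its expiry
$user['last_login'] = '2008-03-13 10:20:00';                    // a login happened after the e-mail
var_dump(checkResetParams($link, $user, $now + 60));            // old link no longer matches
```
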
BlueSkyIS Posted March 13, 2008

UserPassword isn't completely quoted in your SQL.

lordfrikk Posted March 13, 2008

> My $0.02 (...)

Yes, that's the preferable way; I'm using it too.

soycharliente Posted March 13, 2008

> UserPassword isn't completely quoted in your SQL.

Correct.

This line:

```php
mysql_query("UPDATE tblUsers SET UserPassword='". md5($rand_word)." WHERE UserID='".$ID."'") or die(mysql_error());
```

To be:

```php
mysql_query("UPDATE `tblUsers` SET `UserPassword`='". md5($rand_word)."' WHERE `UserID`='".$ID."'") or die(mysql_error());
```

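Added example, not code from any poster in this thread: the same reset written with PDO prepared statements, so a quoting slip like the one corrected above cannot occur, with the password drawn from `random_int()` and stored with `password_hash()` instead of `md5()`. The table and column names are the thread's; the in-memory SQLite database, the sample row and the 12-character length are assumptions made so the script runs offline.

```php
<?php
// Added example: table and column names come from the thread; the in-memory
// SQLite database and the sample row are constructed so the script runs offline.

/** Build a password from a CSPRNG; l and 1 are left out as in the thread's generator. */
function createRandomPassword(int $length = 12): string
{
    $chars = 'abcdefghijkmnopqrstuvwxyz023456789';
    $max = strlen($chars) - 1;   // index range derived from the string, not hard-coded
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $chars[random_int(0, $max)];
    }
    return $pass;
}

/** Reset the password for an e-mail address; returns the new password, or null if no such user. */
function resetPassword(PDO $db, string $email): ?string
{
    $find = $db->prepare('SELECT UserID FROM tblUsers WHERE UserEmail = ?');
    $find->execute([$email]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return null;             // unknown address: nothing to update
    }
    $password = createRandomPassword();
    $update = $db->prepare('UPDATE tblUsers SET UserPassword = ? WHERE UserID = ?');
    $update->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
    return $password;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblUsers (UserID INTEGER PRIMARY KEY, UserEmail TEXT, UserPassword TEXT)');
$db->exec("INSERT INTO tblUsers (UserID, UserEmail, UserPassword) VALUES (2, 'user@example.com', '')");

$new  = resetPassword($db, 'user@example.com');
$hash = $db->query('SELECT UserPassword FROM tblUsers WHERE UserID = 2')->fetchColumn();
var_dump(password_verify($new, $hash));              // stored hash verifies against the new password
var_dump(resetPassword($db, "o'brien@example.com")); // an apostrophe is bound as data, not parsed as SQL
```
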
jesushax Posted March 13, 2008

Hmmm, I like the secret question idea...

So I get them to answer the question, then send them to a change password page.

Sounds like a plan, about an hour's work, but I like it...

Cheers

soycharliente Posted March 13, 2008

It took me a few days to get it working right. I'd be glad to help you with specific questions once you've begun working on it if you're really going to try and do that.