Jump to content

password reset not working

silverglade

By silverglade
in PHP Coding Help

 Share

Recommended Posts

silverglade Advanced Member

silverglade

Posted
Posted

Hi, I have a php password reset script that is not updating the database, or there is some other reason the new password reset is giving me a "wrong password" error on trying to use it. Any help Greatly appreciated! Thank you.

 

<?php

define('IN_SCRIPT', true);
// Start a session
session_start();

ini_set ("display_errors", "1");
error_reporting(E_ALL);

$host		= " ";
$database 	= " ";
$username 	= " ;
$password 	= " ";
$tbl_name   = " ";

$conn = mysql_connect($host, $username, $password) or die("Could not connect: " . mysql_error());

if($conn)
{
mysql_select_db($database);
echo "connected to database!!";
} else {
	echo "failed to select database";
}




//this function will display error messages in alert boxes, used for login forms so if a field is invalid it will still keep the info
//use error('foobar');
function error($msg) {
    ?>
    <html>
    <head>
    <script language="JavaScript">
    <!--
        alert("<?=$msg?>");
        history.back();
    //-->
    </script>
    </head>
    <body>
    </body>
    </html>
    <?
    exit;
}

//This functions checks and makes sure the email address that is being added to database is valid in format. 
function check_email_address($email) {
  // First, we check that there's one @ symbol, and that the lengths are right
  if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
    // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
    return false;
  }
  // Split it into sections to make life easier
  $email_array = explode("@", $email);
  $local_array = explode(".", $email_array[0]);
  for ($i = 0; $i < sizeof($local_array); $i++) {
     if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
      return false;
    }
  }  
  if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
    $domain_array = explode(".", $email_array[1]);
    if (sizeof($domain_array) < 2) {
        return false; // Not enough parts to domain
    }
    for ($i = 0; $i < sizeof($domain_array); $i++) {
      if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
        return false;
      }
    }
  }
  return true;
}


if (isset($_POST['submit'])) {

if ($_POST['forgotpassword']=='') {
	error('Please Fill in Email.');
}
if(get_magic_quotes_gpc()) {
	$forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword']));
} 
else {
	$forgotpassword = htmlspecialchars($_POST['forgotpassword']);
}
//Make sure it's a valid email address, last thing we want is some sort of exploit!
if (!check_email_address($_POST['forgotpassword'])) {
  		error('Email Not Valid - Must be in format of name@domain.tld');
}
    // Lets see if the email exists
    $sql = "SELECT COUNT(*) FROM users WHERE email = '$forgotpassword'";
    $result = mysql_query($sql)or die('Could not find member: ' . mysql_error());
    if (!mysql_result($result,0,0)>0) {
        error('Email Not Found!');
    }

//Generate a RANDOM MD5 Hash for a password
$random_password=md5(uniqid(rand()));

//Take the first 8 digits and use them as the password we intend to email the user
$emailpassword=substr($random_password, 0, ;

//Encrypt $emailpassword in MD5 format for the database
$newpassword = md5($emailpassword);

        // Make a safe query
       	$query = sprintf("UPDATE `users` SET `password` = '%s' 
					  WHERE `email` = '$forgotpassword'",
                    mysql_real_escape_string($newpassword));

				mysql_query($query)or die('Could not update members: ' . mysql_error());

//Email out the infromation

$site_name = "MYSITECOM";
$site_email = "noreply@MYSITE.COM";
$subject = "Your New Password"; 
$message = "Your new password is as follows:
---------------------------- 
Password: $emailpassword
---------------------------- 
Please make note this information has been encrypted into our database 

This email was automatically generated."; 
                       
          if(!mail($forgotpassword, $subject, $message,  "FROM: $site_name <$site_email>")){ 
             die ("Sending Email Failed, Please Contact Site Admin! ($site_email)"); 
          }else{ 
                error('New Password Sent!.');
         } 

}

else {
?>
      <form name="forgotpasswordform" action="" method="post">
        <table border="0" cellspacing="0" cellpadding="3" width="100%">
          <caption>
          <div>Forgot Password</div>
          </caption>
          <tr>
            <td>Email Address:</td>
            <td><input name="forgotpassword" type="text" value="" id="forgotpassword" /></td>
          </tr>
          <tr>
            <td colspan="2" class="footer"><input type="submit" name="submit" value="Submit" class="mainoption" /></td>
          </tr>
        </table>
      </form>
      <?
}
?>

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

It's really hard to tell without all of the relevant code, but have you compared the hash that get's inserted into the DB with the hash the login form generates when trying to login? Do they both use the same hashing algorithm, rather than this one using MD5 and the login maybe using SHA1, or a salt?

Link to comment
Share on other sites
silverglade Advanced Member

silverglade

Posted
  • Author
Posted

thank you, sorry this is the other relevant code, where the user registers and the first password is created. any more ideas greatly appreciated. thanks.

 

<?php

$host		= " ";
$database 	= " ";
$username 	= " ";
$password 	= " ";

mysql_connect($host, $username, $password) or die("Could not connect: " . mysql_error());

mysql_select_db($database);


if ($_POST['form_submitted'] == '1') {
##User is registering, insert data until we can activate it

$activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$username = mysql_real_escape_string($_POST[username]);


$email = mysql_real_escape_string($_POST[email]);
//////////////////////////////////////////////////////////////////////////
$username= $_POST['username'];

     $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

        $username_exist = mysql_num_rows($checkuser);

        if($username_exist > 0){
       
   echo "I'm sorry but the username you specified has already been taken.  Please pick         another one.";
        unset($username);
	$sendemail='0';
         }
   ///////////////////////////////////////////////////////////////////////////////////
   
     $email= $_POST['email'];

     $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");

        $useremail_exist = mysql_num_rows($checkemail);

        if($useremail_exist > 0){
       
   echo "I'm sorry but the email address you specified has already been taken.  Please pick         another one.";
        unset($email);
	$sendemail='0';
         }
	 ////////////////////////////////////////////////////////////////////////////// 

if ( $_POST['password'] == $_POST['password2'] && $username_exists <=0 && $useremail_exist <= 0) {	

$password = sha1($_POST['password']);


$sql="INSERT INTO users (username, password, email, activationkey, status) VALUES ('$username', '$password', '$email', '$activationKey', 'verify')";

$sendemail = '1';

} else {

echo "*Passwords do not match!";
$sendemail='0';
}

if (!mysql_query($sql))

  {

  die('Error: ' . mysql_error());

  }
$_POST['form_submitted'] = '0'; //make form disappear.

if ($sendemail =='1') { 
echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration.";
}
##Send activation Email

$to      = $_POST[email];

$subject = " MYWEBSITE.COM Registration";

$message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration at MYWEBSITE.com. You can complete registration by clicking the following link:\rhttp://www.MYWEBSITECOM/verify_user.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ MYWEBSITE.com Team";

$headers = 'From: noreply@ MYWEBSITE.com' . "\r\n" .

    'Reply-To: noreply@MYWEBSITE.com' . "\r\n" .

    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

} else {

##User isn't registering, check verify code and change activation code to null, status to activated on success

$queryString = $_SERVER['QUERY_STRING'];

$query = "SELECT * FROM users"; 

$result = mysql_query($query) or die(mysql_error());

  /*if*/ while($row = mysql_fetch_array($result)){

    if ($queryString == $row["activationkey"]){
     

  $_POST['form_submitted'] = '2'; //make form disappear.
     

   echo "Congratulations!" . $row["username"] . " is now the proud new owner of an MYWEBSITE.com account. Please sign in to the site at  <a href='sign_in.php'>THIS LINK</a>. ";

    $sql=" UPDATE users SET status='activated' WHERE (id = $row[id])";
          //UPDATE users SET activationkey = '',
  
   //$sql="UPDATE users SET activationkey = 'Done-$row[id]', status='activated' WHERE (id = $row[id])";
       if (!mysql_query($sql))

  {

        die('Error: ' . mysql_error());

  }

    }

  }

}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
font-size: large;
font-weight: bold;
}
.style3 {font-size: large}
-->
</style>
</head>

<body>
<p><a href="index.php">home</a></p>
<div align="center"><a href="how.html"> </a>  ;</span></div>
<p> </p>
<?php 

if (!isset ($_POST['form_submitted'])){

echo (' <div align="center"><span class="style3">  Please register. 
  </span> 
<table border="0">
<form action="verify_user.php" method="post" name="register">
<tr><td>Username: <input type="text" name="username" maxlength="20"></td></tr>
<tr><td>Password:<input type="password" name="password" /></td><td>
<tr><td>Confirm password: <input type="password" name="password2" maxlength="20"></td><td>
<tr><td> Email: <input type="text" name="email" /></td></tr>
  
    <input type="hidden" name="form_submitted" value="1"/>  

<tr><td><input type="submit" value="Submit" /></td></tr>
</form>
</table>
</div>'); 

}
if ( $_POST['form_submitted'] =='2'){  
echo (" You may now enter the site!");//echo nothing no form. 
}
?> 

</body>

</html>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.