jasonc Posted September 13, 2011 Share Posted September 13, 2011 After being forced to have the server upgraded I am having problems with my 'reset password' pages. What I wondered is, has there been any changes to PHP or MySQL between these versions ? The PHP version was 5.2.9 and is now 5.2.14 The MySQL version was Client API version 5.0.45 and is now Client API version 5.0.90 Some one clicks a link like this. www.site.com/resetpw.php?pwr=a1b2c3d4e5f6 the code would be a 32 char hash that is checked against the database, but my code now (which was never changed before or after the server change) seems to find the database line and update it but show the message that it was invalid ? instead of showing the the message, your password will be sent to you after changing the DB does anyone have any ideas ? <?php include('includes/connection.php'); include('includes/functions.php'); date_default_timezone_set('Europe/London'); if(isset($_POST['reset']) && trim($_POST['reset']) == 'Reset') { $email = mysql_real_escape_string($_POST['email']); $checkVerify = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND verified='No' LIMIT 1"); $checkBanned = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND suspended='Yes' LIMIT 1"); if(!$email) { $thisError = 'Please enter your e-mail address.'; } else if(!$password) { $thisError = 'Please enter your password.'; } else if(mysql_num_rows($checkVerify)) { $thisError = 'Your account has not been approved by an Admin.'; } else if(mysql_num_rows($checkBanned)) { $thisError = 'Your account has been suspended by an Admin.'; } else { $password = md5($password); $checkAccount = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND password='$password' LIMIT 1"); if(mysql_num_rows($checkAccount)) { $_SESSION['FM_user'] = $email; header('Location: members.php'); exit; } else { $thisError = 'Your e-mail address and/or password is incorrect.'; } } } include('includes/header.php'); ?> <body> <div class="headerBar"> <?php include('includes/navigation.php');?> </div> <?php headerText(); ?> <div class="content"> <div class="widthLimiter contentStyle"> <div class="formWrapper"> <?php if(isset($thisError)) { echo '<div class="errorDiv">',$thisError,'</div>'; } ?> <?php if(isset($thisSuccess)) { echo '<div class="successDiv">',$thisSuccess,'</div>'; } ?> <span class="subHeader">Initiate Password Reset</span> <?php // include("sendmail2010.php"); $securitycode = ($_GET['pwr']); //echo("53:security:".$securitycode.":<br>"); if ($securitycode != "") { $sql = "SELECT * FROM `customers` WHERE `changeofpasswordcode` = '".mysql_real_escape_string($securitycode)."' LIMIT 1"; //echo("54:sql:".$sql.":<br>"); $res = mysql_query($sql) or die(mysql_error()); //echo("57:<br>"); if (mysql_num_rows($res) != 0) { //echo("59:sql:".$sql.":<br>"); $customerName = mysql_result($res, 0 ,'fullname'); $email = mysql_result($res, 0 ,'email'); $yourpasswordtologin = CreateNewPassword(); $format = 'Y-m-d H:i:s'; $date = date( $format ); $sql = "UPDATE `customers` SET `password` = '" . md5($yourpasswordtologin) . "', `password2` = '" . mysql_real_escape_string($yourpasswordtologin) . "', `changeofpasswordcode` = '', `newpasswordrequestedon` = '" . $date . "' WHERE `changeofpasswordcode` = '" . mysql_real_escape_string($securitycode) . "' LIMIT 1"; //echo("65:sql:".$sql.":<br>"); $res = mysql_query($sql) or die(mysql_error()); $_SESSION['customerName'] = $customerName; $_SESSION['customerEmail'] = $email; $_SESSION['generatePass'] = $yourpasswordtologin; //echo("send email"); $sendemailnow = createEmailSend('newPassword', 'Your new password', 'customer'); //echo("email sent ".$sendemailnow); ?><div style="margin: 30px;">Thank you for completing your password reset process.<br><br>An email with a randomly generated password has been sent to your email address, please check your email account for this email as you will need this password to access your <?=$_SESSION['siteName'];?> account.<br><br><strong><em>Please check your 'spam folder' in case our emails are showing up there.</em></strong><br><br>You may now <a href="<?=$_SESSION['webAddress'];?>">sign in</a> to your account.</div><?php //echo("72:end of IF send email<br>"); } else { //echo("74 bad link<br>"); ?><div style="margin: 20px;">Sorry the link you clicked is and old password reset link or is not valid, please delete the email.<br><br>If you were trying to reset your password, please click the<br>'Member Login' link on our site and then click the 'Reset Password' link.</div><?php //echo("end of IF bad<br>"); } //echo("78:end of first IF<br>"); } ?> </div> </div> </div> <?php include('includes/footer.php');?> </body> </html> Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted September 13, 2011 Share Posted September 13, 2011 Both PHP and MySQL have fairly detailed changelogs available at their respective sites, however I would recomend taking the oportunity to revise the code anyway. I suggest you only SELECT a single relevent field and run a verification against the result V's user confirmation (ie to a security question), don't use "or die(mysql_error())" in a production enviroment, end users don't care about SQL errors, and you are opening up vulnrabilities for all to see. Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 yes i know about the errors issue there ;-) I used the @ in the original code, with out the error parts at the end of the line. The code work perfectly on the old server but now it has been upgraded it fails and seems to perform strangely as well. here is an example of what i mean <? echo("start"); $hashcode = "MyHashCode"; // check if hashcode is in the database. // mysql query // get results from database. $results = mysql_query($sql); if ( mysql_num_rows($res) ) { // there is an entery with that hashcode. // remove the hashcode. // line 13. // create and email the new password, store the password in the database. } else { // the hashcode was not in the database, so display an error message to state this. echo("not a valid hashcode."); // line 19. } echo("end"); ?> this is what actually happens. from the script above it checks if the hashcode is valid or not and then removes the hashcode at line 13 and then it displays the error message at line 19. this as you can see should never happen as the remove hashcode and the error message are in different parts of the IF statements ! Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted September 13, 2011 Share Posted September 13, 2011 then it's also clear that mysql_num_rows isn't being parsed as expected, what does doing a print_r(mysql_num_rows($res)) actualy produce? Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 i get just the digit 1 and it works that time, but do the process again and i get a new hashcode as expected and the email comes but clicking the link in the email this time i get the digit 0 even though the hashcode in the link is a valid code and is in the database, but strangely the databases gets updated and the hashcode is removed i get the message that it is invalid and no email is sent. it should only be performing one or the other of the statements after the IF not one line from the first half of the IF and one line from the other half of the IF!! <? if(check something) { // remove hashcode (does this) // create new password and store it. // does not do this. // email new password. // does not do this echo("email with password sent."); // does not do this. } else { echo("wrong code."); // does this. } ?> how can this be possible !! ? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 13, 2011 Share Posted September 13, 2011 What does a 'view source' in your browser of the page show? Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 in the view source, there are no errors above or below the html tags or between them. nothing out of the ordinary. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 13, 2011 Share Posted September 13, 2011 I was hoping that would show us what the actual output was from your script so that it would indicate what execution path was being taken and/or if there is more than one request for the page. Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 One moment it works the next it does not. ok here is the mysql database example and the scripts. I have made a few changes to the scripts so I was able to echo out the line numbers as it was going through line by line, to see the path it took. I have commented out these lines at the moment. connection.php file is just the basic connection... <? $dbhost = 'localhost'; $dbuser = 'site_user'; $dbpass = 'mypassword'; $dbname = 'site_dbname'; $connect = @mysql_connect($dbhost,$dbuser,$dbpass); @mysql_select_db("$dbname",$connect); @mysql_query("SET NAMES 'utf8'"); ?> startresetpw2.php <?PHP include('includes/connection.php'); include('includes/functions2.php'); date_default_timezone_set('Europe/London'); if(isset($_POST['reset']) && trim($_POST['reset']) == 'Reset Password') { $email = mysql_real_escape_string($_POST['email']); $checkConfirmed = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND verifyCode != '' LIMIT 1"); $checkEmail = mysql_query("SELECT account_id FROM customers WHERE email='$email' LIMIT 1"); $checkVerify = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND verified='No' LIMIT 1"); $checkBanned = mysql_query("SELECT account_id FROM customers WHERE email='$email' AND suspended='Yes' LIMIT 1"); if(!$email) { $thisError = 'Please enter your e-mail address.'; } else if(! mysql_num_rows($checkEmail)) { $thisError = 'That email address is not registered with us.'; } else if(mysql_num_rows($checkConfirmed)) { $thisError = 'Your email address has not been verified, please check your email and following instructions within.'; } else if(mysql_num_rows($checkVerify)) { $thisError = 'Your account has not been approved by an Admin.'; } else if(mysql_num_rows($checkBanned)) { $thisError = 'Your account has been suspended by an Admin.'; } else { // } } ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head> <title>..</title> </head> <body> <div class="content"> <div class="widthLimiter contentStyle"> <div class="formWrapper" style="width: 500px;"> <? if(isset($thisError)) { echo '<div class="errorDiv">',$thisError,'</div>'; } ?> <? if(isset($thisSuccess)) { echo '<div class="successDiv">',$thisSuccess,'</div>'; } ?> <span class="subHeader">Initiate Password Reset</span> <? // password reset $useremail = isset($_POST['email']) != '' ? trim($_POST['email']) : '' ; if ($useremail != "") { // get email and password and email them $sql = "SELECT * FROM `customers` WHERE (`email` = '" . mysql_real_escape_string($useremail) . "') LIMIT 1"; $res = mysql_query($sql); $email = @mysql_result($res, 0 ,'email'); $customerName = @mysql_result($res, 0 ,'fullname'); if(@mysql_num_rows($res) && @mysql_result($res, 0 ,'verified') == "Yes" && @mysql_result($res, 0 ,'suspended') == "No") { if(@mysql_result($res, 0 ,'changeofpasswordcode') != "") { $randomcode = @mysql_result($res, 0 ,'changeofpasswordcode'); } else { $randomcode = CreatePasswordResetCode(); } $_SESSION['customerName'] = $customerName; $_SESSION['customerEmail'] = $email; $_SESSION['randomcode'] = $randomcode; /////////////////////////////////////////////////////////////// createEmailSend('passwordReset', 'Request to reset your password', 'customer'); ?><br><br>Line 61 of startresetpw2.php would just basically send an email with this link...<br> ignor the fact that the link seems to split up on two lines this is only due to the sites display, the link is on one line in the email. <br> <br> http://www.site.com/resetpw2.php?pwr=<? echo($_SESSION['randomcode']); ?> <br><br> <? $format = 'Y-m-d H:i:s'; $date = date( $format ); // set value in DB that email WAS sent $sql = "UPDATE `customers` SET `changeofpasswordcode` = '" . mysql_real_escape_string($randomcode) . "', `newpasswordrequestedon` = '" . $date . "' WHERE `email` = '" . mysql_real_escape_string($email) . "' LIMIT 1"; $res = mysql_query($sql); //echo("67:<br>".$sql."<br>"); ?><br /><br /><div>You will shortly receive an email which contains a reset password link,<br>please check your email and click this link to reset your password.<br /><br />A new password will then be emailed to you.</div><? } else { // not valid username entered. //echo("70:<br>".$sql."<br>"); ?><br /><br /><div>If you are having trouble accessing your account please let us know<br />via <a href="">email</a> and we shall look into this for you A.S.A.P.</div><? } } else { ?><br /><br /><div style=""><form method="post" action="">Please enter your Email Address for your account in the<br>field below and click 'Reset' to initiate a password reset.<br /><br /><input name="email" type="text" size="25"><input type="submit" name="reset" value=" Reset Password"></form></div> <? } ?> </div> </div> </div> </body> </html> resetpw2.php <?PHP define('IN_SCRIPT', true); // Start a session session_start(); include('includes/connection.php'); include('includes/functions2.php'); date_default_timezone_set('Europe/London'); ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head> <title>..</title> </head> <body> <div class="content"> <div class="widthLimiter contentStyle"> <div class="formWrapper"> <? if(isset($thisError)) { echo '<div class="errorDiv">',$thisError,'</div>'; } ?> <? if(isset($thisSuccess)) { echo '<div class="successDiv">',$thisSuccess,'</div>'; } ?> <span class="subHeader">Initiate Password Reset</span> <? // include("sendmail2010.php"); $securitycode = stripstring($_GET[pwr]); if ($securitycode != "") { $sql = "SELECT * FROM `customers` WHERE `changeofpasswordcode` = '".mysql_real_escape_string($securitycode)."' LIMIT 1"; $res = mysql_query($sql); //echo("<br><br><br>:"); //print_r(mysql_num_rows($res)); //echo(":<br><br><br>"); //echo("69:<br>"); if (@mysql_num_rows($res)) { //echo("71:<br>"); $customerName = @mysql_result($res, 0 ,'fullname'); $email = @mysql_result($res, 0 ,'email'); $yourpasswordtologin = CreateNewPassword(); $format = 'Y-m-d H:i:s'; $date = date( $format ); $sql = "UPDATE `customers` SET `password` = '" . md5(mysql_real_escape_string($yourpasswordtologin)) . "', `password2` = '" . mysql_real_escape_string($yourpasswordtologin) . "', `changeofpasswordcode` = '', `newpasswordrequestedon` = '' WHERE `changeofpasswordcode` = '" . mysql_real_escape_string($securitycode) . "' LIMIT 1"; //echo("77:<br>".$sql."<br>:"); $res = mysql_query($sql); //print_r($res); //echo("79:<br>"); $_SESSION['customerName'] = $customerName; $_SESSION['customerEmail'] = $email; $_SESSION['generatePass'] = $yourpasswordtologin; createEmailSend('newPassword', 'Your new password', 'customer'); //echo("send"); ?><div style="margin: 30px;">Thank you for completing your password reset process.<br><br>An email with a randomly generated password has been sent to your email address, please check your email account for this email as you will need this password to access your <?=$_SESSION['siteName'];?> account.<br><br><strong><em>Please check your 'spam folder' in case our emails are showing up there.</em></strong></div><? //echo("68:<br>"); } else { //echo("88:<br>"); ?><div style="margin: 20px;">Sorry the link you clicked is and old password reset link or is not valid, please delete the email.<br><br>If you were trying to reset your password, please click the<br>'Member Login' link on our site and then click the 'Reset Password' link.</div><? //echo("90:<br>"); } //echo("92:<br>"); } //echo("94:<br>"); ?> </div> </div> </div> </body> </html> functions2.php <? function stripstring($textstring) { $textstring = trim($textstring); $strPattern = "/[^a-zA-Z0-9\r\n,. ]/"; $textstring = preg_replace($strPattern, "", $textstring); // remove all but letter and numbers $textstring = preg_replace("/ {2,}/", " ", $textstring); // replace double spaces with single $textstring = preg_replace("/ \r\n/", "\r\n", $textstring); // remove single space 'windows' return $textstring = preg_replace("/(\r\n){2,}/", "\r\n", $textstring); // remove 'windows' double returns $textstring = preg_replace("/ \r/", "\r", $textstring); // remove single space 'mac' return $textstring = preg_replace("/\r{2,}/", "\r", $textstring); // remove 'mac' double returns $textstring = preg_replace("/ \n/", "\n", $textstring); // remove single space 'unix' return $textstring = preg_replace("/\n{2,}/", "\n", $textstring); // remove 'unix' double returns $textstring = preg_replace("/\r\n /", "\r\n", $textstring); // remove 'windows' return single space 'windows' return $textstring = preg_replace("/\r /", "\r", $textstring); // remove 'mac' return single space 'mac' return $textstring = preg_replace("/\n /", "\n", $textstring); // remove 'unix' return single space 'unix' return return ($textstring); } function CreateNewPassword() { // setup random password //$acceptedChars = 'azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN0123456789'; $acceptedChars = 'azertyuiopqsdfghjklmwxcvbnAZERTYUIOPQSDFGHJKLMWXCVBN'; $max = strlen($acceptedChars)-1; $yourpasswordtologin = ""; $letters = rand(5, ; for($i=0; $i < $letters; $i++) { $yourpasswordtologin .= $acceptedChars{mt_rand(0, $max)}; } return $yourpasswordtologin; } function CreatePasswordResetCode() { // /* // set new $record_ref. $ResetCode = md5(rand(10, rand(10, 1000000000))); // check if exisits in DB. $sql = "SELECT * FROM `customers` WHERE `changeofpasswordcode` = '". $ResetCode ."'"; $get_records_with_reset_code = mysql_query($sql); // count entries in DB for $record_ref. $count_records = mysql_num_rows($get_records_with_reset_code); while ($count_records > 0) { // set new $record_ref. $ResetCode = (rand(10, rand(10, 1000000000))); // check if exisits in DB. $sql = "SELECT * FROM `customers` WHERE `changeofpasswordcode` = '". $ResetCode ."'"; $get_records_with_reset_code = mysql_query($sql); // count entries in DB for $record_ref. $count_records = mysql_num_rows($get_records_with_reset_code); } // */ return $ResetCode; } function CreateVerifyCode() { // /* // set new $record_ref. $verifyCode = md5(rand(10, rand(10, 1000000000))); // check if exisits in DB. $sql = "SELECT * FROM `customers` WHERE `verifyCode` = '". $verifyCode ."'"; $get_records_with_verify_code = mysql_query($sql); // count entries in DB for $record_ref. $count_records = mysql_num_rows($get_records_with_verify_code); while ($count_records > 0) { // set new $record_ref. $verifyCode = (rand(10, rand(10, 1000000000))); // check if exisits in DB. $sql = "SELECT * FROM `customers` WHERE `verifyCode` = '". $verifyCode ."'"; $get_records_with_verify_code = mysql_query($sql); // count entries in DB for $record_ref. $count_records = mysql_num_rows($get_records_with_verify_code); } // */ return $verifyCode; } ?> and the sample database... CREATE TABLE IF NOT EXISTS `customers` ( `account_id` smallint(15) NOT NULL auto_increment, `account_type` varchar( NOT NULL default 'customer', `ip_address` varchar(15) NOT NULL default '0.0.0.0', `banned` char(3) NOT NULL default 'No', `company` varchar(100) NOT NULL, `fullname` char(100) NOT NULL, `email` varchar(150) NOT NULL, `mobile` varchar(20) NOT NULL, `password` varchar(50) NOT NULL, `password2` varchar(50) NOT NULL, `lastlogindatetime` datetime NOT NULL default '0000-00-00 00:00:00', `lastlogindatetimeFailed` datetime NOT NULL default '0000-00-00 00:00:00', `time_created` smallint(15) NOT NULL, `verified` varchar(3) NOT NULL default 'No', `suspended` varchar(3) NOT NULL default 'No', `changeofpasswordcode` varchar(32) NOT NULL, `newpasswordrequestedon` datetime NOT NULL default '0000-00-00 00:00:00', `verifyCode` varchar(32) NOT NULL, PRIMARY KEY (`account_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=140 ; -- -- Dumping data for table `customers` -- INSERT INTO `customers` (`account_id`, `account_type`, `ip_address`, `banned`, `company`, `fullname`, `email`, `mobile`, `password`, `password2`, `lastlogindatetime`, `lastlogindatetimeFailed`, `time_created`, `verified`, `suspended`, `changeofpasswordcode`, `newpasswordrequestedon`, `verifyCode`) VALUES (127, 'customer', '', 'No', 'MY COMPANY', 'My Full Name', 'my@email.com', '', '4d9f95422da3599de9b846a652667419', 'vALygyni', '2011-09-13 10:58:18', '0000-00-00 00:00:00', 32767, 'Yes', 'No', '', '', ''); Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 13, 2011 Share Posted September 13, 2011 A) Get rid of all the @ error suppressors in your code. There's no reason to ever put them into code and they could be hiding the reason why your code is not doing what you expect (they also minutely slow down your code just by having them present, even when there are no errors being suppressed.) You should have display_errors set to OFF for a live server (set it to ON for debugging purposes.) Your web host should have it set to OFF in the master php.ini, but if he doesn't, you can set it the way you want it to be (off most of the time, on for debugging) in a local php.ini (when php is running as an CGI application), in a .htaccess file (when php is running as an Apache Module), or in your script, such as in a common config.php file that you include into each page. B) You are not testing if the queries worked or failed with an error before you attempt to access any of the data from the queries (which I suspect is why you have @'s on things like the mysql_num_rows and mysql_result statements.) C) Are you sure the random reset code is being saved/updated in the database at all and that it is the exact same value as what is being put into the link? D) As already mentioned, the symptom is starting to suggest that your page is being requested twice, the first time the reset code matches an entry in the database, for the second request, the entry does not exist. Are you actually receiving the email with the new random password? Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 the code was tested fully before being put in the live site then condensed later on. the script worked a deam and nothing was going wrong, then my host decided to upgrade all their servers to the latest PHP and MySQL !!! without telling us..... ouch... Ok now this is where everything started to go wrong. Emails failed, they made some changes, the site failed to load the pages, they made some more changes, then the sites databases had their turn and they made yet more changes. Now I have requested that they revert back to the old versions of PHP and MySQL immediately or else!!! all my other sites seem to work ok but this one. I have had the scripts tested over and over before and there was 'nothing' wrong. someone suggested that the code may be run twice ? not sure who will read back in a bit. but to answer this suggetion.... not possible, thought of that when i was in the draft scripting. the script creates a hashcode and stores it ok and this same code on the next stage of the script is used in the email that is sent. ok what happens if they request a second time for the password to be reset before they have clicked the link in the first email. the script will see this by first checking if they is any hashcode already in the database, if there is it will use the same hashcode and not create a new one, if there is no hashcode in the database for that email address then a new one is created and stored and then emailed to them. so requesting multiple times will result in the same hashcode, until they click the link which would remove the hashcode. Quote Link to comment Share on other sites More sharing options...
requinix Posted September 13, 2011 Share Posted September 13, 2011 99% of the time problems after an upgrade within branches (5.2.x -> 5.2.x) are because of php.ini settings or other changed configurations. Can you narrow the problems down to specific pieces of code? Use echo and die as much as possible to print out values and check your assumptions until you find a place where variables don't have the values you're expecting. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 13, 2011 Share Posted September 13, 2011 jasonc, nothing you wrote in your last reply has anything to do with what was suggested to do or try or tell us to help find what your code is currently doing in order to find where the problem is. You didn't even read your page is being requested twice, the first time the reset code matches an entry in the database, .... It's your resetpw2.php page that gets requested with the reset code. Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 13, 2011 Author Share Posted September 13, 2011 my code runs twice? where ? i did not think it did. the startresetpw2.php file ? Quote Link to comment Share on other sites More sharing options...
jasonc Posted September 14, 2011 Author Share Posted September 14, 2011 I have checked and checked again but can not see where my code is being run twice for the random code to be create again ? which of my files are you saying does this and where in the file ? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.