retrieve a lost password

Post by Addos »

I wonder if anybody can tell me where I’m going wrong with this. As a beginner to PHP I’m very lost but basically I’m trying to retrieve a lost password by having an email address inserted into a form that searches the database and emails this back to the client.
(At the moment I’m just returning this to the browser to keep things simple for testing).

I can manage to get various results but no matter what I try none are satisfactory. There are 3 main things that I need to do. Firstly if the form is left blank it needs to have an error showing that there is no match in the database and similarly if an email address is not found I need the same message displayed. Thirdly I then need to return the correct password if the email and password match.
I know the logic but can’t seem to figure it out in the script.

I have tried a few methods such as:

Attempt 1

Code:

<?php //if (!empty($_GET['username']))
$username = $_GET['username'];
if ($username == 0) {
echo $row_rstGetLostEmail['password'];
}
else {
echo 'get out of here';
}

Attempt 2

Code:

if (!empty($_POST['username'])){
echo 'sorry there is no match';
}
else {
echo $row_rstGetLostEmail['password'];
}

And this is a complete code that will retrieve and return a correct email/ password but if I leave the form blank or insert an incorrect address nothing at all happens i.e. no error messages are displayed.
If anyone can help I’d be very grateful as I thought that this should be easy to do but that was my first mistake!
Thanks a mil

Code:

<?php require_once('Connections/b.php'); ?>
<?php
$colname_rstGetLostEmail = "1";
if (isset($_GET['username'])) {
  $colname_rstGetLostEmail = (get_magic_quotes_gpc()) ? $_GET['username'] : addslashes($_GET['username']);
}
mysql_select_db($database_brian, $brian);
$query_rstGetLostEmail = sprintf("SELECT * FROM users WHERE username = '%s'", $colname_rstGetLostEmail);
$rstGetLostEmail = mysql_query($query_rstGetLostEmail, $brian) or die(mysql_error());
$row_rstGetLostEmail = mysql_fetch_assoc($rstGetLostEmail);
$totalRows_rstGetLostEmail = mysql_num_rows($rstGetLostEmail);
?>

<body>

<?php //if (!empty($_GET['username']))

if (empty($_POST['username'])) {
echo $row_rstGetLostEmail['password'];
}
else {
echo 'sorry there is no match';
}

?>
<form name="form1" method="$_POST['username']" action="<?php $_SERVER['PHP_SELF']?>">
<input type="text" name= "username">
<input type="submit" value="Search For Password"> 
Retrieve Lost Password 
</form> 

</body>
<?php
mysql_free_result($rstGetLostEmail);
?>

Post by feyd »

$_GET['username'] is always set.. check if it's empty to dump an error.

Post by s.dot »

Try this

Code:

<?php

// Use an if/else to check if there's a username //

if(!$_GET['username']){ echo "No username"; die() } ELSE {
$username = $_GET['username']; }

// Check to see if they actually entered anything into the email //

if(empty($_GET['emailforpassword'])){ echo "You must supply your email"; die(); }

// If email is supplied, search the database for the corresponding password //
// The value is escaped before it goes into the query string //

$email = mysql_real_escape_string($_GET['emailforpassword']);
$sql = "SELECT password FROM your_table WHERE email = '".$email."'";
$query = mysql_query($sql);

// Make sure the email is in the database //

if(mysql_num_rows($query) < 1) { echo "Sorry, either you supplied the wrong email address or we do not have a record of your existence."; die(); }

// If the email is found print the password to the browser //
// $query is a result resource, so fetch the row before printing //

if(mysql_num_rows($query) >= 1) { $row = mysql_fetch_assoc($query); echo $row['password']; }

?>

That should be it in its most basic form. Of course you'd have to change the name of your email text box, and table and column names in the query.

Hope this helps.

Post by AGISB »

In my opinion this kind of function needs to be protected somehow.

Imagine some hacker wanting to get you into trouble. He brute forces the function with a valid email-address let's say to hotmail. This function will drag the server down and your project will be blacklisted asap with hotmail so you never can send mail to hotmail again due to spamming that hotmail account.

Captcha might work or a logfile that only allows a user to use this every 5 minutes.

Post by s.dot »

This kind of function would not spam a hotmail account at all. It's all done on the server the site's being hosted on. He's just retrieving the lost password, and displaying it on a page. However if he decides to send email, then it's a different story.

Post by feyd »

scrotaye wrote:... However if he decides to send email, then it's a different story.
....which is the plan... ;)

Post by Addos »

Hi,
Many thanks for this help. I appreciate it very much as it is a big learning curve for me. I had a feeling that there might be a can of worms here somewhere and I will take in everything you say regarding security.
I don’t fully understand when you say “He brute forces the function with a valid email-address let's say to hotmail”. I know what to brute force means but how does the rest work?

The site I was going to use this on has only a small section that is password protected. The contents of this are only a few news items and some images but absolutely no confidentiality issue here at all. It is just a section for a few people that have offered someday financial support and I just wanted to have a small section that was a sort of a thank you type thing. Having said that I do want to learn and understand the issues assuming that this was an important section that contained valuable data… so I’m all ears.

I have played around with using MD5 and encrypting the passwords in the database (MySQL) and I appreciate that the user can’t simply then be sent via email the password using the method above but I was just experimenting with this to see how it was done without the encrypting. In the end do you think I should do in that should I simply get somebody to send the admin (me) an email and have a new password set and sent out? I understand that I could set up a facility where a person could probably do this again from the site i.e. resetting a new password but I simply don’t have the knowledge to do this and as this site has only around 15 members I didn’t expect a flood of work!

So again many thanks for this very interesting reply and indeed topical subject and as I had planned to do this via email rather than dumping it into the browser I certainly won’t use this method now. I’m open to suggestions that are not too technical for me as I have only got to grips with PHP since Christmas but as I say I love learning and appreciate your help.

Thanks
Brian

BTW I was trying to get the code to work below but I keep getting the error


Parse error: syntax error, unexpected '}' in C:\Inetpub\wwwroot\ on line 26

This is line 26 from my page:

Code:

if(!$_GET['username']){ echo "No username"; die() } else { $username = $_GET['username']; }

Post by AGISB »

It means the hacker uses a tool that calls your e.g. passwordretrieve.php with valid post requests. The tool will try to satisfy each request until it either crashes the server. (ok this would be a DDOS attack and unlikely for a small site). Another way just submit the same URL over and over again and you probably get problems spamming that account.

Post by AGISB »

You don't need to drop this as it will be a great improvement on customer care if you don't have to do all those lost password emails all the time. You could simply use a captcha script to verify every entry or simply create a logfiletable in your database and check if the same email was used less than 5 minutes (or even better a random period) ago.
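
The throttle suggested above (a log table checked against a 5-minute window), combined with mailing a one-time reset token instead of the stored password, as an added example that is not part of the original thread. The table and column names (users, reset_log, reset_hash, reset_expires), the one-hour token lifetime and the requestReset() helper are assumptions, and an in-memory SQLite database stands in for MySQL:

```php
<?php
// Added example: schema names and requestReset() are assumptions, not the poster's code.
const RESET_WINDOW = 300;  // 5 minutes, the interval suggested in the thread
const TOKEN_TTL    = 3600; // assumed token lifetime in seconds

function requestReset(PDO $db, string $email, int $now): array
{
    $generic = 'If that address is registered, a reset link has been sent.';
    $email = strtolower(trim($email));
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['message' => 'Please enter a valid email address.', 'mail' => null];
    }
    // Throttle on the submitted address whether or not an account exists,
    // so the response does not reveal which addresses are registered.
    $q = $db->prepare('SELECT MAX(requested_at) FROM reset_log WHERE email = ?');
    $q->execute([$email]);
    $last = $q->fetchColumn();
    if ($last !== null && $last !== false && $now - (int)$last < RESET_WINDOW) {
        return ['message' => $generic, 'mail' => null];
    }
    $db->prepare('INSERT INTO reset_log (email, requested_at) VALUES (?, ?)')
       ->execute([$email, $now]);

    $q = $db->prepare('SELECT id FROM users WHERE email = ?');
    $q->execute([$email]);
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return ['message' => $generic, 'mail' => null];
    }
    // Mail a one-time token, never the password; store only the token's hash.
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $now + TOKEN_TTL, $userId]);
    return ['message' => $generic, 'mail' => ['to' => $email, 'token' => $token]];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, reset_hash TEXT, reset_expires INTEGER)');
$db->exec('CREATE TABLE reset_log (email TEXT, requested_at INTEGER)');
$db->exec("INSERT INTO users (email) VALUES ('member@example.org')");

// Cases: first request, repeat inside the window, unknown address, repeat after the window.
$t = 1000000;
var_dump(requestReset($db, 'member@example.org', $t)['mail'] !== null);
var_dump(requestReset($db, 'member@example.org', $t + 60)['mail'] === null);
var_dump(requestReset($db, 'nobody@example.org', $t)['mail'] === null);
var_dump(requestReset($db, 'member@example.org', $t + 301)['mail'] !== null);
```

The caller sends the returned token by email and shows only the message, which is identical for registered, unregistered and throttled addresses.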

Post by s.dot »

My bad, change line 26 to this

Code:

if(!$_GET['username']){ echo "No username"; die(); } else { $username = $_GET['username']; }

I had left out the ; after the die() statement.