I want to make a forgot password script. Right now I am making a random number and md5 it. Then take the last 8 characters. That would be the new password until they change it. Now I can't change the password on the spot because then users can lock out other people's accounts. So I want to send an email to the user, then they click a link and they get a new pass. How would I create a link that wouldn't be guessed by others? i.e. forgotpass.php?id=10&code=34g3643543
I could also bring the user to a page that changes the pass to what they want from the link, instead of supplying them with a pass.
forgot password
thegreatone2176
- Forum Contributor
- Posts: 102
- Joined: Sun Jul 11, 2004 1:27 pm
I have done a script like this for a client; here's my code.
The only thing I changed is the site linked to and some table names in the queries.
forgotpass.php
So basically it generates a number, checks the email to be valid, then inserts the two into a table and emails the person.
Code:
<?php
//connect to db include
if (isset($_POST['email']))
{
    // generate a string of 10 random digits, each between 0 and 9
    $num = '';
    for ($x = 0; $x < 10; $x++)
        $num .= rand(0, 9);
    $email = $_POST['email'];
    //clean is my own function for stripping input
    $email = clean($email);
    if (strlen($email) == 0)
    {
        echo "Please enter an email address.";
        die;
    }
    //check for valid email
    $check = "SELECT * FROM table WHERE email='$email'";
    $checker = mysql_query($check);
    $total = mysql_num_rows($checker);
    if ($total == 0)
    {
        echo "Please enter a valid email";
        die;
    }
    // insert into the forgotpass table the email with the randomly generated number
    $link = "INSERT INTO forgotpass (email,number) VALUES ('$email','$num')";
    $res = mysql_query($link) or die(mysql_error());
    // the link that will be emailed
    $click = 'http://www.site.com/membersarea/newpass.php?user=' . $email . "&" . "num=" . $num;
    $to = $email;
    $subject = 'Password Reminder';
    $message = 'Hello ' . $email . ' please visit ' . $click . ' to get your new password.';
    $headers = 'From: passwordreminder@' . $_SERVER['SERVER_NAME'] . "\r\n" .
        'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    $go = mail($to, $subject, $message, $headers);
    if ($go)
    {
        echo "Password reminder sent to " . $to;
        die;
    }
}
?>
now the newpass.php
Code:
<?php
if (isset($_GET['num']) && isset($_GET['user']))
{
    $num = clean($_GET['num']);
    $email = clean($_GET['user']);
    if ($num == "" || $email == "")
    {
        echo "Please enter an email and number all entries and ip addresses are logged so please only use your information.";
        die;
    }
    // see if the email/number combo are valid
    $link = "SELECT * FROM forgotpass WHERE email='$email' AND number='$num'";
    $res = mysql_query($link);
    $total = mysql_num_rows($res);
    if ($total == 0)
    {
        echo "The email and number combination were not found in the database please check your link.";
        die;
    }
    // generate new password: 7 random uppercase letters (ASCII 65-90)
    $password = '';
    for ($x = 0; $x < 7; $x++)
        $password .= chr(rand(65, 90));
    // email new password to user
    $to = $email;
    $subject = 'New Password';
    $message = 'Hello ' . $email . ' your new password is ' . $password;
    $headers = 'From: updatedpassword@' . $_SERVER['SERVER_NAME'] . "\r\n" .
        'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    $go = mail($to, $subject, $message, $headers);
    // store only the md5 hash of the new password
    $password = md5($password);
    //update the members table with the users new password so they can login
    $a = "UPDATE memeberstable SET password='$password' WHERE email='$email'";
    $b = mysql_query($a) or die(mysql_error());
    if ($go)
    {
        echo "New Password sent to " . $to;
        die;
    }
} else {
    echo "Please check your link";
    die;
}
?>
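On the original question of how to make the emailed link unguessable: the code below is an added example, not code from this thread. It draws the token from random_bytes() rather than rand(), stores only a hash of it with an expiry time, and deletes the row on first use. It assumes PHP 7+ with the PDO SQLite driver; the in-memory database, the table layout, the example.com address and the function names issueResetToken() and redeemResetToken() are made up for illustration.

```php
<?php
// Added example (not from the thread). Table, column and function names are
// assumptions; an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forgotpass (email TEXT PRIMARY KEY, token_hash TEXT, expires INTEGER)');

// Issue a reset token: 32 bytes from the OS CSPRNG, hex-encoded for the URL.
// Only its SHA-256 hash is stored, so a leaked table cannot be replayed as links.
function issueResetToken(PDO $db, string $email, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    // REPLACE keeps at most one outstanding token per account
    $stmt = $db->prepare('REPLACE INTO forgotpass (email, token_hash, expires) VALUES (?, ?, ?)');
    $stmt->execute([$email, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Check a token taken from the link: it must match, be unexpired, and it is
// deleted on success so the same link cannot be used twice.
function redeemResetToken(PDO $db, string $email, string $token): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires FROM forgotpass WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return false;
    }
    // hash_equals() compares in constant time
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('DELETE FROM forgotpass WHERE email = ?')->execute([$email]);
    return true;
}

// Constructed sample run: issue a link, then try a wrong token, the right
// token, and the right token a second time.
$email = 'user@example.com';
$token = issueResetToken($db, $email);
$link  = 'https://www.example.com/newpass.php?' . http_build_query(['user' => $email, 'num' => $token]);
echo $link, "\n";
var_dump(redeemResetToken($db, $email, str_repeat('0', 64)));
var_dump(redeemResetToken($db, $email, $token));
var_dump(redeemResetToken($db, $email, $token));
```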
anthony88guy
- Forum Contributor
- Posts: 246
- Joined: Thu Jan 20, 2005 8:22 pm
Thanks thegreatone2176, that's very helpful.
I made half of the script but my mail() won't send the mail. When I print $to I get my email address so it has to be with the mail function. I tried sending an email without the html, same problem, so maybe it's one of my headers?
Well I guess it's not the code, on my forums I got this message.
Any reasons why this might occur? Possible that the server turned off mail() function?
Failed sending email :: PHP ::
DEBUG MODE
Line : 234
File : emailer.php
Last edited by anthony88guy on Thu May 12, 2005 5:43 pm, edited 1 time in total.