forgot password

anthony88guy
Forum Contributor
Posts: 246
Joined: Thu Jan 20, 2005 8:22 pm

Post by anthony88guy »

I want to make a forgot password script. Right now I am making a random number and md5 it. Then take the last 8 characters. That would be the new password until they change it. Now I can't change the password on the spot because then users can lock out other people's accounts. So I want to send an email to the user, then they click a link and they get a new pass. How would I create a link that wouldn't be guessed by others? i.e. forgotpass.php?id=10&code=34g3643543

I could also bring the user to a page that changes the pass to what they want from the link, instead of supplying them with a pass.
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Mmm, use a non-md5 encryption for the id, determine the keys yourself so that someone can't just use md5 on a random id number and lock out the account. Also, don't include the new password in the url, because if someone does ?id=10&code=PASSWORD, then by your system, PASSWORD is the new password...
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

I have done a script like this for a client; here's my code.

The only thing I changed is the site linked to and some table names in the queries.

forgotpass.php

<?php

//connect to db include

if (isset($_POST['email']))
{
	// generate a random string of 10 digits, each between 0 and 9
	// ($num is initialised first so the .= below does not raise a notice)
	$num = '';
	for ($x=0;$x<10;$x++)
		$num .= rand(0, 9);

	$email = $_POST['email'];
	// clean is my own function for stripping input
	$email = clean($email);
	
	if (strlen($email) == 0)
	{
		echo "Please enter an email address.";
		die;
	}
	
         //check for valid email
	$check = "SELECT * FROM table WHERE email='$email'";
	$checker = mysql_query($check);
	$total = mysql_num_rows($checker);

	if ($total == 0)
	{
		echo "Please enter a valid email";
		die;
	}
	

	// insert into the forgotpass table the email with the randomly generated number
	$link = "INSERT INTO forgotpass (email,number) VALUES ('$email','$num')";
	$res = mysql_query($link) or die(mysql_error());

	// the link that will be emailed (the address is URL-encoded so characters such as + survive)
	$click = 'http://www.site.com/membersarea/newpass.php?user=' . urlencode($email) . "&" . "num=" . $num;
	
	$to      = $email;
	$subject = 'Password Reminder';
	$message = 'Hello ' . $email . ' please visit ' . $click . ' to get your new password.';
	
	$headers = 'From: passwordreminder@' . $_SERVER['SERVER_NAME'] . "\r\n" .
	'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
   	'X-Mailer: PHP/' . phpversion();

	$go = mail($to, $subject, $message, $headers);		
	
	if ($go)
	{
		echo "Password reminder sent to " . $to;
		die;
	}	
	
	
	
}
?>
So basically it generates a number, checks the email to be valid, then inserts the two into a table and emails the person.

now the newpass.php

<?php

if (isset($_GET['num']) && isset($_GET['user']))
{
	$num = clean($_GET['num']);
	$email = clean($_GET['user']);
	
	if ($num == "" || $email == "")
	{
		echo "Please enter an email and number all entries and ip addresses are logged so please only use your information.";
	die;
	}
// see if the email/number combo are valid
	$link = "SELECT * FROM forgotpass WHERE email='$email' AND number='$num'";
	$res = mysql_query($link);
	$total = mysql_num_rows($res);

	if ($total == 0)
	{
		echo "The email and number combination were not found in the database please check your link.";
		die;
	}
// generate new password (7 random upper-case letters)
	$password = '';
	for ($x=0;$x<7;$x++)
		$password .= chr(rand(65,90));

// email new password to user
	$to      = $email;
	$subject = 'New Password';
	$message = 'Hello ' . $email . ' your new password is ' . $password;
	
	$headers = 'From: updatedpassword@' . $_SERVER['SERVER_NAME'] . "\r\n" .
	'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
   	'X-Mailer: PHP/' . phpversion();

	$go = mail($to, $subject, $message, $headers);	

	$password = md5($password);

//update the members table with the users new password so they can login

	$a = "UPDATE memeberstable SET password='$password' WHERE email='$email'";	
	$b = mysql_query($a) or die(mysql_error());

		
	
	if ($go)
	{
		echo "New Password sent to " . $to;
		die;
	}	

	
} else {
	echo "Please check your link";
	die;
}
?>
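An added example, not part of the original post or thread: one way to make the emailed link unguessable is to draw the token from the OS CSPRNG, store only its hash with an expiry, and delete it on first use. The table `password_resets`, the functions `issueResetToken` and `redeemResetToken`, the one-hour lifetime and the example.com link are assumptions for illustration; it assumes PHP 7+ with the PDO SQLite driver.

```php
<?php
declare(strict_types=1);
// Added example: table and function names are hypothetical, not from the thread.

const RESET_TTL = 3600; // assumed token lifetime in seconds

function issueResetToken(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // One pending request per address; only the hash is stored, so a leaked
    // table does not hand out working reset links.
    $db->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]);
    $db->prepare('INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$email, hash('sha256', $token), time() + RESET_TTL]);
    return $token; // appears only in the emailed link
}

function redeemResetToken(PDO $db, string $email, string $token): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM password_resets WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no pending request for this address
    }
    // Constant-time comparison of hashes, plus the expiry check.
    $ok = hash_equals($row['token_hash'], hash('sha256', $token))
        && (int) $row['expires_at'] >= time();
    if ($ok) {
        // Single use: a replayed link finds no row.
        $db->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]);
    }
    return $ok;
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_resets (email TEXT PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');

$email = 'user@example.com'; // constructed sample address
$token = issueResetToken($db, $email);
echo 'https://www.example.com/newpass.php?user=' . urlencode($email) . '&token=' . $token, "\n";
var_dump(redeemResetToken($db, $email, str_repeat('0', 64))); // guessed token
var_dump(redeemResetToken($db, $email, $token));              // the emailed link
var_dump(redeemResetToken($db, $email, $token));              // same link replayed
```

Once `redeemResetToken` succeeds, the page can let the user choose a new password over HTTPS rather than emailing one.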
anthony88guy
Forum Contributor
Posts: 246
Joined: Thu Jan 20, 2005 8:22 pm

Post by anthony88guy »

Thanks thegreatone2176, that's very helpful.

I made half of the script but my mail() won't send the mail. When I print $to I get my email address so it has to be with the mail function. I tried sending an email without the html, same problem, so maybe it's one of my headers?


Well I guess it's not the code; on my forums I got this message.
Failed sending email :: PHP ::

DEBUG MODE

Line : 234
File : emailer.php
Any reasons why this might occur? Possible that the server turned off mail() function?
Last edited by anthony88guy on Thu May 12, 2005 5:43 pm, edited 1 time in total.
thegreatone2176
Forum Contributor
Posts: 102
Joined: Sun Jul 11, 2004 1:27 pm

Post by thegreatone2176 »

You only have the headers to make it send as HTML; you don't have all the other headers. Also, your server may have mail off, but maybe you could paste the line where the error is and we can see. If it's on the mail() function, then the server probably won't allow it.
anthony88guy
Forum Contributor
Posts: 246
Joined: Thu Jan 20, 2005 8:22 pm

Post by anthony88guy »

But on my forum I have it send me emails when a new user signs up for me to verify them, and now that doesn't work. Plus my server is free, really crappy, I want to get hosting but waiting to finish my real site. What other headers should I have? I get no error, but also get no email.