forgot password
Posted: Tue Apr 26, 2005 6:33 pm
by anthony88guy
I want to make a forgot password script. Right now I am making a random number and md5 it. Then take the last 8 characters. That would be the new password until they change it. Now I can't change the password on the spot because then users can lock out other people's accounts. So I want to send an email to the user, then they click a link and they get a new pass. How would I create a link that wouldn't be guessed by others? i.e. forgotpass.php?id=10&code=34g3643543
I could also bring the user to a page that changes the pass to what they want from the link, instead of supplying them with a pass.
Posted: Tue Apr 26, 2005 7:06 pm
by Todd_Z
mmm use a non-md5 encryption for the id, determine the keys yourself so that someone can't just use md5 on a random id number and lock out the account. Also, don't include the new password in the url, because if someone does ?id=10&code=PASSWORD, then by your system, PASSWORD is the new password...
Posted: Tue Apr 26, 2005 7:19 pm
by thegreatone2176
i have done a script like this for a client, here's my code
only thing i changed is the site linked to and some table names in the queries.
forgotpass.php
Code:
<?php
//connect to db include
if (isset($_POST['email']))
{
// generate a random number of numbers between 0 and 9
// ($num is initialised first so .= does not append to an undefined variable)
$num = '';
for ($x=0;$x<10;$x++)
$num .= rand(0, 9);
$email = $_POST['email'];
//clean is my own function for stripping input
$email = clean($email);
if (strlen($email) == 0)
{
echo "Please enter an email address.";
die;
}
//check for valid email
$check = "SELECT * FROM table WHERE email='$email'";
$checker = mysql_query($check);
$total = mysql_num_rows($checker);
if ($total == 0)
{
echo "Please enter a valid email";
die;
}
// insert into the forgotpass table the email with the randomly generated number
$link = "INSERT INTO forgotpass (email,number) VALUES ('$email','$num')";
$res = mysql_query($link) or die(mysql_error());
// the link that will be emailed
$click = 'http://www.site.com/membersarea/newpass.php?user=' . $email . "&" . "num=" . $num;
$to = $email;
$subject = 'Password Reminder';
$message = 'Hello ' . $email . ' please visit ' . $click . ' to get your new password.';
$headers = 'From: passwordreminder@' . $_SERVER['SERVER_NAME'] . "\r\n" .
'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
'X-Mailer: PHP/' . phpversion();
$go = mail($to, $subject, $message, $headers);
if ($go)
{
echo "Password reminder sent to " . $to;
die;
}
}
?>
so basically it generates a number, checks the email to be valid, then inserts the two into a table and emails the person.
now the newpass.php
Code:
<?php
//connect to db include
if (isset($_GET['num']) && isset($_GET['user']))
{
$num = clean($_GET['num']);
$email = clean($_GET['user']);
if ($num == "" || $email == "")
{
echo "Please enter an email and number all entries and ip addresses are logged so please only use your information.";
die;
}
// see if the email/number combo are valid
$link = "SELECT * FROM forgotpass WHERE email='$email' AND number='$num'";
$res = mysql_query($link);
$total = mysql_num_rows($res);
if ($total == 0)
{
echo "The email and number combination were not found in the database please check your link.";
die;
}
// generate new password: 7 random uppercase letters
// ($password is initialised first so .= does not append to an undefined variable)
$password = '';
for ($x=0;$x<7;$x++)
$password .= chr(rand(65,90));
// email new password to user
$to = $email;
$subject = 'New Password';
$message = 'Hello ' . $email . ' your new password is ' . $password;
$headers = 'From: updatedpassword@' . $_SERVER['SERVER_NAME'] . "\r\n" .
'Reply-To: webmaster@' . $_SERVER['SERVER_NAME'] . "\r\n" .
'X-Mailer: PHP/' . phpversion();
$go = mail($to, $subject, $message, $headers);
// store only the md5 of the password, never the plaintext
$password = md5($password);
//update the members table with the users new password so they can login
$a = "UPDATE memeberstable SET password='$password' WHERE email='$email'";
$b = mysql_query($a) or die(mysql_error());
if ($go)
{
echo "New Password sent to " . $to;
die;
}
} else {
echo "Please check your link";
die;
}
?>
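The thread asks for a link "that wouldn't be guessed by others", Todd_Z warns against an md5 of a predictable id and against putting the password in the URL, and the posted scripts look the token up as plaintext with no expiry or single-use check. The following is an added example (not code from the thread or from thegreatone2176) of a reset flow built on the same two-page shape. It assumes a constructed schema of `members(email, password_hash)` and `password_resets(email, token_hash, expires_at, used)`, a connected PDO handle, and PHP 7 or later for `random_bytes` and `password_hash`; the table names, the `example.com` URL and the function names are this example's own choices.

```php
<?php
// Added example: reset link whose token is unguessable (256 bits from the OS
// CSPRNG), stored only as a SHA-256 hash, time-limited and single use.
// Schema and table names are constructed for this example.

const RESET_TOKEN_BYTES = 32;     // 32 random bytes -> 64 hex characters in the URL
const RESET_TTL_SECONDS = 3600;   // link is valid for one hour

// Step 1 (forgotpass.php side): create a token for an account and return the URL to e-mail.
// Returns null for an unknown address; the caller shows the same neutral message either way.
function createResetLink(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT 1 FROM members WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $token = bin2hex(random_bytes(RESET_TOKEN_BYTES));
    // Only the hash is stored, so a leaked password_resets table yields no usable links.
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (email, token_hash, expires_at, used) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$email, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    // The URL carries only the token; the new password is typed into the form, never sent in the link.
    return 'https://www.example.com/newpass.php?token=' . $token;
}

// Step 2 (newpass.php side): consume the token and set the password the user chose.
// Returns true when the password was changed, false for unknown, expired or already-used tokens.
function completeReset(PDO $pdo, string $token, string $newPassword): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token) || strlen($newPassword) < 12) {
        return false;
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT email, expires_at, used FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['used'] === 1 || (int) $row['expires_at'] < time()) {
        return false;
    }
    $pdo->beginTransaction();
    // Mark the token used with "used = 0" in the WHERE clause, so two concurrent
    // requests with the same link cannot both get past this point.
    $stmt = $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ? AND used = 0');
    $stmt->execute([$tokenHash]);
    if ($stmt->rowCount() !== 1) {
        $pdo->rollBack();
        return false;
    }
    $stmt = $pdo->prepare('UPDATE members SET password_hash = ? WHERE email = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['email']]);
    $pdo->commit();
    return true;
}

// Usage against an in-memory SQLite database (constructed here so the example runs offline).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password_hash TEXT)');
$pdo->exec('CREATE TABLE password_resets (email TEXT, token_hash TEXT PRIMARY KEY, expires_at INTEGER, used INTEGER)');
$pdo->exec("INSERT INTO members VALUES ('alice@example.com', '')");

$link = createResetLink($pdo, 'alice@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(completeReset($pdo, $query['token'], 'correct horse battery staple'));  // first use succeeds
var_dump(completeReset($pdo, $query['token'], 'correct horse battery staple'));  // same link again is rejected
var_dump(createResetLink($pdo, 'nobody@example.com'));                           // unknown address
```

Two design points are worth naming. The token is looked up by its hash rather than compared in PHP, so the database does the equality check and the plaintext token never needs to be stored; and because the reset page takes the new password from a POST form rather than from the URL, the `?code=PASSWORD` problem Todd_Z describes cannot arise. Using prepared statements throughout also removes the need for a hand-written `clean()` on the email and token values.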
Posted: Tue Apr 26, 2005 11:17 pm
by anthony88guy
Thanks thegreatone2176, that's very helpful.
I made half of the script but my mail() won't send the mail. When I print $to I get my email address so it has to be with the mail function. I tried sending an email without the html, same problem, so maybe it's one of my headers?
Well I guess it's not the code, on my forums I got this message.
Failed sending email :: PHP ::
DEBUG MODE
Line : 234
File : emailer.php
Any reasons why this might occur? Possible that the server turned off mail() function?
Posted: Wed Apr 27, 2005 3:22 pm
by thegreatone2176
you only have the headers to make it send as html, you don't have all the other headers, and also your server may have mail off. but maybe you could paste that line where the error is and we can see, and if it's on the mail() function then the server probably won't allow it
Posted: Wed Apr 27, 2005 4:00 pm
by anthony88guy
But on my forum I have it send me emails when a new user signs up for me to verify them, and now that doesn't work. Plus my server is free, really crappy, I want to get hosting but I'm waiting to finish my real site. What other headers should I have? I get no error, but also get no email.