
Sending email for forgotten password

Posted: Tue Dec 29, 2009 10:05 pm
by kennedysee
The program works by sending the real password that exists in the database via email...

Can anyone help me with sending a random password to the email instead of showing the real password?

Thanks...

forgot_password.php
<table width="380" border="0" cellpadding="3" cellspacing="1" >
<tr>
<td width="33%"><strong>Enter your email : </strong></td>
<td width="67%"><form name="form1" method="post" action="send_password_ac.php">
<input name="email_to" type="text" id="mail_to" size="25">
<input type="submit" name="Submit" value="Submit">
</form>
</td>
</tr>
</table>


send_password_ac.php
<?php

$host="localhost"; // Host name
$username="root"; // Mysql username
//$password=""; // Mysql password
$db_name="registration"; // Database name


//Connect to server and select database.
mysql_connect("$host", "$username")or die("cannot connect to server");
mysql_select_db("$db_name")or die("cannot select DB");

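// value sent from form
$email_to=$_POST['email_to'];

// escaped copy for use inside the SQL string (prevents SQL injection)
$email_sql=mysql_real_escape_string($email_to);

// table name (must be a quoted string, a bare word is an undefined constant)
$tbl_name="user";

// retrieve password from table where e-mail = $email_to(mark@phpeasystep.com)
$sql="SELECT password FROM $tbl_name WHERE email='$email_sql'";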
$result=mysql_query($sql);

// if found this e-mail address, row must be 1 row
// keep value in variable name "$count"
$count=mysql_num_rows($result);

// compare if $count =1 row
if($count==1){

$rows=mysql_fetch_array($result);

// keep password in $your_password
$your_password=$rows['password'];

// ---------------- SEND MAIL FORM ----------------

// send e-mail to ...
$to=$email_to;

// Your subject
$subject="Your password here";

// From
$header="from: your name <your email>";

// Your message
$messages= "Your password for login to our website \r\n";
$messages.="Your password is $your_password \r\n";
$messages.="more message... \r\n";

// send email
$sentmail = mail($to,$subject,$messages,$header);

}

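// else if $count not equal 1
else {
echo "Not found your email in our database";
}

// report the mail result only when a mail was attempted
// ($sentmail is not set when the e-mail address was not found)
// if your email successfully sent
if($count==1 && $sentmail){
echo "Your Password Has Been Sent To Your Email Address.";
}
elseif($count==1){
echo "Cannot send password to your e-mail address";
}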

?>

Re: Sending email for forgotten password

Posted: Wed Dec 30, 2009 12:04 am
by manojsemwal1
Why do you use a random password?

Re: Sending email for forgotten password

Posted: Wed Dec 30, 2009 1:16 am
by kennedysee
For security purposes, it's not nice to reveal the password.

Re: Sending email for forgotten password

Posted: Wed Dec 30, 2009 5:34 am
by kaisellgren
Many websites generate a random token and send it to the email as a link (like http://www.site.com/reset.php?token=...), and then the user is offered a form to reset their password.

This token should time out after a certain period, be usable only for a certain account, and be usable only once.

Re: Sending email for forgotten password

Posted: Wed Dec 30, 2009 6:38 pm
by penkomitev
You have a bigger problem than the random password generation. You are storing passwords as plain text, which is very crappy.
You have to use some sort of hashing or encryption to boost security.

I would recommend the following and you choose whichever way to go:

First suggestion:

By the time users sign up, you generate a token and store it in a special column so that it is located in the user data.

When a user requests a password recovery, you send him a link where the token is a parameter. When the user successfully changes their password, it is advisable that you generate a new token.

I do not really fancy the idea of using random passwords, but if you want that, the only difference from the example above is that you have to generate a new password and overwrite the password field with it. I suppose you have a password change form; the user could use it to change the temporary password.
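
The reset flow from kaisellgren's reply (random token, time-limited, bound to one account, single use), with the new password stored hashed in line with penkomitev's point about plain text, as an added example that is not part of the thread. The `password_reset` table, the column and function names, the in-memory SQLite database and the choice to store only a SHA-256 of the token are assumptions for illustration; it uses PDO on PHP 7.1+ rather than the `mysql_*` calls in the original post.

```php
<?php
// Added example, not code from the thread. Table, column and function names are assumptions.
$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE password_reset (user_id INTEGER, token_hash TEXT,
    expires_at INTEGER, used INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO user (email, password) VALUES (?, ?)') // constructed sample account
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: issue a token tied to one account. Returns the token for the e-mail link,
// or null when the address is unknown.
function requestReset(PDO $db, string $email, int $ttl = 3600): ?string {
    $q = $db->prepare('SELECT id FROM user WHERE email = ?'); // bound parameter, no string building
    $q->execute([$email]);
    $userId = $q->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the system CSPRNG
    $db->prepare('INSERT INTO password_reset (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return $token; // the database keeps only the hash of the token
}

// Step 2: redeem a token. It must exist, be unexpired and unused; on success the
// password of the account it was issued for is replaced with a salted hash.
function redeemReset(PDO $db, string $token, string $newPassword): bool {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    // Claim the token in one statement so that it cannot be redeemed twice.
    $claim = $db->prepare('UPDATE password_reset SET used = 1
        WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $claim->execute([$hash, time()]);
    if ($claim->rowCount() !== 1) {
        $db->rollBack();
        return false; // unknown, expired or already used
    }
    $q = $db->prepare('SELECT user_id FROM password_reset WHERE token_hash = ?');
    $q->execute([$hash]);
    $db->prepare('UPDATE user SET password = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $q->fetchColumn()]);
    $db->commit();
    return true;
}

$token = requestReset($db, 'alice@example.com');
echo "Link to e-mail: http://www.site.com/reset.php?token=$token\n";
var_dump(redeemReset($db, $token, 'new-password'));     // first use of the token
var_dump(redeemReset($db, $token, 'another-password')); // same token presented again
```

At login, the stored value is checked with `password_verify()` instead of comparing strings.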