Help with Forgot Password page

General PHP Help
#1

I have a recovery help page where the user submits his/her email and then is sent the password. The problem that I am having is that the password is MD5 encrypted. Can someone help me with this code so that the password is sent to the user?

[php]<?php

if(ereg("memberforgotpassword.php",$_SERVER['PHP_SELF'])){
	@header("Location:index.php");
	die("<script>window.location='index.php';</script>"); //js redirect backup
}

//if post => process form
if(isset($_POST['email']) && $_POST['email'] != ""){
	$sql = sprintf("select email, password from members where email = '%s' ", mysql_real_escape_string($_POST['email'], $mysql->conn));
	$result = $mysql->exSql($sql) or die($mysql->debugPrint());	
	if(mysql_num_rows($result)>0){
		$row = mysql_fetch_assoc($result);
		//Validate that admin email & member's email are valid
		if(validEmail($row['email']) && validEmail($settings['email'])){
			//send message
			$to = $row['email'];				
			$headers = sprintf("From: %s\r\nReply-To: noreply@%s\r\nX-Mailer: PHP/%s", $settings['email'], str_replace("www.","",str_replace("http://","",$settings['domain'])), phpversion());				
			$emailXtpl =  new XTemplate("emailmessages/forgotpassword.xtpl", SKIN);
			$emailXtpl->assign('row',$row);
			$emailXtpl->assign('settings',$settings);
			$emailXtpl->parse('main.subject');
			$emailXtpl->parse('main.body');
			$subject = $emailXtpl->text('main.subject');
			$message = $emailXtpl->text('main.body');
			
			if(@mail($to,$subject,$message,$headers)){
				$xtpl->parse('main.passwordsent');				
			}else{
				$xtpl->assign('error','Please contact webmaster [Failed to send message]');
				$xtpl->parse('main.forgotpassword.error');
				$xtpl->parse('main.forgotpassword');					
			}		
		}else{
			$xtpl->assign('error','Please contact webmaster [Invalid Email(s)]');
			$xtpl->parse('main.forgotpassword.error');
			$xtpl->parse('main.forgotpassword');			
		}

	}else{
		$xtpl->assign('error','Email address not found');
		$xtpl->parse('main.forgotpassword.error');
		$xtpl->parse('main.forgotpassword');
	}
}else{
	$xtpl->parse('main.forgotpassword');
}

?>[/php]

#2

If you are only storing it with md5 encrypted, you cannot send them the original password. The point of md5 is the fact that it cannot (technically) be decrypted. You will have to create a form for them to reset their password, unless of course you send them the MD5 version and your login form accepts MD5 versions of passwords!

#3

Thank you very much for your help.

#4

Ok - I was able to setup the forgot password page where the users inputs his/her email. The scripts sends a an email with the new temporary password but does not update the database password for the member to login. Any ideas what I am doing wrong?

[php]<?php

if(ereg("forgotpassword.php",$_SERVER['PHP_SELF'])){
	@header("Location:index.php");
	die("<script>window.location='index.php';</script>"); //js redirect backup
}

//if post => process form
if(isset($_POST['email']) && $_POST['email'] != ""){
	$sql = sprintf("select email, password from members where email = '%s' ", mysql_real_escape_string($_POST['email'], $mysql->conn));
	$result = $mysql->exSql($sql) or die($mysql->debugPrint());	
	if(mysql_num_rows($result)>0){
		$row = mysql_fetch_assoc($result);
		
		function createRandomPassword() {
		    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
		    srand((double)microtime()*1000000);
		    $i = 0;
		    $pass = '' ;
		    while ($i <= 7) {
		        $num = rand() % 33;
		        $tmp = substr($chars, $num, 1);
		        $pass = $pass . $tmp;
		        $i++;
		    }
		    return $pass;
		}
		$password = createRandomPassword();
		$row['password'] = $password;
		
		//update password
		$sql = sprintf("update members set password = $password where email = '%s' and password = '%s'", mysql_real_escape_string($_POST['email'], $mysql->conn), mysql_real_escape_string (md5($_POST['password']), $mysql->conn));
		$mysql->exSql($sql) or die($mysql->debugPrint());;

		
		
		//Validate that admin email & member's email are valid
		if(validEmail($row['email']) && validEmail($settings['email'])){
			
			
			//send message
			$to = $row['email'];				
			$headers = sprintf("From: %s\r\nReply-To: noreply@%s\r\nX-Mailer: PHP/%s", $settings['email'], str_replace("www.","",str_replace("http://","",$settings['domain'])), phpversion());				
			$emailXtpl =  new XTemplate("emailmessages/forgotpassword.xtpl", SKIN);
			$emailXtpl->assign('row',$row);
			$emailXtpl->assign('settings',$settings);
			$emailXtpl->parse('main.subject');
			$emailXtpl->parse('main.body');
			$subject = $emailXtpl->text('main.subject');
			$message = $emailXtpl->text('main.body');
			
			if(@mail($to,$subject,$message,$headers)){
				$xtpl->parse('main.passwordsent');			
			}else{
				$xtpl->assign('error','Please contact webmaster [Failed to send message]');
				$xtpl->parse('main.forgotpassword.error');
				$xtpl->parse('main.forgotpassword');					
			}		
		}else{
			$xtpl->assign('error','Please contact webmaster [Invalid Email(s)]');
			$xtpl->parse('main.forgotpassword.error');
			$xtpl->parse('main.forgotpassword');			
		}

	}else{
		$xtpl->assign('error','Email address not found');
		$xtpl->parse('main.forgotpassword.error');
		$xtpl->parse('main.forgotpassword');
	}
}else{
	$xtpl->parse('main.forgotpassword');
}

?>[/php]

#5

Once I figured out your UPDATE code (I never use the %s’ because they are so hard to read!),

I notice you have ‘UPDATE table set field=$variable…’

Shouldn’t it be ‘UPDATE table set field=’$variable’…’

Or as I do it "UPDATE table set field=’ " . $variable . " '…

I am sure you need a quote or quotes around the data to be updated…

#6

I have updated the update password with this code but the database still does not update. Not sure what is wrong.

[php]//update password
$sql = sprintf(“update members set password = ‘$password’ where email = ‘$email’ and password = ‘$password’”, mysql_real_escape_string($_POST[‘email’], $mysql->conn), mysql_real_escape_string (md5($_POST[‘password’]), $mysql->conn));
$mysql->exSql($sql) or die($mysql->debugPrint());;[/php]

#7

Dump the string printf’s they are useless. Same as the extra “;” you have on the execute line.
Replace your code with this and let me know if it works for you.
You should “echo(sql);” on your page before executing it to see if the actual query is what you want it to be.

[php]
//update password

$sql = “UPDATE members SET password = '” . $password . “’ WHERE email = '” . $email . “’ AND password = '” . $password . “’)”;

$mysql->exSql($sql) or die($mysql->debugPrint());;
[/php]

Not sure how you are doing this call… But here is how I do an update. This is the entire code for updating including the connection strings. Most people on the internet use something similar. Maybe it will help you streamline your code. The first part, before the update is used once and then all queries are done before closing the connection. In this way, you can have an UPDATE section and a DELETE section and an ADD section with if’s to determine which button was pressed… Good luck…
[php]
// Set up database connection…
$hostname = “your. host.com”;
$username = “yourDBusername”;
$password = “databasepassword”;
$dbname = “DBname”;
$dbConn = mysql_connect( $hostname, $username, $password );
@mysql_select_db($dbname); //database is open and ready for SQL commands…

// Connection now open, Handle any buttons pressed from previous FORM page…
if(isset($_POST[‘UpdateButton’])) {

// Update button was pressed, update the form’s data…
$query = “UPDATE members SET password = '” . $password . “’ WHERE email = '” . $email . “’ AND password = '” . $password . “’)”;

$dbResults = mysql_query ( $query, $dbConn );

// Check results to see if successful...

if (mysql_affected_rows()==0) {
echo “Query Not Completed!”;

// Check for delete button…
if(isset($_POST[‘DeleteButton’])) {
// Delete the data…
$query = “DELETE FROM members WHERE name = '” . $_POST[‘DeleteName’] . “’”;
$dbResults = mysql_query ( $query, $dbConn );

// Check results to see if successful...

if (mysql_affected_rows()==0) {
echo “Query Not Completed!”;

// All database access is completed, close database connection…
mysql_close( $dbConn );
}
[/php]
(I use CAPS for commands inside of queries as it is easier to read.) Good luck!

Sponsor our Newsletter | Privacy Policy | Terms of Service