5 Replies - 774 Views - Last Post: 06 April 2016 - 06:32 PM

#1 JDavidson08

Forgot password script- mail part working, but reset link isn't

Posted 06 April 2016 - 01:06 PM

I am currently using a script from http://megarush.net/...-password-php/. I have been using a lot of trial and error, and my most recent error is 'error occurred'; however, no mysqli errors appear. I have echoed a few variables and checked whether some are actually set. The $query and $pass variables both seem to be there; it just seems to stop when it gets to the update token part. However, neither the user nor the token table updates! Any ideas as to what's going on are appreciated!!

forgot.php
<?php require 'header.php'; 
if(!isset($_GET['email'])){
	                  echo'<form action="forgot.php">
	                      Enter Your Email Id:
	                         <input type="text" name="email" />
	                        <input type="submit" value="Reset My Password" />
	                         </form>'; exit();
				       }
$email=$_GET['email'];
 $sql = "SELECT email FROM user WHERE email='$email'";
         $query = $mysqli_conn->query($sql);
        if ($query->num_rows == 0) {
echo "Email id is not registered"; die();}
$token=getRandomString(10);
$sql="INSERT INTO `tokens` (`token`, `email`) VALUES ('{$token}','{$email}')";
$query = $mysqli_conn->query($sql);
function getRandomString($length) 
	   {
    $validCharacters = "ABCDEFGHIJKLMNPQRSTUXYVWZ123456789";
    $validCharNumber = strlen($validCharacters);
    $result = "";
 
    for ($i = 0; $i < $length; $i++) {
        $index = mt_rand(0, $validCharNumber - 1);
        $result .= $validCharacters[$index];
    }
	return $result;}
 function mailresetlink($to,$token){
$subject = "Forgot Password";
$uri = 'http://'. $_SERVER['HTTP_HOST'] ;
$message = '
<html>
<head>
<title>Forgot Password</title>
</head>
<body>
<p>Click on the given link to reset your password <a href="'.$uri.'/project/reset.php?token='.$token.'">Reset Password</a></p>

</body>
</html>
';
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
$headers .= 'From: Admin<[email protected]>' . "\r\n";
$headers .= 'Cc: [email protected]' . "\r\n";

if(mail($to,$subject,$message,$headers)){
	echo "We have sent the password reset link to your  email id <b>".$to."</b>"; 
}}

if(isset($_GET['email']))mailresetlink($email,$token);
?>




reset.php

<?php error_reporting(E_ALL); ini_set('display_errors', 1);
require 'header.php';
if (isset($_GET['token'])) {

$token = $_GET['token'];

$sql = "SELECT email FROM tokens WHERE token='" . $token . "' and used=0";
$query = $mysqli_conn->query($sql)  or die(mysqli_error($mysqli_conn));

    if(mysqli_num_rows($query) > 0){

        while ($row = mysqli_fetch_array($query)) {

            $email = $row['email'];
            $_SESSION['email'] = $email;

        }

    }

}

if(!isset($_POST['password'])){
echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';}

if (!empty($_POST['password']) && isset($_SESSION['email'])) {
    $pass=$_POST['password'];
  $pass = password_hash($pass, PASSWORD_DEFAULT);
  $sql = "UPDATE user SET password= '$pass' where email='$email'";
  $query = mysqli_query($mysqli_conn, $sql) or die(mysqli_error($mysqli_conn));

  if (isset($pass)){
   echo 'ahhpy';
  }
  else {
    echo "An error occured: " . mysqli_error($mysqli_conn);
    }


}
?>



Replies To: Forgot password script- mail part working, but reset link isn't

#2 JDavidson08

Posted 06 April 2016 - 01:12 PM

I put the wrong code for reset.php!!!

<?php error_reporting(E_ALL); ini_set('display_errors', 1);
require 'header.php';
if (isset($_GET['token'])) {

$token = $_GET['token'];

$sql = "SELECT email FROM tokens WHERE token='" . $token . "' and used=0";
$query = $mysqli_conn->query($sql)  or die(mysqli_error($mysqli_conn));

    if(mysqli_num_rows($query) > 0){

        while ($row = mysqli_fetch_array($query)) {

            $email = $row['email'];
            $_SESSION['email'] = $email;

        }

    }

}

if(!isset($_POST['password'])){
echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';}

if (!empty($_POST['password']) && isset($_SESSION['email'])) {
    $pass=$_POST['password'];
  $pass = password_hash($pass, PASSWORD_DEFAULT);
  $sql = "UPDATE user SET password= '$pass' where email='$email'";
  $query = mysqli_query($mysqli_conn, $sql) or die(mysqli_error($mysqli_conn));

  if (mysqli_affected_rows($mysqli_conn)){
    mysqli_query($mysqli_conn, "UPDATE tokens SET ``used`=(`used`+1) WHERE `token`='$token'");
      echo "Your password is changed successfully";
  }
  else {
    echo "An error occured: " . mysqli_error($mysqli_conn);
    }


}
?>


#3 astonecipher

Posted 06 April 2016 - 01:39 PM

The first thing to do is to turn on error reporting, either in the scripts themselves or on your local machine:
error_reporting(E_ALL);
ini_set('display_errors', 1);


Next, any code when dealing with the database needs to be wrapped in try catch statements to access and control exceptions thrown, whether they come from the connection or the queries themselves.

Also, dropping variables into the query statement is dangerous; not just from a security standpoint, but from the query statement standpoint. For instance,

$str = "What's your name?";

$query = "INSERT INTO questions (question) VALUES ('$str')";


The statement above will throw a SQL exception. It is best to use prepared statements to prevent this without using the old and nonhelpful MySQL_real_escape_string().

#4 JDavidson08

Posted 06 April 2016 - 01:52 PM

Error reporting is now on the forgot.php script also. I've played around with the code again and changed the bottom part to
if(isset($query)) {
    mysqli_query($mysqli_conn, "UPDATE tokens SET ``used`=(`used`+1) WHERE `token`='$token'");echo "Your password is changed successfully";
if(!isset($query))echo "An error occurred";
}


I'm now getting the error 'Notice: Undefined variable: email on line 65 Your password is changed successfully'

I'm quite a beginner to PHP. In terms of the try and catch, which statements should I put this around? And how could this be implemented? Thanks

#5 JDavidson08

Posted 06 April 2016 - 02:19 PM

Another update: played around AGAIN - I know

if (!empty($_POST['password']) && isset($_SESSION['email'])) {
    $password=$_POST['password'];
  $password = password_hash($password, PASSWORD_DEFAULT);
  $sql = "UPDATE user SET password= '$password' where email='$email'";
  $query = mysqli_query($mysqli_conn, $sql) or die(mysqli_error($mysqli_conn));
  
if(isset($query)) {
    mysqli_query($mysqli_conn, "update tokens set used=1 where token='".$token."'");echo "Your password is changed successfully";
if(!isset($query))echo "An error occurred";
}


THIS manages to at least change the 'used' field in 'tokens' to 1.... But still needing the password updated <_<

#6 astonecipher

Posted 06 April 2016 - 06:32 PM

I am not a fan of mysqli_ anything; I would recommend switching to PDO. There is a tutorial here on proper usage.


Utilizing a prepared statement your token update should look something like this:
$sql = "update tokens set used= (used + 1) where token= ?";
$stmt = $pdo->prepare( $sql );
$stmt->execute([$token]);


Similarly, the password update would look like this.
$sql = "UPDATE user SET password= ? where email= ?";
$stmt = $pdo->prepare( $sql );
$stmt->execute([$password, $email]);


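The try/catch advice from post #3 and the prepared statements from post #6, combined into one reset step; this is an added example, not code from any poster in the thread. It claims the token and updates the password in a single transaction and reads the e-mail from the token row in the same request. Assumptions: the function name resetPassword() is hypothetical, the table and column names follow the thread, an in-memory SQLite database stands in for MySQL, and the sample rows are constructed.

```php
<?php
// Added example: resetPassword() is a hypothetical helper; sqlite::memory: stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // make query failures throw
$pdo->exec('CREATE TABLE user (email TEXT PRIMARY KEY, password TEXT)');
$pdo->exec('CREATE TABLE tokens (token TEXT PRIMARY KEY, email TEXT, used INTEGER DEFAULT 0)');

// Constructed sample rows. The apostrophe would break a query built by string interpolation.
$email = "o'brien@example.test";
$token = bin2hex(random_bytes(16)); // CSPRNG-backed token (PHP 7+), unlike mt_rand()
$pdo->prepare('INSERT INTO user (email, password) VALUES (?, ?)')->execute([$email, 'old-hash']);
$pdo->prepare('INSERT INTO tokens (token, email) VALUES (?, ?)')->execute([$token, $email]);

function resetPassword(PDO $pdo, string $token, string $newPassword): bool
{
    try {
        $pdo->beginTransaction();
        // Claim the token first: only an unused token flips from 0 to 1.
        $claim = $pdo->prepare('UPDATE tokens SET used = used + 1 WHERE token = ? AND used = 0');
        $claim->execute([$token]);
        if ($claim->rowCount() !== 1) {
            $pdo->rollBack();
            return false; // unknown or already-used token
        }
        // Take the e-mail from the token row in this request, not from earlier state.
        $lookup = $pdo->prepare('SELECT email FROM tokens WHERE token = ?');
        $lookup->execute([$token]);
        $update = $pdo->prepare('UPDATE user SET password = ? WHERE email = ?');
        $update->execute([password_hash($newPassword, PASSWORD_DEFAULT), $lookup->fetchColumn()]);
        if ($update->rowCount() !== 1) {
            $pdo->rollBack(); // no matching user: undo the token claim as well
            return false;
        }
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        error_log('Password reset failed: ' . $e->getMessage()); // log it, do not echo it
        return false;
    }
}

var_dump(resetPassword($pdo, $token, 'correct horse battery staple')); // first use of the token
var_dump(resetPassword($pdo, $token, 'another password'));             // same token again
var_dump(resetPassword($pdo, "What's your name?", 'pw'));              // quote is bound as data
```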