{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 再贱就再见 的问题《forget password page, creating a generated passwor》','https://www.manongdao.com/q-226479.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am trying to create a forgot password page. I have heard that it is not a good idea to send the original password to the user via email so I am trying to create a random confirmation password that they can use to log into their account and later change the password to whatever they want. So far the problem is it is saying the users email is not in the database when in fact it is. Also, should I update the database to store the random password or will the way I have it work? My database has the tables username, fristname, email, and password. I am asking the user for their email address in a html form then sending it to this php form. This is my first time attempting to do this so it might have a lot of errors, but I found a tutorial to help some so it shouldn't. Thanks for the help.
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Sending Password</title>
</head>
<body>
<?php
$db_server = "server";
$db_username = "name";
$db_password = "pass";
$con = mysql_connect($db_server, $db_username, $db_password);if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$database = "Test_Members";
$er = mysql_select_db($db_username);
if (!$er)
{
print ("Error - Could not select the database");
exit;
}
//include "session.php";
function createRandomPassword() {
$chars = "abcdefghijkmnopqrstuvwxyz023456789";
srand((double)microtime()*1000000);
$i = 0;
$pass = '' ;
while ($i <= 7) {
$num = rand() % 33;
$tmp = substr($chars, $num, 1);
$pass = $pass . $tmp;
$i++;
}
return $pass;
}
$password = createRandomPassword();
$password =$_P0ST['password'];
$email = $_P0ST['email'];
$tbl_name=Account_Holders;
$sql="SELECT password FROM $tbl_name WHERE email='$email'";
$result=mysql_query($sql);
// if found this e-mail address, row must be 1 row
// keep value in variable name "$count"
$count=mysql_num_rows($result);
// compare if $count =1 row
if($count==1){
$rows=mysql_fetch_array($result);
// keep password in $your_password
$your_password=$rows['password']; //will this replace the users password with the random one? That is what I am attempting to do here.
// send e-mail to ...
$to=$email;
// Your subject
$subject="Your Password";
// From
$header="from: Feed The Students";
// Your message
$messages= "Your password for login to our website \r\n";
$messages.="Your password is $your_password \r\n";
$messages.="Please change this password for security reasons. Thank you. \r\n";
// send email
$sentmail = mail($to,$subject,$messages,$header);
}
// else if $count not equal 1
else {
echo "Sorry we did not find your email in our database.";
}
// if your email succesfully sent
if($sentmail){
echo "Your password has been sent to your email address.";
}
else {
echo "We can not send your password at this time.";
}
?>
</body>
</html>
I suggest: 1 - The user click forgot pass, and write the username and/or email. You check if username and/or email exists on your database, if true, generate a random code and store it on your database. 2 - Send the user a email with a link like: wwww.yourwebsite.com/forgot?recovery=CODEGENERATED 3 - The user click the link, and you check if the code exists on your DB, if true, show a form to fill the new password. The user fill, and your save ate DB. 4 - Done.
An question: Why you request the user to fill the password field, if he don't have the password?
And, why not use:
instead:
And, why these two lines:
The first generate a new password, but you set the value posted on the same variable..
A few problems to note:
Right after you create your $password variable with createRandomPassword() you overwrite it with the value in $_POST['password'].
You need to put quotation marks around your assignment of $tbl_name, ie:
$tbl_name = "Account_Holders";
That's probably why you're not finding the user's email in the db.
If you're going to email a new password to the user then you will want to update that in the database so that when they go to log in with the new password it will match what's in the db. In order to do that you need to use an update statement:
UPDATE Account_Holders SET Password = '$password' WHERE Email = '$email';
Note: It's generally not a good idea to store passwords in a database unencrypted. What's typically done is the password is first encrypted and then stored in the db that way. When you go to validate the user's login credentials, encrypt the password they send with the same encryption algorithm and compare against what's in the database.
As far as I can see there is nothing wrong with your query but not putting your $tbl_name value in quotes probably isn't helping. Also, have you doubled checked the name attribute on the email input is definitely email too and that it all matches up correctly?
The way I usually do it is like this, when they request a new password, generate a token along with their user id and email. Send them an email with a link, something like the following:
example.com/reset/?id=THERE_ID&token=RANDOM_TOKENThen on that page check they match up and if it does, let them enter a new password.
In all honesty, you shouldn't even be storing raw passwords in your db anyway, you want to look up things like
hash_hmacand password salts - there should be other links somewhere on those types of pages for you to figure it all out with the tutorials/examples.And as a final note, always validate your user input (regex for example), since you're using
mysql_queryyou always want to be escaping inputs too withmysql_real_escape_string- a preferred method for querys is to use prepared statements, these are very good to stop accidents such as little bobby tables coming to your site.First of all, you shouldn't be storing the users' passwords in your database - not in cleartext, anyways. I'm going to address this before addressing the password reset problem since they're connected.
A common technique is to transform the password using a one-way hash algorithm with a salt (see Wikipedia Definition of Salt for more info), and then when users attempt to login, to perform the same encryption and compare the hashes.
To make things even more complex, try changing the salt on every hash.
Here's a step-by-step method that I use:
A function creates a random salt and then encrypts the password, in this case, using SHA256 algorithm and using a randomly created salt.
$password_salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));$password_hash = hash('sha256', $salt . $password);Save the $password_hash and the $password_salt to the users table. These will be used later to authenticate the user when they attempt to login in the future.
When the user logs in, check the username/email/login and if found, grab the hash and salt from the users table and compare the password hash from the db to the hash returned from performing the same function on what they entered as their password.
$salt = $user_record['password_salt'];$entered_hash = hash('sha256', $salt . $entered_password);In the case above, if $entered_password_hash == $user_record['password_hash'] ($user_record, being what comes from your db) then the password is validated.
Note To make things more complex, I actually store the password hash and the salt in the same field in the db. You can concat them together, one way or the other so if your database is compromised, the password field is effectively useless for retrieving user passwords.
Now when you want to address forgotten passwords, you can create a random password but that's still going to be emailed to the user, which isn't a good idea, even for a temporary password. I would suggest emailing the user a link to click, leading them to a password reset page. Here are a few steps for that process:
For more info (and probably a better explanation of the password hashing technique, have a look at This post by HeyBigName. It's based on CodeIgniter, but the functions contained are universally applicable.