PHP Password Reset Script

Question

gilgil2 0 Junior Poster in Training

12 Years Ago

Hi I am trying to write a password reset script. An email with a link is sent to the user, and then if the username and a 32 character string in the link match the info in the database they can change the password for that account. Here is what I've got so far:

   <?php
    session_start();
    error_reporting(E_ALL ^ E_NOTICE);

    if (isset($_GET['x'])) {
        $x = $_GET['x'];
    } else {
        $x = 0;
    }
    if (isset($_GET['y'])) {
        $y = $_GET['y'];
    } else {
        $y = 0;
    }

    if (strlen($y) > 0) {

    echo '<form action="reset.php" method="post">

        <p><input type="password" name="password1" size="30" maxlength="40" />Password</p>

        <p><input type="password" name="password2" size="30" maxlength="40" />Confirm Password</p>

        <p><input type="submit" name="submit" value="Reset" /></p>
    </form>';

    }
    else {

        echo 'Link not valid!';

    }


    if (isset($_POST['password1']) && isset($_POST['password2'])) {
            if ($_POST['password1']=$_POST['password2']) {

    $realp = $_POST['password1'];

        $link = mysql_connect('', '', ''); 
    if (!$link) { 
        die('Could not connect: ' . mysql_error()); 
    } 
    mysql_select_db(); 

    $query = "UPDATE users SET password=$realp WHERE (username='" . $x . "'  AND password='" . $y . "') LIMIT 1";  
        $result = mysql_query($query);

        if (mysql_affected_rows() == 1) {

            echo 'Your password has been changed. You may now <a href=\"http://example.com/login.php\">log in</a>.';
        } else {
            echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
        }

            }
    }


    ?>

When I test it it says the password could not be changed...

Thanks for any help
Gilgil

php

2 Contributors
3 Replies
1K Views
3 Hours Discussion Span
Latest Post 12 Years Ago Latest Post by iamthwee

iamthwee

12 Years Ago

I've not really looked at it but line 36 looks like you need two equal signs ==

Additionally, it would be a damn good idea to at least encrypt your passwords, one time hashes such as MD5 seem popular ATM.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

gilgil2 0 Junior Poster in Training · Answer 1 · 2012-09-11T15:35:50+00:00

Hi thanks for the reply, I tried == but it still does not work.

Ye the passwords are encrypted I just took that bit out to simplify the reset script until I get it working.

iamthwee · Answer 2 · 2012-09-11T16:48:20+00:00

Try this:

if (isset($_POST['password1']) && isset($_POST['password2'])) 
    {
       if ($_POST['password1']== $_POST['password2']) 
       {
          $realp = $_POST['password1'];
          echo($realp);
          $link = mysql_connect('localhost', 'root', ''); 

         if (!$link) 
         { 
          die('Could not connect: ' . mysql_error()); 
         } 

        mysql_select_db(''); 

        $query = "UPDATE users SET password='$realp' WHERE (username='$x') LIMIT 1";  
        $result = mysql_query($query);


        if (mysql_affected_rows() == 1) 
        {
            echo 'Your password has been changed. You may now <a href=\"http://example.com/login.php\">log in</a>.';
        } 
        else {
            echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
        }
        }
    }