
I have got some script from the internet to allow the customer to reset their password if they need to, but I can't seem to get it to work.

This is how I have implemented it:

<?php
    error_reporting(0);
    $EmailAddress=$_POST['EmailAddress'];

    if($_POST['submit']=='Send')
    {
        require "db.inc";
        $query="SELECT * from members WHERE EmailAddress='$EmailAddress'";
        $result=mysql_query($query) or die(mysql_error());

        if(mysql_num_rows($result))
        {
            echo "User exist";
        }
        else
        {
            echo "No user exist with this email id1";
        }
    }

    // $result is only assigned inside the block above
    if(mysql_num_rows($result))
    {
        $code=rand(100,999);
        $message="Your activation link is: http://yourwebsitename.com/forgot.php?EmailAddress=$EmailAddress&code=$code";
        mail($EmailAddress, "Subject Goes Here", $message);
        echo "Email sent";
    }
    else
    {
        echo "No user exist with this email id2";
    }
?>

And this is the form that redirects to this page

<form method="POST" action="EmailPassword.php">
    <div class="Row">
        <div class="Lable">Email Address:</div> <!--End of Lable-->
        <div class="input">
            <input type="email" id="EmailAddress" class="detail" name="EmailAddress" placeholder="Email Address" required />
        </div> <!--End input-->
    </div> <!--End row-->

    <br />
    <div class="submit">
        <input type="submit" id="Reset" Name="submit" value="Send Password" /> 
    </div><!--End of .submit-->
</form>

The error I'm getting is

No user exists with this email id2.

Nasreddine
Kie21
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 29 '14 at 15:14
  • 1
    You're missing all the code that tries to read the data from the URL you are sending in the email – Quentin Mar 29 '14 at 15:16
  • 1
    Yes, what @Quentin said, there has to be more code, probably between the two identical if statements (id1 and id2). – Shomz Mar 29 '14 at 15:17

1 Answer


You need to write your random code into the database (or wherever you want) and bind it to the user's email. Then, when the user opens the activation link, you need a piece of code similar to the one you have to handle it. But this time you'll be reading the GET variables and selecting the database record that matches the email and the temp code. Like this, for example:

SELECT id FROM members WHERE EmailAddress='$EmailAddress' AND tmpCode='$code';
// make sure to sanitize those inputs, otherwise Bobby Tables might join in!!
// this query assumes you have a VARCHAR field tmpCode in your members table

Only after that you can send user a new password or take them to the create new password screen.

Meet Bobby Tables

Shomz
  • Thanks for this. When you say write the random code into the database, do you mean add an extra column for the random code to be inserted into? I'm new to all this. Also, I only have a week to hand this project in, so I'm not too bothered about security at the moment as we are not marked on this. I know it's bad practice, but I will be coming back to it. – Kie21 Mar 29 '14 at 15:34
  • You're welcome. Yes, adding a field to the db is one way to do it; that's what my line of code assumes. I'd suggest you start doing it right from day one, because sometimes it's hard to get rid of bad habits. Be very careful with scripts you find online, especially if you're not sure what and **how** they do something. For example, that script you took can be exploited, and/because it uses deprecated mysql functions (it's probably quite old - mysqli and PDO have been considered standard for a while now; learn about their prepared statements). – Shomz Mar 29 '14 at 15:37
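The two-step flow Shomz describes (store a code bound to the email, then match email and code when the link is opened), written out as an added example that is not the asker's script and not code from the answer. It uses PDO prepared statements in place of the obsolete mysql_* calls, so the email address and code are bound as parameters rather than spliced into the query text. It does not compare the submit button's value at all, so the form's "Send Password" label is irrelevant to it. The `password_resets` table, the `$pdo` connection string, and passing PHP's `mail()` as the sender callback are assumptions made for this example; the `members.EmailAddress` column and the `forgot.php?EmailAddress=...&code=...` link shape come from the question.

```php
<?php
// Added example, not the page's own code. Assumes a table
//   password_resets(email VARCHAR, token_hash CHAR(64), expires_at INT)
// alongside the members(EmailAddress, ...) table from the question.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600; // reset links stop working after one hour

function requestReset(PDO $pdo, string $email, callable $sendMail): void
{
    // Bound parameter: the submitted address never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT 1 FROM members WHERE EmailAddress = ?');
    $stmt->execute([$email]);
    $exists = (bool) $stmt->fetchColumn();

    if ($exists) {
        // 32 random bytes -> 64 hex characters; rand(100, 999) offers only 900 values.
        $token = bin2hex(random_bytes(32));
        // Store a hash of the token, so a leaked table does not expose usable links.
        $ins = $pdo->prepare(
            'INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)'
        );
        $ins->execute([$email, hash('sha256', $token), time() + RESET_TTL_SECONDS]);

        // http_build_query URL-encodes both values, unlike the interpolated string on the page.
        $link = 'https://yourwebsitename.com/forgot.php?' . http_build_query([
            'EmailAddress' => $email,
            'code'         => $token,
        ]);
        $sendMail($email, 'Password reset', "Your reset link is: $link");
    }
    // Same response either way, so the page does not reveal which addresses exist.
    echo 'If that address is registered, a reset link has been sent.';
}

function verifyReset(PDO $pdo, string $email, string $token): bool
{
    // The GET handler from the answer: match email AND code, ignoring expired rows.
    $stmt = $pdo->prepare(
        'SELECT token_hash FROM password_resets WHERE email = ? AND expires_at > ?'
    );
    $stmt->execute([$email, time()]);
    $candidate = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $storedHash) {
        // Constant-time comparison of the two hashes.
        if (hash_equals($storedHash, $candidate)) {
            // One-time use: remove the row before the new-password screen is shown.
            $del = $pdo->prepare('DELETE FROM password_resets WHERE email = ?');
            $del->execute([$email]);
            return true;
        }
    }
    return false;
}

// Dispatch: a POST from the form requests a reset; a GET with email and code verifies it.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['EmailAddress'])) {
    requestReset($pdo, (string) $_POST['EmailAddress'], 'mail');
} elseif (isset($_GET['EmailAddress'], $_GET['code'])) {
    if (verifyReset($pdo, (string) $_GET['EmailAddress'], (string) $_GET['code'])) {
        echo 'Code accepted: show the new-password form here.';
    } else {
        echo 'Invalid or expired reset link.';
    }
}
```

Three choices worth noting: the code is generated with `random_bytes()` rather than `rand(100, 999)`, only its hash is stored, and the row is deleted once it has been used, so a link cannot be replayed after the password has been changed.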