-1

Say a user of mine has entered their email into a reset password form, they get sent a email with a link that will bring them to the page above with special codes in their link

For example -

http://mylink.com/resetpassword.php?email=blabla@gmail.com&code=2384753

When I try to use $_GET['email'] to get the email from the link and check it with a query it doesn't work

Here is part of my code:

$email = $_GET['email'];

$check = mysqli_query($conn, "SELECT * FROM users WHERE email='$email' ");

if(mysqli_num_rows($check) == 1){

mysqli_query($conn, "UPDATE users SET password='$password' ");

}else{
    echo "failed 2";
}

But I get the failed 2 error. and I'm pretty sure it's because when I click submit all of the extras in the link go away and its just resetpassword.php

When I turn on error reporting the following appears -

Notice: Undefined index: email in /var/www/resetpass.php on line 6

Does anyone know what the problem could be?

Abijeet Patro
  • 2,842
  • 4
  • 37
  • 64
ryan2138
  • 1
  • 3
    well, for one thing I hope that's not really your update statement, that will update the passwords for EVERY user in users... – dbinns66 Apr 10 '15 at 17:49
  • Please use the MySQLi error checking methods to get the real error(s).. – Jay Blanchard Apr 10 '15 at 17:50
  • Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Apr 10 '15 at 18:48
  • nothing happens, I added the error reporting to the top, as soon as I hit submit it just says this: **Notice: Undefined index: email in /var/www/resetpass.php on line 6** And I think it's because once you hit submit all the extras after the ? in the link go away. – ryan2138 Apr 11 '15 at 01:20
  • @ryan2138 - Did you bother checking my answer? I've also cleaned up your answer and added some more info that you had added in the comments, see if you can get it reopened. – Abijeet Patro Apr 11 '15 at 19:52
  • Can you also show us somw more part of your email sending script – frunkad Apr 12 '15 at 04:56

2 Answers2

0

You need to URL encode the @ symbol and then decode it

echo urlencode('blabla@gmail.com');
//outputs blabla%40gmail.com

You also need to realize that you're passing values directly to SQL which leaves you wide open for SQL injection

And finally you have to have a WHERE statement. In this case, I'm going to assume you've already sanitized $email and $password (you REALLY need to consider password_hash for that)

mysqli_query($conn, "UPDATE users SET password='$password' WHERE email='$email' ");
Machavity
  • 30,841
  • 27
  • 92
  • 100
  • 1
    Not to mention the UPDATE query will UPDATE **ALL PASSWORDS** – Jay Blanchard Apr 10 '15 at 17:51
  • so where I send the email should I just add "urlencode('$email');? $email = to the email that the message is sent to – ryan2138 Apr 10 '15 at 17:59
  • Yes. Encode it in the email and then `urldecode` it in your processing page – Machavity Apr 10 '15 at 18:01
  • okay, but it still doesn't work. I've added urldecode('$email'); to inside the resetpass.php script (inside the if(isset($_POST['submit'])) script ). I also added WHERE email='$email' to the mysqli query, but now whenever I try to update the password nothing updates in the database. – ryan2138 Apr 10 '15 at 18:04
0

When I would suggest you do is that when the resetpassword.php page loads, you check if email and code are valid (via checks in the database) and then put these values inside a hidden field in the form on the resetpassword page.

When you are doing a submit, you're $_GET vanishes because your form's action tag is just resetpassword.php and there are no $_GET variables in that action tag.

Abijeet Patro
  • 2,842
  • 4
  • 37
  • 64