-2

I found a tutorial password-reset function that I could use for my website, so I downloaded the files and played around with the code. I didn't like theirs that much, so I deleted almost all of it and kept the important parts. Anyway, I downloaded it from here, and unfortunately now it isn't working.

Whenever I type in an email, no matter what it is, it says, "Invalid email." Any help will be appreciated. Also, I am a slight noob at PHP, but I understand all of the code here. My code is below:

<?php include "base.php"; ?>
 <html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>
<link rel="stylesheet" href="style.css" type="text/css" />
<link rel="stylesheet" href="style2.css" type="text/css" />
<link href="favicon.ico" rel="icon" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>Forgot Password</title>
</head>
<body>

    <div id="main"><h1>Forgot Password</h1>

    <p>If you forgot your password, please enter the email associated with your account, and we will send you a reset link.</p>

        <form action="" method="post" name="passwd" id="passwd">
        <fieldset>
            <label for="emailadd"><div>Email Address:</div></label><input id="emailid" name="emailid" type="text" placeholder="Your Account's Email"><br>
            <input type="submit" value="Reset Password" />
        </fieldset>
        </form>
        </div>

<?php

    if(!empty($_POST['emailid']))
    {
        $emailaddress = mysqli_real_escape_string($_POST['emailid']);
        if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $emailaddress))  // Validate email address
       {
            echo '<p id="msg"><center>That is an invalid email address. Please try again.</center></p>';
        }
        else
        {
            $query = "SELECT UserID FROM users where  EmailAddress='".$emailaddress."'";
            $result = mysqli_query($query);
            $Results = mysqli_fetch_array($result);

           if(count($Results)==1)
            {
                $encrypt = md5(XXXXXXXXXXXXXXXXXXX);
                echo '<p id="msg"><center>Your password reset link has been sent to your email.</center></p>';
                $to=$emailaddress;
                $subject="Forgot Password";
                $from = 'no-reply@XXXXXXXXXXXX.com';
                $body='Hello, <br/> <br/>Your Membership ID is:   '.$Results['id'].' <br><br>Click <a href="http://XXXXXXXXXXX.com/home/forgot/reset.php?encrypt='.$encrypt.'&action=reset">here</a> to reset your password, or follow the link below:<br><br>http://XXXXXXXXXXXX.com/home/forgot/reset.php?encrypt='.$encrypt.'&action=reset <br/> <br/>--<br>XXXXXXXXXXXX<br>Games, Tools, and so much more!';
                $headers = "From: " . strip_tags($from) . "\r\n";
                $headers .= "Reply-To: ". strip_tags($from) . "\r\n";
                $headers .= "MIME-Version: 1.0\r\n";
                $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

                mail($to,$subject,$body,$headers);

            }
            else
            {
                echo '<p id="msg"><center>Account not found. Please try again.    </center></p>';
            }
        }
    } elseif(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username'])) {

        echo "<meta http-equiv='refresh'              content='0;http://www.XXXXXXXXXXXX.com/home/main.php'/>";

    } else {

    }
//    include("html.inc"); 
?>

</body>
</html>

P.S. Base.php connects to my database, and the Xs represent either my encryption or my website address.

Thanks in advance!

user4775991
  • 127
  • 2
  • 14
  • which test its it failing, i see 3 options –  Feb 15 '16 at 02:50
  • Where are other two options. I can't see them. –  Feb 15 '16 at 03:01
  • `if(!empty($_POST['emailid']))`, `if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $emailaddress))`, `if(count($Results)==1)` –  Feb 15 '16 at 03:16

1 Answers1

1

The following functions are failing you:

  • mysqli_real_escape_string($_POST['emailid'])
  • mysqli_query($query)

Both those functions require that a db connection be passed to it and as the first parameter.

References:

Also make sure you did start the session, seeing you are using them.

Reference:

Footnotes:

If you noticed in that tutorial link that you say you followed http://www.phpgang.com/how-to-create-forget-password-form-in-php_381.html

They are passing a connection to both of those functions:

$encrypt = mysqli_real_escape_string($connection,$_GET['encrypt']);

and

$result = mysqli_query($connection,$query);

So, you need to follow that tutorial to a "T", something you did not do.

Do that, and modify your database to suit that tutorial with their code and the column types, proper lengths etc.

Oh, and MD5 isn't considered safe to use as a password hashing function.

Use one of the following:

Other links:

Important sidenote about column length:

If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

as well as or die(mysqli_error($connection)) to mysqli_query().

Something you did not show us was which MySQL API you're using to connect with.

"P.S. Base.php connects to my database, and the Xs represent either my encryption or my website address."

Make sure you are using the MySQLi API to connect with, seeing you're using mysqli_query() and not mysql_ or PDO.

  • Different APIs do not intermix.

Consult the following:

You also need to make sure that mail is available for you to use.

If not, then that is beyond the scope of this question.

Changing 

mail($to,$subject,$body,$headers);

to

if(mail($to,$subject,$body,$headers)){
   echo "Mail sent";
}
else {
   echo "Error";
}

and seeing "Mail sent", will mean that mail() has done its job.

If you see "Error", then you need to find out "why" that is.

Again, "out of scope" of the question.

Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • Thanks, I will review your edits before marking it correct, but I appreciate the feedback! – user4775991 Feb 15 '16 at 04:06
  • What did you mean when you said "update your database with their columns?" – user4775991 Feb 15 '16 at 14:20
  • @Blube what I meant was, use their code as shown. Yet if you changed column names as opposed to theirs for the table/column creation codes, make sure everything matches. Plus, MySQL will fail silently if the column lengths are not long enough. There isn't anything else I can add here, sorry. – Funk Forty Niner Feb 15 '16 at 14:22
  • Yes, I did update column names and such. Anyway, thank you for your help! – user4775991 Feb 15 '16 at 14:23
  • @Blube you're welcome. As I stated in my answer, you did not pass the db connection parameter to those 2 functions, as per shown in the links I've left in there in order for you to see what the syntax is. Also pointed out is that you can't mix `mysql_` with `mysqli_` functions, if your connection to your db is `mysql_` instead of `mysqli_` which as I said, is unknown. I also included methods for you to use to check for errors for PHP and MySQL. Use that and you will see what's happening. Also use `var_dump();` to see what's going through or not. Good luck. *Cheers* – Funk Forty Niner Feb 15 '16 at 14:26