Password recovery mail by PHP is not working

Question

I am trying to create a script to recover passwords by mail, but it does not work. Previously It came with an error that the e-mail was invalid. Now its ends me the mail but with the encrypted password in it.

Please help me to decrypt the password Any lead for this error is highly appreciable

  <?php
    require_once("config.php");    //Database Connection

    //Catch Field Data
    $email     =     $_POST['email'];
    $submitted    =    $_POST['submitted'];

    if($email) {
        $query        =    printf("SELECT * FROM registration where email='$email'");
        $result        =    mysql_query($query);
        $rowAccount    =    mysql_fetch_array($result);
    }

    if ($rowAccount) {

        $subject = "Your goprestige Username / Password Reminder";
        $headers = "From: info@abc.com";
        $fname = $rowAccount['fname'];
        $password = $rowAccount['password'];
        $msg = "<h1>My abc Admin</h1>
        <p>Hello '$user'!</p>
        <p>Here is the username/password reminder you requested. If you didn't request this reminder then don't panic too much, the likely hood of someone gaining access is minimal. Thank you abc </p>
        <p>Username: '$fname'</p>
        <p>Password: '$password'</p>
        <p>Many thanks, the abc Support Team.</p>
        ";

        $success = mail($email, $subject, $msg, $headers);

        if($success) {
            echo "<p id=errors>Reminder Success: Your Username and Password have been emailed to $email";
        }
    } else ($submitted) {
        echo '<p id="errors">Reminder Failed: The email you entered was not found on the system, please try again.</p>';
    }
?>

HTML

 <form class="form-horizontal ct-u-paddingBottom20" action="php/forget.php" method="post" id="passwd" style="display:none;">
                          <div class="form-group">
                                <label for="username" class="col-sm-2 control-label">Useremail: </label>
                                <div class="col-sm-10">
                                    <input type="text" class="form-control" id="email" name="email" placeholder="enter your email id" required>
                                </div>
                            </div>
                          <div>
                              <center>
                                  <span style="color:green;display:none;" class="success-footer"><h4 style="margin-left: 0px;">password link is sent  </h4></span>
                                  <span style="color:orange;display:none;" class="error-footer"><h4 style="margin-left: 0px;">invalid email</h4></span>
                                </center>
                          </div>
                          <div class="form-group">
                                <div class="col-sm-offset-2 col-sm-10">
                                     <p><input type="submit" value="Reset Password" /></p>
                                </div>
                            </div>


                       </form>

Javascript

<script type="text/javascript">

          var frm = $('#passwd');
          frm.submit(function (ev) {
              $.ajax({
                  type: frm.attr('method'),
                  url: frm.attr('action'),
                  data: frm.serialize(),
                  success: function (data) {
            //alert(data);
                      if (data) {
                        //alert('data');
                        $('.success-footer').css('display','block');
                      }
                      else{
                        $('.error-footer').css('display','block')
                      }
                  }
              });

              ev.preventDefault();

          });
      </script>

Answer 1

I'm assuming that your are using xampp to send the email. If that's the case, please follow the guidelines under in this discussion How to configure XAMPP to send mail from localhost? to configure your email settings.

here's the sample code

<?php
$Results['id'] = 1;
$message = "Your password reset link send to your e-mail address.";
$to      = 'your_email_id@gmail.com';
$subject = "Forget Password";
$from    = 'info@abc.com';
// $body    = 'Hi, <br/> <br/>Your Membership ID is '.$Results['id'].' <br><br>Click here to reset your password http://google.com/login-signup-in-php/reset.php?encrypt='.$encrypt.'&action=reset .';
$body    = "Hello";
$headers = "From: " . strip_tags($from) . "\r\n";
$headers .= "Reply-To: ". strip_tags($from) . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

mail($to, $subject, $message, $headers);
?>

If you follow correctly the guidelines, try the given code above which basically from your code and removed temporarily some data which fetched from the database just to generate a test if mail is sending data. If successful, then it's the time you put it back to

if (condition) {
  # code...
} else {
  # code...
}

of your code.

Hope this help the problem

Answer 2

Typically passwords are hashed, not encoded. The difference is that a hash cannot be "unhashed" to bring back the original password. In the password saving function of your code, checkif you used the password_hash() function. If you did, you can't get that password back.

That's actually a good thing because password reminders are generally an unsecure way of providing a "Forgot password" function. See Troy Hunt's article on building a secure password reset function (http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html)

A couple of solutions could be:

1) Provide a one-time, time-limited use password that they can use to change their password. Ensure that only one of these are live at any moment.

2) Provide a link to a unique url that would allow the user to be challenged with something, such as a security question, to validate that they are not only the recipient of the email, but actually the person who requested the password change.

The second option would be more secure as it would provide an extra layer of validation at the cost, of course, of convenience to the user.

Answer 3

Update your jquery ajax like this:

$.ajax({
  method: "POST",
  .....
})

because method is default: 'GET'