
I am building a password reset form for my hobby site; the form itself is working beautifully. I use Dreamweaver CS5, and I have only posted the RELEVANT code to my question. The question has nothing to do with security.

If the password reset fails, for any reason, I want to redirect the user to a specific page. I am not sure where or how to do that in the statement the way Dreamweaver generated it.

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1_reset")) {

    $password_md5 = md5($_POST['password']);

    $updateSQL = sprintf("UPDATE users SET password=%s WHERE username=%s AND email=%s AND security=%s",
                        GetSQLValueString($password_md5, "text"),
                        GetSQLValueString($_POST['username'], "text"),
                        GetSQLValueString($_POST['email'], "text"),
                        GetSQLValueString($_POST['security'], "text")
            );

    mysql_select_db($database_login_form, $login_form);
    $Result1 = mysql_query($updateSQL, $login_form) or die(mysql_error());

    $updateGoTo = "login.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
        $updateGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $updateGoTo));
    exit; // stop here; without exit the rest of the page still executes after the redirect header is sent
}

mysql_select_db($database_login_form, $login_form);
$query_resetpass = "SELECT * FROM users";
$resetpass = mysql_query($query_resetpass, $login_form) or die(mysql_error());
$row_resetpass = mysql_fetch_assoc($resetpass);
$totalRows_resetpass = mysql_num_rows($resetpass);

?>
  • Some sensible code indentation would be a good idea. It helps us read the code and, more importantly, it will help **you debug your code**. [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Feb 18 '17 at 23:57
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – RiggsFolly Feb 18 '17 at 23:58
  • Stop what you are doing, NOW. You are using a deprecated, unmaintained, and insecure database API. PDO and mysqli have been available for more than a decade. See http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – miken32 Feb 18 '17 at 23:59
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)**. It is deprecated and has been for years, and is gone forever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Feb 19 '17 at 00:01
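To show the redirect-on-failure the question asks for together with the `password_hash()` and PDO prepared statements the comments recommend, here is an added example. It is not the asker's code and not Dreamweaver-generated code. It assumes a PDO connection with a hypothetical DSN and credentials, a `users` table with the `username`, `email`, `security` and `password` columns used in the question, the same form field names, and a hypothetical `reset_failed.php` page to send the user to whenever the update does not happen.

```php
<?php
// Added example, not the original poster's code. Hypothetical DSN and credentials;
// substitute your own. ERRMODE_EXCEPTION makes failed queries throw instead of
// returning false, and turning off emulated prepares uses real server-side prepares.
$pdo = new PDO(
    'mysql:host=localhost;dbname=login_form;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Try to reset the password for the row matching username, email and security answer.
 * Returns true only when exactly one row was updated; anything else is a failure.
 */
function resetPassword(PDO $pdo, array $post): bool
{
    // Reject the request up front if any field is missing, not a string, or empty.
    foreach (['username', 'email', 'security', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }

    // Salted, slow hash instead of md5(); the login page checks it with password_verify().
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    // Same WHERE clause as the Dreamweaver statement, but as a prepared statement:
    // the values are bound as parameters, never interpolated into the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE users SET password = :password
          WHERE username = :username AND email = :email AND security = :security'
    );
    $stmt->execute([
        ':password' => $hash,
        ':username' => $post['username'],
        ':email'    => $post['email'],
        ':security' => $post['security'],
    ]);

    // rowCount() is the number of rows MySQL changed. password_hash() uses a fresh
    // salt on every call, so a matched row always counts as changed; 0 means the
    // username/email/security combination matched nothing, and more than 1 means
    // duplicate accounts, which is treated as a failure rather than silently accepted.
    return $stmt->rowCount() === 1;
}

if (isset($_POST['MM_update']) && $_POST['MM_update'] === 'form1_reset') {
    try {
        $ok = resetPassword($pdo, $_POST);
    } catch (PDOException $e) {
        // Log the details server side; the user only ever sees the generic failure page.
        error_log('password reset failed: ' . $e->getMessage());
        $ok = false;
    }

    // One redirect for success, one for any failure (no match, bad input, DB error).
    header('Location: ' . ($ok ? 'login.php' : 'reset_failed.php'));
    exit; // without exit the rest of the page would still execute after the redirect
}
```

The `password` column has to be wide enough for `password_hash()` output (at least 60 characters; `VARCHAR(255)` is the usual choice), and the login page must switch from comparing `md5()` values to calling `password_verify()`. The example deliberately does not copy the request's query string onto the redirect target, since nothing in the reset needs it, and it does not tell the user which of the three fields failed to match.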
