Mystical, posted April 29, 2011

Trying to learn, but I am an old dude and this stuff spins my head like a freakin' owl. Any help would be appreciated, and you can exclude the link to PHP school as I already have it. I am trying to learn, but I gotta say it is slow going. Here is the code.

<?php
include("config.php");
mysql_connect('localhost', $_CONFIG['username'], $_CONFIG['password']);
mysql_select_db($_CONFIG['database']);

if ($_POST['email']) {
    $_POST['email'] = htmlentities($_POST['email']);
    $_POST['username'] = htmlentities($_POST['username']);

    // The form posts the login name, so it is read from $_POST here
    // (the original tested $_GET['username'], which is never set by this form).
    if ($_POST['username']) {
        $search_users = mysql_query("SELECT * FROM users WHERE login_name='" . $_POST['username'] . "'") or die(mysql_error());
        if (mysql_num_rows($search_users) == 0) {
            echo 'There are no users with that login name.';
            exit;
        }
    }

    $search_email = mysql_query("SELECT * FROM users WHERE email='" . $_POST['email'] . "'") or die(mysql_error());
    if (mysql_num_rows($search_email) == 0) {
        echo 'No users with this email.';
        exit;
    }

    // Generate a new password, mail it, then store its hash.
    $password = rand(10000, 20000);
    $fetch_data = mysql_fetch_assoc($search_email);
    $username = $fetch_data['username'];
    $body = "Mob Corruption Password Reset\n\nYour password is: " . $password
          . "\nYour login name is: " . $fetch_data['login_name']
          . "\n\nPlease login at http://www.yourdomain.com. Enjoy\n\nYours sincerely, Mob Corruption Staff.";
    $subject = "Your Forgotten Password";
    $email = $fetch_data['email'];
    $from = "From: Mob Corruption <[email protected]>";
    mail($email, $subject, $body, $from);
    mysql_query("UPDATE users SET userpass='" . md5($password) . "' WHERE login_name='" . $_POST['username'] . "' AND email='" . $_POST['email'] . "'") or die(mysql_error());

    echo '<body style="color: rgb(0, 0, 0); background-color: rgb(153, 153, 153);" alink="#000099" link="#000099" vlink="#990099">
    <div style="text-align: center;"><br> <br> <br> <br> <br>
    <big style="color: rgb(51, 255, 51);"><big><big><big><span style="font-weight: bold;">Success!</span></big></big></big></big><br> <br> <br>
    <big><big><span style="font-weight: bold;">Your new password has been sent! Please be sure to check your spam box also.</span></big><br style="font-weight: bold;">
    <span style="color: rgb(255, 0, 0);font-weight: bold;"><br>
    <big>Don\'t forget to change your password on the preferences page after you log in!</big></span><br style="font-weight: bold;">
    </big><br> <br> <br> <br>
    </div>
    </body>';
    exit;
}

echo '<body style="color: rgb(0, 0, 0); background-color: rgb(153, 153, 153);" alink="#000099" link="#000099" vlink="#990099">
<div style="text-align: center;"><br> <br> <br>
<big><big><big><b>So...You Forgot Your Password?</b></big></big></big> <br /> <br />
<img src="images/scratchhead.gif"/><br /><br />
Good thing this pissed off little yellow dude is here!<br /><br />
<big><big><span style="font-weight: bold;">Mob Corruption Password Reset</span></big></big><br><br>
(Formerly known as: I forgot my damn password, can you send me a new one?)<br> <br>
<span style="font-weight: bold;">Enter the e-mail address you signed up with and your login name and we will send you a new one</span><br>
<span style="color: rgb(204, 0, 0);font-weight: bold;"><br>
Be sure to change your password on the preferences page after you log in!</span><br> <br>
<form action="?act=FPass" method="post">
<span style="font-weight: bold;"> Email: </span><input name="email" type="text">
<span style="font-weight: bold;">Login Name:</span> <input name="username" type="text"><br> <br>
<input value="Submit" type="submit">
</form>
</div>
</body>';
?>
lucky3809, posted April 29, 2011

Change

    $_POST['email'] = htmlentities($_POST['email']);
    $_POST['username'] = htmlentities($_POST['username']);

to

    $email = mysql_real_escape_string(htmlentities($_POST['email']));
    $username = mysql_real_escape_string(htmlentities($_POST['username']));

then change all the $_POST and $_GET to the $var, like

    if ($email) {
        $search_users = mysql_query("SELECT userid FROM users WHERE login_name='$username'") or die(mysql_error());

Only select the fields you need; don't select the whole user table.
Danny696, posted April 29, 2011

> then change all the $_POST and $_GET to the $var, like...

What exactly will that do?????? :S
lucky3809, posted April 29, 2011

lol, well, I was never using $var =; it was suggested by rulerofzu. I guess it just makes the string shorter instead of typing $_GET, lol.
Galahad, posted April 29, 2011

If you're going to have a password reset form, you will need a confirmation email, as otherwise anyone will be able to change your password. You need to have an email saying something like "Please click HERE to reset your password. If you did not send out a password reset form, please ignore this email."
rulerofzu, posted April 29, 2011

> lol, well, I was never using $var =; it was suggested by rulerofzu. I guess it just makes the string shorter instead of typing $_GET, lol.

No, you misunderstood the point. In your code you were securing your $_POST or $_GET (cannot remember which) and then securing it again all throughout your queries. Using $var = means you have checked it once and therefore do not need to again and again and again. My personal preference is to never directly use $_POST or $_GET in a query.
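As an added example (not code from the thread), the following puts the three replies together: the input is read once and only ever reaches the database as a bound parameter (rulerofzu's and lucky3809's point, done with PDO prepared statements since the mysql_* functions used in the original were removed in PHP 7), only the needed columns are selected, and the password is not changed until the mailbox owner clicks a confirmation link (Galahad's point). It assumes a PDO connection in $pdo and two extra columns, reset_token_hash and reset_expires, on the users table; those names are assumptions.

```php
<?php
// Added example, not the thread's code. Assumed schema:
// users(id, login_name, email, userpass, reset_token_hash, reset_expires).
declare(strict_types=1);

// Step 1: the form handler. Untrusted input is bound, never concatenated, and
// the response is the same whether or not the account exists.
function request_reset(PDO $pdo, string $login, string $email, string $baseUrl): ?string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE login_name = ? AND email = ?');
    $stmt->execute([$login, $email]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;                       // caller still shows "check your inbox"
    }
    $token = bin2hex(random_bytes(32));    // 256-bit random token, unlike rand(10000, 20000)
    $stmt = $pdo->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), date('Y-m-d H:i:s', time() + 1800), $id]);
    // The mail carries the token; the database keeps only its hash, so a leaked
    // table row cannot be turned into a working reset link.
    return "Click the link below to choose a new password (valid for 30 minutes).\n"
         . "If you did not request a reset, ignore this email.\n\n"
         . $baseUrl . '?act=ResetConfirm&token=' . $token;
}

// Step 2: the link handler. The password changes only once the mailbox owner
// presents an unexpired token, and the token is cleared so it cannot be reused.
function confirm_reset(PDO $pdo, string $token, string $newPassword): bool
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE reset_token_hash = ? AND reset_expires > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET userpass = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?');
    return $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $id]);
}

// Wiring for the thread's form (act=FPass posts "email" and "username").
if (isset($_POST['email'], $_POST['username'])) {
    $mailBody = request_reset($pdo, $_POST['username'], $_POST['email'], 'http://www.yourdomain.com/');
    if ($mailBody !== null) {
        mail($_POST['email'], 'Mob Corruption Password Reset', $mailBody);
    }
    echo 'If that account exists, a reset link has been sent. Check your spam folder too.';
}
```

The second handler would be wired the same way for act=ResetConfirm, reading the token from the link and the new password from a form, and should still apply the usual length rules before calling confirm_reset().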