Mystical Posted April 29, 2011 Posted April 29, 2011 Trying to learn but I am an old dude and this stuff spins my head like a freekin owl. Any help would be appreciated and you can exclude the link to php school as I already have it.... I am trying to learn but I gotta say it is slow going. Here is the code. <?php include("config.php"); mysql_connect('localhost',$_CONFIG['username'],$_CONFIG['password']); mysql_select_db($_CONFIG['database']); if($_POST['email']) { $_POST['email'] = htmlentities($_POST['email']); $_POST['username'] = htmlentities($_POST['username']); if($_GET['username']) { $search_users = mysql_query("SELECT * FROM users WHERE login_name='".$_POST['username']."'") or die(mysql_error()); if(mysql_num_rows($search_users) == 0) { echo 'There is no user\'s with that login name.'; exit; } } $search_email = mysql_query ("SELECT * FROM users WHERE email='".$_POST['email']."'") or die(mysql_error()); if(mysql_num_rows($search_email) == 0) { echo 'No user\'s with this email.'; exit; } $password = rand(10000,20000); $fetch_data = mysql_fetch_assoc($search_email); $username = $fetch_data['username']; $body = "Mob Corruption Password Reset\n\nYour password is: ".$password."\nYour login name is: ".$fetch_data['login_name']."\n\nPlease login at http://www.yourdomain.com. Enjoy\n\nYour's sincerly Mob Corruption Staff."; $subject = "Your Forgotten Password"; $email = $fetch_data['email']; $from = "From: Mob Corruption <[email protected]>"; mail($email, $subject, $body, $from); mysql_query("UPDATE users SET userpass='".md5($password)."' WHERE login_name='".$_POST['username']."' AND email='".$_POST['email']."'") or die(mysql_error()); echo '<body style="color: rgb(0, 0, 0); background-color: rgb(153, 153, 153);" alink="#000099" link="#000099" vlink="#990099"> <div style="text-align: center;"><br> <br> <br> <br> <br> <big style="color: rgb(51, 255, 51);"><big><big><big><span style="font-weight: bold;">Success!</span></big></big></big></big><br> <br> <br> <big><big><span style="font-weight: bold;">Your new password has been sent! Please be sure to check your spam box also.</span></big><br style="font-weight: bold;"> <span style="color: rgb(255, 0, 0);font-weight: bold;"><br> <big>Dont forget to change your password on the preferences page after you log in!</big></span><br style="font-weight: bold;"> </big><br> <br> <br> <br> </div> </body> '; exit; } echo '<body style="color: rgb(0, 0, 0); background-color: rgb(153, 153, 153);" alink="#000099" link="#000099" vlink="#990099"> <div style="text-align: center;"><br> <br> <br> <big><big><big><b>So...You Forgot Your Password?</b></big></big></big> <br /> <br /> <img src="images/scratchhead.gif"/><br /><br /> Good thing this pissed off little yellow dude is here!<br /><br /> <big><big><span style="font-weight: bold;">Mob Corruption Password Reset</span></big></big><br><br> (Formerly known as : I forgot my damn password can you send me a new one?)<br> <br> <span style="font-weight: bold;">Enter the e-mail address you signed up with and your login name and we will send you a new one</span><br> <span style="color: rgb(204, 0, 0);font-weight: bold;"><br> Be sure to change your password on the preferences page after you log in!</span><br> <br> <form action="?act=FPass" method="post"><span style="font-weight: bold;"> Email: </span><input name="email" type="text"> <span style="font-weight: bold;">Login Name:</span> <input name="username" type="text"><br> <br> <input value="Submit" type="submit"> </form> </div> </body> '; ?> Quote
lucky3809 Posted April 29, 2011 Posted April 29, 2011 change $_POST['email'] = htmlentities($_POST['email']); $_POST['username'] = htmlentities($_POST['username']); to... $email= mysql_real_escape_string(htmlentities($_POST['email'])); $username = mysql_real_escape_string(htmlentities($_POST['username'])); then change all the $_POST and $_GET with the $var like... if($email){ $search_users = mysql_query("SELECT userid FROM users WHERE login_name='$username'") or die(mysql_error()); Only select fields you need, don't select the whole user table. Quote
Danny696 Posted April 29, 2011 Posted April 29, 2011 then change all the $_POST and $_GET with the $var like... What exacally will that do?????? :S Quote
lucky3809 Posted April 29, 2011 Posted April 29, 2011 lol well I was never using $var= it was suggested by rulerofzu... I guess it just makes the string shorter instead of typing $_GET lol. Quote
Galahad Posted April 29, 2011 Posted April 29, 2011 If your going to have a password reset form, you will need a confirmation email as anyone will be able to change your password. You need to have a email saying something like "Please click HERE to reset your password. If you did not send out a password reset form, please ignore this email" Quote
rulerofzu Posted April 29, 2011 Posted April 29, 2011 lol well I was never using $var= it was suggested by rulerofzu... I guess it just makes the string shorter instead of typing $_GET lol. No you misunderstood the point in your code you was securing your $_POST or $_GET (cannot remember which) and then securing it again all throughout your queries. So using $var= means you have checked it and therefore do not need to again and again and again. My personal preference is to never directly use $_POST or $_GET in a query. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.