Forgot Pass Confirmation function...

Hello.
I just wrote a simple code about Forgot Pass problem...
http://evolt.org/PHP-Login-System-with-Admin-Features?from=1150&comments_per_page=50

I ll copy all my code Here.....

CHANGE PASSWORD CONFIRMATION

1)constans.php

Code:

define("TBL_USERS_FORGOT", "users_forgot");

2)process.php

change to......

Code:

function procLogin(){
      global $session, $form;
      /* Login attempt */
      $retval = $session->login($_POST['user'], $_POST['pass'], isset($_POST['remember']));
     
      /* Login successful */
      if($retval){
     //#### DELETE USER FROM users_forgot IF IS THERE ......
     $qdelfromusers_forg="DELETE FROM users_forgot WHERE username='$session->username' ";                                //////ADDED 3 lines to delete the user from users_forgot
     $resultdelfromusers_forg = mysql_query($qdelfromusers_forg) or die("Error in qdelfromusers_forg: ".mysql_error());      //////and to uset SESSION['passinprogress']
    
     unset ($_SESSION['passinprogress']);
        header("Location: ".$session->referrer);
      }
      /* Login failed */
      else{
        $_SESSION['value_array'] = $_POST;
        $_SESSION['error_array'] = $form->getErrorArray();
        header("Location: ".$session->referrer);
      }
  }


and......

Code:

 * procForgotPass - Validates the given username then if
    * everything is fine, a new password is generated and
    * emailed to the address the user gave on sign up.
    */
  function procForgotPass(){
      global $database, $session, $mailer, $form;
      /* Username error checking */
      $subuser = $_POST['user'];
      $field = "user";  //Use field name for username
      if(!$subuser || strlen($subuser = trim($subuser)) == 0){
        $form->setError($field, "* Username not entered<br>");
      }
      else{
        /* Make sure username is in database */
        $subuser = stripslashes($subuser);
        if(strlen($subuser) < 5 || strlen($subuser) > 30 ||
            !eregi("^([0-9a-z])+$", $subuser) ||
            (!$database->usernameTaken($subuser))){
            $form->setError($field, "* Username does not exist<br>");
        }
      }
     
      /* Errors exist, have user correct them */
      if($form->num_errors > 0){
        $_SESSION['value_array'] = $_POST;
        $_SESSION['error_array'] = $form->getErrorArray();
      }
      /* Generate new password and email it to user */### Insert To users_forgot the RANDOM KEY AN mail user asking for confirmation
      else
     {
           //### GENERATE RANDOM FORGOT_PASS CODE
          function randomkeys($length)
                 {
                 $pattern = "1234567890abcdefghijklmnopqrstuvwxyz";
                 for($i=0;$i<$length;$i++)
                 {
                   $key .= $pattern{rand(0,35)};
                 }
                 return $key;
                 }               
               $randcon_forgot = randomkeys(15);
                                
           /* Generate new password */
             //  $newpass = $session->generateRandStr(8);
       
        /* Get email of user */
        $usrinf = $database->getUserInfo($subuser);
        $email  = $usrinf['email'];
           //### Check IF User already is in users_forgot
         $query_isforgoten = "SELECT * FROM ".TBL_USERS_FORGOT." WHERE username='$subuser'";
         $result_isforgoten = mysql_query($query_isforgoten) or die("Error in $query_isforgoten: ".mysql_error());
         $nr_isforgoten = @mysql_num_rows( $result_isforgoten );
       
       if($nr_isforgoten>0) //// User is in users_forgot table
       {
          $_SESSION['passinprogress'] = true;
       }
       else /////User is not in users_forgot table
       {
      
          //### Attempt to send the email with RANDCON_FORGOT
          if($mailer->sendconfirmforgot($subuser,$email,$randcon_forgot))
          {
            /* Email sent, update database */
            
            //### Insert to users_forgot e-mail and $randcon_forgot
            mysql_query("INSERT INTO ".TBL_USERS_FORGOT." VALUES ('$subuser' ,'$email', '$randcon_forgot' , now() )")or die (mysql_error());
            //echo"query = $q<br>";
   
            //$database->updateUserField($subuser, "password", md5($newpass));
            $_SESSION['forgotpass'] = true;
          }
          /* Email failure, do not change password */
          else
          {
            $_SESSION['forgotpass'] = false;
          }
        }
      }
     
      header("Location: ".$session->referrer);
  }

3) in mailer.php add ...

Code:

//###### SEND CONFIRMATION MAIT TO FORGOT PASS
  function sendconfirmforgot($user,$email,$randcon_forgot){
      $from = "From: ".EMAIL_FROM_NAME." <".EMAIL_FROM_ADDR.">";
      $subject = "Blablabla - Password Change Confirmation";
      $body = $user.",\n\n"
            ."PLEASE Confirm that you REALY WANT to change your pass "
            ."by Clicking the link  "
            ."http://www.blablabla.com/index.php?p=loghead&l=confirmreg&randomforgot=".$randcon_forgot." \n\n"
            ."blablabla.com";
           
      return mail($email,$subject,$body,$from);
  }

4)in confirmreg.php this is the new page that you have to create....

Code:

$randomforgot=$_GET['randomforgot'];

$query = "SELECT * FROM `users_forgot` WHERE `random_forgot` = '$randomforgot'";
            $result = mysql_query($query);
            $row = mysql_fetch_array($result);
            $user_forgot=$row['username'];
            
            
            if (mysql_num_rows($result)==0)
            echo " <h1>Change Password Confirmation </h1>
                  <p><h1>Failed OR Expired !!!</h1></p>
                 <p>Try to ender again your confirmation link.<p>";
                
            else
            {
              //// Find users INFOS
                      
             /* Generate new password */
             $newpass = $session->generateRandStr(8);
               
             /* Get email of user */
             $usrinf = $database->getUserInfo($user_forgot);
             $email  = $usrinf['email'];
            
             /* Attempt to send the email with new password */
             if($mailer->sendNewPass($user_forgot,$email,$newpass)){
               /* Email sent, update database */
               $database->updateUserField($user_forgot, "password", md5($newpass));
               //### DELETE From user_forgot the USER
               $del_forg_user="DELETE FROM `users_forgot` WHERE username='$user_forgot' "; 
               $result_del_forg_user = mysql_query($del_forg_user);
                                             
               unset ($_SESSION['forgotpass']);
               unset ($_SESSION['passinprogress']);
               
               echo "<p><h1>Change Password Confirmation Completed !!!</h1></p>
                     <p>A new Password is sended to your given e-mail addreass</p>
                     <p>You can Change your new Password to something easier to remeber</p>
                     <p>by clicking User Edit after you LOG-IN</p>";
             }
             /* Email failure, do not change password */
             else{
               $_SESSION['forgotpass'] = false;
             }
            
                        
            }


5) in forgotpass.php ....just add thisbefore...

Code:

if (isset($_SESSION['passinprogress']))////Change Pass in Progress
{
   if ($_SESSION['passinprogress'])
   {
      echo "<h1>Waiting for Confirmation !!!</h1>
         <p>Check in your given e-mail for a Confirmation LINK </p>";
   }
}
/**
 * Forgot Password form has been submitted and no errors
 * were found with the form (the username is in the database)
 */
else if(isset($_SESSION['forgotpass'])){  ////////The code as it is.................

PLS HELP ME TO MAKE IT PERFECT.....

Really nice addons, I will test it and implemented in my dev site and wich I will be able to give you some feedback about to make it perfect...

Can you include the 'users_forgot.sql' files to add the table into the database.

Hi..Fred-Eric...
Did you tested my code???
What you think???

NTGre wrote:Hi..Fred-Eric...
Did you tested my code???
What you think???

Cannot test it I miss some info in the "users_forgot" table

How many field into this table, and what are they?



Column count doesn't match value count at row 1

Also received the confirmation

xxxxxxx,

PLEASE Confirm that you REALY WANT to change your pass by Clicking the link http://www.blablabla.com/index.php?p=loghead&l=confirmreg&randomforgot=wzydwdgxngnihoo

blablabla.com

But you didn't include the change that must be done in the index files (main.php) to keep it original...

Hi NTGre,

can you include the sql file, i need try this modifications!

Thanks

Hi all,

I am having some issues with the forgot my password function: it doesn't work...
At first I thought: oh it's just my settings on the server, but it isn't, since registration is no issue...

Can anyone please help?

Also the above solution might help, but what is the format of the table?

Cheers.

s.w.vanderlaan wrote:Hi all,

I am having some issues with the forgot my password function: it doesn't work...
At first I thought: oh it's just my settings on the server, but it isn't, since registration is no issue...

Can anyone please help?

Also the above solution might help, but what is the format of the table?

Cheers.

If you can post your database and session codes here and maybe I can help.

Hey Bman900,

Here you. As you can see, I changed a couple of things, but I don;t think I changed the Forgot My Password function... Would be great if you could help.
But...
both files are very big (too big for these pages)... So which parts would you like to see?

Cheers,

Sander

Seeing the whole thing can help, just email it to me, balint2005_at_gmail_dot_com

I take this mod will ask for confirmation on whether the user wants to change their password? I realised that anyone can type in a username and thats it changed there password without their concent.

Has anyone got it to work? I cant be bothered to test it just now, iv been coding for weeks now and my heads abit numb.

I will test it and implemented in my dev site and wich I will be able to give you some feedback about to make it perfect.
Company Formation
Company Registration