Hey everyone, I'm making a login system (in an attempt to advance my PHP knowledge). I've successfully made a system which registers the user (and uses md5 on their password), and also a login page which queries the database on the login info they supply (with the supplied password also being run through md5 so it matches the database).

My problem is this: What if someone forgets their password? md5 is (from what I've read) irreversible so my only option would be to reset the password right? If so then is this a logical step by step process?

1) Generate a random code and store it to that users record (meaning I'll need another field called deletion_code or something right?)
2) Email them the code
3) They'll go to a deletion confirmation page where they paste the code and their new password, and submit.
4) The password will be md5'd and updated. The deletion_code field of that users record will be blanked.

Any feedback would be much appreciated. I also have one other problem. Currently the unique ID of the members table is ID but should I change that to email? It seems more relevant, or can I have two primary keys?

Also if someone attempts to register an email already in the database, what is the error that comes back and how can I catch it? (for example in file uploads if the file size is too big, the 'error' attribute comes back with a value of 2).

Thanks for any help at all guys,


Anthony

Sounds like you got it right. I had ran into the same problem. I had created the random password and inserted that into the db as their password. Sent them a link including and identifier (reset.php?indent=12345). When the user clicks on this link they will go to the reset page. Here they need to enter their new password that was in the email, enter new password and confirm. This replaced the random password with the password of their choice.
I use and id as the primarykey auto incremented. This way its always unique. I think its easier to reference other tables as well.
Looks like your on the right track...

Missed your email question. I have used this in the past.

$emailcheck = $_POST['email'];
$check = mysql_query("SELECT email FROM users WHERE email = '$emailcheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);

//if the email exists it gives an error
if ($check2 != 0) {
die('Sorry, the email '.$_POST['email'].' is already in use.');
}

Hope this helps.

Here is another way to create your table...

CREATE TABLE `users` (
  `ID` int(11) NOT NULL auto_increment,
  `Username` varchar(255) NOT NULL default '',
  `Password` varchar(255) NOT NULL default '',
  `date_registered` int(11) NOT NULL default '0',
  `Temp_pass` varchar(55) default NULL,
  `Temp_pass_active` tinyint(1) NOT NULL default '0',
  `Email` varchar(255) NOT NULL default '',
  `Active` int(11) NOT NULL default '0',
  `Level_access` int(11) NOT NULL default '2',
  `Random_key` varchar(32) default NULL,
  PRIMARY KEY  (`ID`),
  UNIQUE KEY `Username` (`Username`),
  UNIQUE KEY `Email` (`Email`)
) ENGINE=MyISAM ;

Hey to the both of you and sorry for my late reply but I am just back for a short holiday.

ProfessorPC: I tried your suggestion about the unique email error handler and it works fine, thanks a lot for that one. Also, thanks for the insight into your own resetting password journey!

Vai: Thank you for your suggestion on how I could create my table. I have used the date_registered idea so that I can judge how long a user has been registered but inactive. Is there any way I could write a script that checks to see the date, and if it's more then seven days, it will automatically purge that registration from the database?

This question has already been answered. Start a new discussion instead.