Ok, I am stuck. I have the following code to log in. I don't think it is 100% secure, but I am having an issue writing a script that will email a link for a user to reset their password. Any help would be appreciated...

<?php
session_start();

// Optional status flag passed in the query string (?reg=1 or ?reg=2)
if (isset($_GET['reg'])) {
    $reg = $_GET['reg'];
} else {
    $reg = "";
}

if ($reg == 1) {
    $msg1 = "<font color=\"#FF0000\"><b>Your details have been added, please login</b></font>";
} elseif ($reg == 2) {
    $msg1 = "<font color=\"#FF0000\"><b>You have been successfully logged out.</b></font>";
}

if (isset($_POST['submit'])) {
    // Reject the request if either field is missing (the original used &&,
    // which only caught the case where both fields were empty)
    if (empty($_POST['uname']) || empty($_POST['upass'])) {
        header("Location: core/Messages.php?msg=1");
        exit();
    }

    // transfer to shorter vars
    $n = $_POST['uname'];
    $p = $_POST['upass'];

    // connect to db (core/db.php is expected to open the mysql connection)
    require_once('core/db.php');

    // Escape the input before interpolating it into the query; without this
    // the query is open to SQL injection. Note that this still compares the
    // password in clear text against the pw column.
    $n_esc = mysql_real_escape_string($n);
    $p_esc = mysql_real_escape_string($p);
    $query = "select uname, pw from _admin where uname='$n_esc' and pw='$p_esc'";
    $result = mysql_query($query);
    if ($result === false) {
        die('Query failed: ' . mysql_error());
    }

    $num = mysql_num_rows($result);
    if ($num > 0) {
        // put in session vars
        $_SESSION['status'] = 'logged';
        $_SESSION['username'] = $n;

        // goto next page
        header("Location: main.php");
        exit;
    } else {
        $_SESSION['status'] = 'not logged';
        header("Location: core/Messages.php?msg=2");
        exit();
    }
}
?>
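For comparison, here is the same login rewritten the way it would be done today. This is an added example, not the poster's code: it assumes the `_admin` table keeps its `uname` and `pw` columns but that `pw` now stores a `password_hash()` value instead of clear text, and the PDO DSN and credentials are placeholders.

```php
<?php
// Added example: hardened version of the login above using PDO prepared
// statements and hashed passwords. Assumptions: _admin(uname, pw) where pw
// holds a password_hash() value; DSN and credentials are placeholders.
session_start();

function getDb(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns true on a successful login, false otherwise. The caller cannot tell
// "no such user" from "wrong password", which keeps account enumeration harder.
function attemptLogin(PDO $db, string $uname, string $upass): bool {
    // Bound parameters keep user input out of the SQL text entirely
    $stmt = $db->prepare('SELECT pw FROM _admin WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so the response
    // time is similar in both cases
    $hash = $row ? $row['pw'] : password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($upass, $hash);
    if (!$ok || !$row) {
        return false;
    }

    // Transparently upgrade hashes created with an older cost or algorithm
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE _admin SET pw = :h WHERE uname = :u');
        $upd->execute([':h' => password_hash($upass, PASSWORD_DEFAULT), ':u' => $uname]);
    }
    return true;
}

if (isset($_POST['submit'])) {
    if (empty($_POST['uname']) || empty($_POST['upass'])) {
        header('Location: core/Messages.php?msg=1');
        exit();
    }

    if (attemptLogin(getDb(), $_POST['uname'], $_POST['upass'])) {
        // Issue a fresh session id on login so a pre-set id cannot be reused
        session_regenerate_id(true);
        $_SESSION['status'] = 'logged';
        $_SESSION['username'] = $_POST['uname'];
        header('Location: main.php');
        exit();
    }

    $_SESSION['status'] = 'not logged';
    header('Location: core/Messages.php?msg=2');
    exit();
}
```

Existing clear-text rows would need to be migrated once (for example by hashing on the user's next successful login) before this version can replace the original.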

I will just give you a suggestion; if it is OK for you, go ahead with that...

Add 2 more fields to the users table.
1) verificationKey (varchar)
2) verified (Boolean)

If the user clicks on forgot password, ask for his email id or username (whichever is primary in the database).

If the user exists in your db, generate a random key, store that random key in his user's record as the verificationKey, and set verified to false.

Append the verificationKey to a URL and send that URL to his email id.

Once the user clicks the URL containing that verificationKey, show him a page to enter a new password, take the password the user entered, store the new password in his record and set verified to true.

The verified flag is necessary: if he hasn't verified, we can throw him a message to verify.

If it is difficult to do it this way, leave this solution and search for a new one...
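One way to wire up the flow described in this answer, as an added example rather than the answerer's code. It assumes a `users` table with `email`, `pw` (a `password_hash()` value), and the suggested `verificationKey` and `verified` columns, plus an assumed `keyExpires` datetime column so a link stops working after an hour. Two choices go beyond the answer's description: only a SHA-256 of the key is stored (so a read of the table alone does not yield a working link), and the "forgot password" form responds identically whether or not the address exists. The DSN, credentials, sender address and base URL are placeholders.

```php
<?php
// Added example of the reset flow from the answer above. Assumptions: a users
// table (id, email, pw, verificationKey, verified, keyExpires); PDO DSN,
// credentials, sender address and base URL are placeholders.
const RESET_TTL_SECONDS = 3600; // assumed one-hour validity for the emailed link

function getDb(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Step 1: the user submitted the "forgot password" form with an email address.
// Behaves the same whether or not the address is registered.
function startReset(PDO $db, string $email, string $baseUrl): void {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user) {
        return;
    }

    // 32 bytes from the CSPRNG; the raw key goes in the email, only its hash
    // is stored, and verified is reset to false as the answer suggests
    $rawKey = bin2hex(random_bytes(32));
    $expires = date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);
    $upd = $db->prepare(
        'UPDATE users SET verificationKey = :k, verified = 0, keyExpires = :x WHERE id = :id'
    );
    $upd->execute([':k' => hash('sha256', $rawKey), ':x' => $expires, ':id' => $user['id']]);

    $link = $baseUrl . '/reset.php?key=' . $rawKey;
    $body = "Someone requested a password reset for this account.\n"
          . "If that was you, open this link within one hour:\n$link\n"
          . "Otherwise you can ignore this message.";
    mail($email, 'Password reset', $body, 'From: no-reply@example.com'); // placeholder sender
}

// Looks up the account for a key taken from the emailed link. Returns the user
// id, or null when the key is malformed, unknown, already used, or expired.
function findResetUser(PDO $db, string $rawKey): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $rawKey)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id FROM users WHERE verificationKey = :k AND verified = 0 AND keyExpires > NOW()'
    );
    $stmt->execute([':k' => hash('sha256', $rawKey)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Step 2: the user opened the link and chose a new password. Stores the hash,
// sets verified to true and clears the key so the link is single-use.
function completeReset(PDO $db, string $rawKey, string $newPassword): bool {
    $userId = findResetUser($db, $rawKey);
    if ($userId === null || strlen($newPassword) < 8) {
        return false;
    }
    $upd = $db->prepare(
        'UPDATE users SET pw = :h, verified = 1, verificationKey = NULL, keyExpires = NULL WHERE id = :id'
    );
    $upd->execute([':h' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $userId]);
    return true;
}

// Minimal request routing for a single reset.php
if (isset($_POST['email'])) {
    startReset(getDb(), $_POST['email'], 'https://example.com'); // placeholder base URL
    echo 'If that address is registered, a reset link has been sent.';
} elseif (isset($_POST['key'], $_POST['newpass'])) {
    echo completeReset(getDb(), $_POST['key'], $_POST['newpass'])
        ? 'Password updated.' : 'Link invalid or expired.';
} elseif (isset($_GET['key']) && findResetUser(getDb(), $_GET['key']) !== null) {
    // Show the new-password form only for a currently valid key
    $k = htmlspecialchars($_GET['key'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="key" value="' . $k . '">'
       . 'New password: <input type="password" name="newpass"><button>Save</button></form>';
} else {
    echo 'Link invalid or expired.';
}
```

The form on the first step should be rate-limited per address and per client, since it sends mail on every request; that part is left to the web server or framework and is not shown here.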
