
Ok, I am stuck. I have the following code to log in. I don't think it is 100% secure, but I am having an issue writing a script that will email a link for a user to reset their password. Any help would be appreciated...

<?php
session_start();

// Status flag from the query string: 1 = just registered, 2 = just logged out
if (isset($_GET['reg'])) {
    $reg = $_GET['reg'];
} else {
    $reg = "";
}
if ($reg == 1) {
    $msg1 = "<font color=\"#FF0000\"><b>Your details have been added, please login</b></font>";
} elseif ($reg == 2) {
    $msg1 = "<font color=\"#FF0000\"><b>You have been successfully logged out.</b></font>";
}

if (isset($_POST['submit'])) {
    // Reject the form if either field is missing (the original used &&, which
    // only caught the case where both fields were empty)
    if (empty($_POST['uname']) || empty($_POST['upass'])) {
        header("Location: core/Messages.php?msg=1");
        exit();
    }

    // transfer to shorter var
    $n = $_POST['uname'];
    $p = $_POST['upass'];

    // connect to db (core/db.php is expected to open the mysql_* connection)
    require_once('core/db.php');

    // Escape the user-supplied values before interpolating them into SQL;
    // the original query pasted them in raw, so the WHERE clause could be
    // altered by what a user typed. mysql_* was removed in PHP 7: new code
    // should use mysqli/PDO prepared statements and compare against a
    // password_hash() value rather than the plaintext pw column used here.
    $n_esc = mysql_real_escape_string($n);
    $p_esc = mysql_real_escape_string($p);
    $query  = "SELECT uname, pw FROM _admin WHERE uname='$n_esc' AND pw='$p_esc'";
    $result = mysql_query($query);
    $num    = mysql_num_rows($result);

    if ($num > 0) {
        // put in session vars
        $_SESSION['status']   = 'logged';
        $_SESSION['username'] = $n;

        // goto next page
        header("Location: main.php");
        exit;
    } else {
        $_SESSION['status'] = 'not logged';
        header("Location: core/Messages.php?msg=2");
        exit();
    }
}
?>
Last Post by saiprem

I will just give you a suggestion; if it is OK for you, go ahead with that...

Add 2 more fields to users table.
1) verificationKey(varchar)
2) verified(Boolean)

If the user clicks on forgot password, ask for his email id or username (whichever is primary in the database).

If the user exists in your db, generate a random key, store that random key in his user record as the verificationKey, and set verified to false.

Then append the verificationKey to a URL and send that URL to his email id.

Once the user clicks the URL containing the verificationKey, show him a page to enter a new password, take the password the user entered, store the new password in his record and set verified to true.

The verified flag is necessary: if he hasn't verified, we can throw him a message to verify.

If it is difficult to do it this way, leave this solution and search for a new one...
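The flow the reply above describes, written out as an added example (it is not code from the thread or from either poster). It keeps the reply's shape, a per-user key stored in the record and emailed back as a URL, but goes a little further than the text: only a SHA-256 of the key is stored, the key expires after an hour, it is cleared on use so the link works once, and the new password is stored with password_hash() instead of in plaintext. The table and column names (users, verification_key, key_expires) are hypothetical, the thread's own table is _admin, and an in-memory SQLite database stands in for MySQL so the script runs offline; the actual mail() call is left out and the function simply returns the URL that would be sent.

```php
<?php
// Added example: password-reset flow with a hashed, expiring, single-use key.
// Table/column names are hypothetical; SQLite in memory replaces the thread's MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    pw TEXT NOT NULL,            -- password_hash() output, never the plaintext password
    verification_key TEXT,       -- sha256 of the emailed key, NULL when no reset is pending
    key_expires INTEGER          -- unix time after which the key is no longer accepted
)');

// Constructed sample user.
$ins = $db->prepare('INSERT INTO users (email, pw) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: the user submits their email. Returns the URL that would be emailed,
// or null if no such account exists. The page shown to the user should look the
// same in both cases so the form does not reveal which addresses are registered.
function request_reset(PDO $db, string $email, string $base_url): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;
    }
    $key = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $stmt = $db->prepare('UPDATE users SET verification_key = ?, key_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $key), time() + 3600, $user['id']]);
    // Only the hash is stored, so a copy of the table does not contain working links.
    return $base_url . '/reset.php?key=' . $key;
}

// Step 2: the user follows the link and posts a new password. Returns true on success.
function complete_reset(PDO $db, string $key, string $new_password): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return false;   // not the shape we issued; skip the database round trip
    }
    $stmt = $db->prepare('SELECT id, key_expires FROM users WHERE verification_key = ?');
    $stmt->execute([hash('sha256', $key)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || (int) $user['key_expires'] < time()) {
        return false;   // unknown or expired key
    }
    // Store the new hash and clear the key in one statement so the link is single-use.
    $stmt = $db->prepare('UPDATE users SET pw = ?, verification_key = NULL, key_expires = NULL WHERE id = ?');
    $stmt->execute([password_hash($new_password, PASSWORD_DEFAULT), $user['id']]);
    return true;
}

// Login check against the stored hash, replacing the thread's plaintext pw='...' comparison.
function check_login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT pw FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw']);
}

// Walk-through: request a link, use it once, confirm the second use and the old password fail.
$link = request_reset($db, 'alice@example.com', 'https://example.com');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(complete_reset($db, $q['key'], 'new-password'));
var_dump(complete_reset($db, $q['key'], 'again'));
var_dump(check_login($db, 'alice@example.com', 'new-password'));
var_dump(check_login($db, 'alice@example.com', 'old-password'));
```

In production the link would go out through mail() or a mail library rather than being returned, and the reset page should also invalidate existing sessions for that user once the password changes.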
