0

Hi I am trying to write a password reset script. An email with a link is sent to the user, and then if the username and a 32 character string in the link match the info in the database they can change the password for that account. Here is what I've got so far:

   <?php
    session_start();
    error_reporting(E_ALL ^ E_NOTICE);

    if (isset($_GET['x'])) {
        $x = $_GET['x'];
    } else {
        $x = 0;
    }
    if (isset($_GET['y'])) {
        $y = $_GET['y'];
    } else {
        $y = 0;
    }

    if (strlen($y) > 0) {

    echo '<form action="reset.php" method="post">

        <p><input type="password" name="password1" size="30" maxlength="40" />Password</p>

        <p><input type="password" name="password2" size="30" maxlength="40" />Confirm Password</p>

        <p><input type="submit" name="submit" value="Reset" /></p>
    </form>';

    }
    else {

        echo 'Link not valid!';

    }


    if (isset($_POST['password1']) && isset($_POST['password2'])) {
            if ($_POST['password1']=$_POST['password2']) {

    $realp = $_POST['password1'];

        $link = mysql_connect('', '', ''); 
    if (!$link) { 
        die('Could not connect: ' . mysql_error()); 
    } 
    mysql_select_db(); 

    $query = "UPDATE users SET password=$realp WHERE (username='" . $x . "'  AND password='" . $y . "') LIMIT 1";  
        $result = mysql_query($query);

        if (mysql_affected_rows() == 1) {

            echo 'Your password has been changed. You may now <a href=\"http://example.com/login.php\">log in</a>.';
        } else {
            echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
        }

            }
    }


    ?>

When I test it it says the password could not be changed...

Thanks for any help
Gilgil

2
Contributors
3
Replies
11
Views
5 Years
Discussion Span
Last Post by iamthwee
0

I've not really looked at it but line 36 looks like you need two equal signs ==

Additionally, it would be a damn good idea to at least encrypt your passwords, one time hashes such as MD5 seem popular ATM.

0

Hi thanks for the reply, I tried == but it still does not work.

Ye the passwords are encrypted I just took that bit out to simplify the reset script until I get it working.

0

Try this:

if (isset($_POST['password1']) && isset($_POST['password2'])) 
    {
       if ($_POST['password1']== $_POST['password2']) 
       {
          $realp = $_POST['password1'];
          echo($realp);
          $link = mysql_connect('localhost', 'root', ''); 

         if (!$link) 
         { 
          die('Could not connect: ' . mysql_error()); 
         } 

        mysql_select_db(''); 

        $query = "UPDATE users SET password='$realp' WHERE (username='$x') LIMIT 1";  
        $result = mysql_query($query);


        if (mysql_affected_rows() == 1) 
        {
            echo 'Your password has been changed. You may now <a href=\"http://example.com/login.php\">log in</a>.';
        } 
        else {
            echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
        }
        }
    }
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.