Hi, I am trying to write a password reset script. An email with a link is sent to the user, and then if the username and a 32-character string in the link match the info in the database, they can change the password for that account. Here is what I've got so far:

    <?php
    session_start();
    error_reporting(E_ALL ^ E_NOTICE);

    if (isset($_GET['x'])) {
        $x = $_GET['x'];
    } else {
        $x = 0;
    }
    if (isset($_GET['y'])) {
        $y = $_GET['y'];
    } else {
        $y = 0;
    }

    if (strlen($y) > 0) {

    echo '<form action="reset.php" method="post">

        <p><input type="password" name="password1" size="30" maxlength="40" />Password</p>

        <p><input type="password" name="password2" size="30" maxlength="40" />Confirm Password</p>

        <p><input type="submit" name="submit" value="Reset" /></p>
    </form>';

    }
    else {

        echo 'Link not valid!';

    }


    if (isset($_POST['password1']) && isset($_POST['password2'])) {
            if ($_POST['password1']=$_POST['password2']) {

    $realp = $_POST['password1'];

        $link = mysql_connect('', '', ''); 
    if (!$link) { 
        die('Could not connect: ' . mysql_error()); 
    } 
    mysql_select_db(); 

    $query = "UPDATE users SET password=$realp WHERE (username='" . $x . "'  AND password='" . $y . "') LIMIT 1";  
        $result = mysql_query($query);

        if (mysql_affected_rows() == 1) {

            echo 'Your password has been changed. You may now <a href="http://example.com/login.php">log in</a>.';
        } else {
            echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
        }

            }
    }


    ?>

When I test it, it says the password could not be changed...

Thanks for any help
Gilgil

I've not really looked at it, but line 36 looks like you need two equal signs: ==

Additionally, it would be a damn good idea to at least encrypt your passwords; one time hashes such as MD5 seem popular ATM.

Hi, thanks for the reply. I tried == but it still does not work.

Yeah, the passwords are encrypted; I just took that bit out to simplify the reset script until I get it working.

Try this:

    if (isset($_POST['password1']) && isset($_POST['password2']))
    {
        if ($_POST['password1'] == $_POST['password2'])
        {
            $realp = $_POST['password1'];
            echo($realp); // debug: prints the submitted password
            $link = mysql_connect('localhost', 'root', '');

            if (!$link)
            {
                die('Could not connect: ' . mysql_error());
            }

            mysql_select_db('');

            // Escape both values before they go into the SQL string.
            // $x is the value read from $_GET['x'] at the top of the script.
            $query = "UPDATE users SET password='" . mysql_real_escape_string($realp)
                   . "' WHERE (username='" . mysql_real_escape_string($x) . "') LIMIT 1";
            $result = mysql_query($query);

            if (mysql_affected_rows() == 1)
            {
                echo 'Your password has been changed. You may now <a href="http://example.com/login.php">log in</a>.';
            }
            else {
                echo 'Your password could not be changed. Please re-check the link or contact the system administrator.';
            }
        }
    }
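
The reset flow discussed in this thread, as an added example that is not code from any of the posters: the form in the original script posts to `reset.php` without `x` and `y`, so the version below carries the username and token across the POST, checks the token on the update, and uses prepared statements with a hashed, expiring, single-use token. The table and column names, the `gilgil` sample user and the in-memory SQLite database are assumptions made so the example runs offline (it needs the `pdo_sqlite` extension).

```php
<?php
// Added example: schema, names and sample data are constructed for illustration.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT,
               reset_hash TEXT, reset_expires INTEGER)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['gilgil', password_hash('old-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Issue a token: the raw value goes in the e-mailed link, only its hash is stored.
function issueResetToken(PDO $db, string $user, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(16)); // 32 hex characters, as in the post
    $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE username = ?')
       ->execute([hash('sha256', $token), time() + $ttl, $user]);
    return $token;
}

// Check user + token, then set the new password and clear the token (single use).
function resetPassword(PDO $db, string $user, string $token, string $p1, string $p2): bool {
    if ($p1 === '' || $p1 !== $p2) { // comparison, not assignment
        return false;
    }
    $st = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $up = $db->prepare('UPDATE users SET password_hash = ?, reset_hash = NULL,
                        reset_expires = NULL WHERE username = ? AND reset_hash = ?');
    $up->execute([password_hash($p1, PASSWORD_DEFAULT), $user, $row['reset_hash']]);
    return $up->rowCount() === 1;
}

$db = makeDb();
$token = issueResetToken($db, 'gilgil');
// The form has to carry user and token on POST, e.g. as escaped hidden fields:
printf('<input type="hidden" name="x" value="%s"><input type="hidden" name="y" value="%s">' . "\n",
       htmlspecialchars('gilgil', ENT_QUOTES), htmlspecialchars($token, ENT_QUOTES));
var_dump(resetPassword($db, 'gilgil', 'wrong-token', 'n3w-pass', 'n3w-pass'));
var_dump(resetPassword($db, 'gilgil', $token, 'n3w-pass', 'n3w-pass'));
var_dump(resetPassword($db, 'gilgil', $token, 'again', 'again'));
```

The three `var_dump` calls exercise a wrong token, the valid token, and a replay of the already used token.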