#1
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2012 | Posts: 153 | Rep Power: 13

    PHP Email Problem


    Hi

    I have created a PHP forgotten password page, but when I receive the forgotten password email I only get the email address in the email and not the username and password; it's not collecting the username and password data for some reason.

    The php coding is below in the forgottenpassword.php

    PHP Code:
    <?php
    if($go == "1") {
        $connect = mysql_connect("host","username","password");
        if (!$connect) {
            die("MySQL could not connect!");
        }
        $DB = mysql_select_db('databasename');
        if(!$DB) {
            die("My SQL could not select Database!");
        }
    }
    $Username = $_POST['username'];
    $Email = $_POST['email'];
    $Email1 = "@";
    $Email_Check = strpos($Email,$Email1);
    $Password = $_POST['password'];
    $message_field = $_POST['username, password'];
    $message = "$Email$Username$Password$message_field";
    ?>
    <?php
    //These are the variables for the email
    $sendto = $_POST['email']; // this is the email address collected from the form
    $ccto = "ianhaney@irhwebsites.co.uk"; //you can cc it to yourself
    $subject = "Your Registration Details"; // Subject
    $message = "Email Address: " . $Email . "\n\n" . "Username: " . $Username . "\n\n" . "Password: " . $Password . "\n\n" . "$message_field";
    $header = "From: ianhaney@irhwebsites.co.uk\r\n";
    $header .= "Reply-to: ianhaney@irhwebsites.co.uk\r\n";
    // This is the function to send the email
    mail($sendto, $subject, $message, $header, $message_field);
    echo "Your password has been sent to ". $Email .".";
    ?>
    Below is what the email comes out like

    Email Address: ianhaney@irhwebsites.co.uk

    Username:

    Password:

    my html form is below

    Code:
    <form action="forgotpassword.php" method="post">
      E-mail: <input type="text" name="email" size="24" border="0">
      <br>
      <input type="hidden" name="username" border="0">
      <input type="hidden" name="password" border="0">
      <input type="hidden" name="go" value="1" border="0">
      <input type="submit" name="submitButtonName" value="Submit" border="0">
    </form>
    Please help, I've been stuck on this for a while now.

    Kind regards

    Ian
#2
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)
    Join Date: Dec 2003 | Posts: 2,547 | Rep Power: 2337
    If you can -- and do -- actually send the user's password to the user, you're doing it wrong!!! You should never store the user's password in cleartext in the database; it should be salted and hashed.
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
#3
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005 | Posts: 102 | Rep Power: 10
    Hi Ian,

    You're not getting any password or username data, as you're trying to recover it from the form without actually specifying a value in the form.

    For security reasons, password recovery forms should create a new password and send it to the user. The reason for this is that passwords should be encrypted in the database, and not readable. All the password recovery form should do is send your PHP page the email address or username (whatever the user uses to log in to the site). You should then generate a random password and new salts, store the new password and salts in the database and send the new password to the user.

    You also have absolutely no security surrounding the POST information. Look up the mysql_escape_string PHP function. At the moment, someone with bad intentions could use this script to spam people using your website.

    You should follow these rough steps:
    1) Get email address/user name from the form.
    2) Query your database using the email address/username to make sure the user is valid. You could also get the user's ID number to make the following queries a bit easier.
    3) Generate a new random password and new salts
    4) Encrypt the new password with the salts value and store the encrypted password and the unencrypted salts value in the database against the user.
    5) Email the user the new (unencrypted) password.

    Try reading this:
    http://www.richardlord.net/blog/php-password-security
    and this:
    http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/
#4
    Sarcky
    Devshed Supreme Being (6500+ posts)
    Join Date: Oct 2006 | Location: Pennsylvania, USA | Posts: 10,846 | Rep Power: 6351
    Quote (from #3):
        For security reasons, password recovery forms should create a new password and send it to the user. The reason for this is that passwords should be encrypted in the database, and not readable. All the password recovery form should do is send your PHP page the email address or username (whatever the user uses to log in to the site). You should then generate a random password and new salts, store the new password and salts in the database and send the new password to the user.
    Better yet, generate a one-time key which allows the user to change their password on the site. Many users won't change their password unless forced to, even if it's sitting in their inbox in plaintext.

    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
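The flow recommended in #3 (look the account up by address with a parameterised query, never mail a stored password) combined with the one-time key from #4, as an added example; this is not code from the thread or from any of its posters. The reset token is random, stored only as a hash, expires, and is invalidated once used; the new password is stored with password_hash(). Assumptions: PHP 7.1 or later, PDO with the sqlite driver (an in-memory database is constructed inline so the example runs offline; swap the DSN for a MySQL one in production), the users/password_resets table layout, the example.invalid host names, the one-hour token lifetime and the 12-character minimum password length.

```php
<?php
// Added example (not the thread's code): token-based password reset.
// Assumptions: PHP >= 7.1, PDO sqlite driver for the offline demo,
// table/column names, example.invalid hosts, 1h TTL, 12-char minimum password.
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed)

function connect(): PDO
{
    // Constructed in-memory database with one test account so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
    $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
       ->execute(['ian@example.invalid', password_hash('old-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Steps 1-3 of #3 with #4's one-time key: validate the address, find the account,
// mint a random token and store only its hash. Returns the raw token to mail, or null.
// The caller must reply with the same message either way so addresses cannot be enumerated.
function createResetToken(PDO $db, string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // also rules out the CR/LF that mail() header injection needs
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?'); // bound parameter, not string-built SQL
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));  // 256-bit secret, goes to the user only
    $tokenHash = hash('sha256', $token); // DB holds the hash: a leaked table cannot redeem tokens
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, $tokenHash, time() + RESET_TOKEN_TTL]);
    return $token;
}

// Builds the mail() arguments. The link and sender address are assumptions.
function buildResetMail(string $to, string $token): array
{
    $link = 'https://example.invalid/reset.php?token=' . urlencode($token);
    $body = "Use this link within one hour to choose a new password:\n$link\n";
    $headers = "From: noreply@example.invalid\r\n";
    return [$to, 'Password reset', $body, $headers];
}

// Redeem the token once: set the new password hash and delete the token in one transaction.
function consumeResetToken(PDO $db, string $token, string $newPassword): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token) || strlen($newPassword) < 12) {
        return false;
    }
    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false; // unknown, expired or already-used token
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->commit();
    return true;
}

// Demo run against the constructed database.
$db = connect();
$token = createResetToken($db, 'ian@example.invalid');
if ($token !== null) {
    [$to, $subject, $body, $headers] = buildResetMail('ian@example.invalid', $token);
    // mail($to, $subject, $body, $headers); // send for real in production
    $first = consumeResetToken($db, $token, 'correct horse battery staple');
    $second = consumeResetToken($db, $token, 'correct horse battery staple'); // rejected: token consumed
    echo 'first attempt: ', var_export($first, true), ', second attempt: ', var_export($second, true), "\n";
}
echo 'reset mail sent if the account exists', "\n"; // same response for known and unknown addresses
```

The spam risk #3 raises comes from passing raw POST data to mail(): an address containing CR/LF can append extra recipients or headers. Validating with FILTER_VALIDATE_EMAIL before the lookup closes that, and the prepared statements replace mysql_escape_string entirely. Note that the mysql_* functions the original script uses were removed in PHP 7; PDO or mysqli is the replacement.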
