PHP Email Problem (PHP Development forum, Dev Shed)
Posts: 91
Time spent in forums: 15 h 23 sec
Reputation Power: 11
PHP-General - PHP Email Problem
Hi
I have created a PHP forgotten password page, but when I receive the forgotten password email I only get the email address in the email and not the username and password; it's not collecting the username and password data for some reason.
The PHP code is below, from forgottenpassword.php:
PHP Code:
<?php
if($go == "1") {
    $connect = mysql_connect("host","username","password");
    if (!$connect) {
        die("MySQL could not connect!");
    }
    $DB = mysql_select_db('databasename');
    if(!$DB) {
        die("My SQL could not select Database!");
    }
}
$Username = $_POST['username'];
$Email = $_POST['email'];
$Email1 = "@";
$Email_Check = strpos($Email,$Email1);
$Password = $_POST['password'];
$message_field = $_POST['username, password'];
$message = "$Email, $Username, $Password, $message_field";
?><?php
//These are the variables for the email
$sendto = $_POST['email']; // this is the email address collected from the form
$ccto = "ianhaney@irhwebsites.co.uk"; //you can cc it to yourself
$subject = "Your Registration Details"; // Subject
$message = "Email Address: " . $Email . "\n\n" . "Username: " . $Username . "\n\n" . "Password: " . $Password . "\n\n" . "$message_field";
$header = "From: ianhaney@irhwebsites.co.uk\r\n";
$header .= "Reply-to: ianhaney@irhwebsites.co.uk\r\n";
// This is the function to send the email
mail($sendto, $subject, $message, $header, $message_field);
echo "Your password has been sent to ". $Email .".";
?>
Posts: 2,476
Time spent in forums: 1 Month 2 Weeks 2 Days 4 h 17 m 41 sec
Reputation Power: 2194
If you can -- and do -- actually send the user's password to the user, you're doing it wrong!!! You should never store the user's password in cleartext in the database; it should be salted and hashed.
__________________
I ♥ ManiacDan & requinix
This is a sig, and not necessarily a comment on the OP: Please don't be a help vampire!
Posts: 102
Time spent in forums: 1 Day 4 h 51 m 48 sec
Reputation Power: 9
Hi Ian,
You're not getting any password or username data, as you're trying to recover it from the form without actually specifying a value in the form.
For security reasons, password recovery forms should create a new password and send it to the user. The reason for this is that passwords should be encrypted in the database, and not readable. All the password recovery form should do is send your PHP page the email address or username (whatever the user uses to log in to the site). You should then generate a random password and new salts, store the new password and salts in the database and send the new password to the user.
You also have absolutely no security surrounding the POST information. Look up the mysql_escape_string PHP function. At the moment, someone with bad intentions could use this script to spam people using your website.
You should follow these rough steps:
1) Get email address/user name from the form.
2) Query your database using the email address/username to make sure the user is valid. You could also get the user's ID number to make the following queries a bit easier.
3) Generate a new random password and new salts
4) Encrypt the new password with the salts value and store the encrypted password and the unencrypted salts value in the database against the user.
5) Email the user the new (unencrypted) password.
Try reading this:
http://www.richardlord.net/blog/php-password-security
and this:
http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/
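As an added illustration of the five steps in the reply above (this is not code from the thread or from any of the posters), here is the same flow written for PHP 7+ with PDO prepared statements and password_hash(), which generates and embeds its own salt so no separate salt column is needed. The DSN and credentials, the users table with its id/email/password_hash columns, and the sender address are all assumptions. It also addresses the "no security surrounding the POST information" point: the e-mail address is validated before use, queries are parameterised, the new password goes only to the address already stored for that user (so the script cannot be pointed at arbitrary recipients), and the response is the same whether or not the address exists.

```php
<?php
// Added example (not the poster's code): the five-step reset flow from the
// reply above, for PHP 7+ with PDO and password_hash(). DSN, credentials,
// table/column names and the sender address are assumptions.
declare(strict_types=1);

function connectDb(): PDO
{
    // Assumed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4', 'username', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Step 1: take the e-mail address from the form and validate it before use.
function readEmailFromForm(array $post): ?string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Step 2: look the user up with a prepared statement (no string interpolation into SQL).
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3: generate a random password from the CSPRNG (URL-safe base64, 12 bytes -> 16 chars).
function generatePassword(int $bytes = 12): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Step 4: hash and store. password_hash() creates and embeds a per-password salt.
function storeNewPassword(PDO $pdo, int $userId, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
}

// Step 5: mail the new password to the address on record, never to an
// address the client supplied, so the script cannot be used to mail third parties.
function emailNewPassword(string $toOnRecord, string $plain): bool
{
    $from = 'noreply@example.com'; // assumed sender address
    $headers = "From: $from\r\nReply-To: $from\r\nContent-Type: text/plain; charset=UTF-8\r\n";
    $body = "Your password has been reset. Your new password is:\n\n$plain\n\n"
          . "Please change it after logging in.\n";
    return mail($toOnRecord, 'Your new password', $body, $headers);
}

function handleForgottenPassword(array $post): string
{
    // Same reply whether or not the address is registered: no user enumeration.
    $generic = 'If that address is registered, a new password has been sent to it.';
    $email = readEmailFromForm($post);
    if ($email === null) {
        return $generic;
    }
    $pdo = connectDb();
    $user = findUserByEmail($pdo, $email);
    if ($user === null) {
        return $generic;
    }
    $plain = generatePassword();
    storeNewPassword($pdo, (int)$user['id'], $plain);
    emailNewPassword($user['email'], $plain);
    return $generic;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo htmlspecialchars(handleForgottenPassword($_POST), ENT_QUOTES, 'UTF-8');
}
```

Note that the original script's `mysql_*` calls are replaced by PDO here: the `mysql` extension was removed in PHP 7, and prepared statements remove the need for manual escaping with mysql_escape_string.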
Posts: 9,791
Time spent in forums: 2 Months 3 Weeks 14 h 53 m 20 sec
Reputation Power: 6112
Quote:
For security reasons, password recovery forms should create a new password and send it to the user. The reason for this is that passwords should be encrypted in the database, and not readable. All the password recovery form should do is send your PHP page the email address or username (whatever the user uses to log in to the site). You should then generate a random password and new salts, store the new password and salts in the database and send the new password to the user.
Better yet, generate a one-time key which allows the user to change their password on the site. Many users won't change their password unless forced to, even if it's sitting in their inbox in plaintext.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin
"The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002
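As an added example of the one-time key approach suggested in the reply above (not code from the thread or its posters), the sketch below splits the reset into two requests: the first issues a single-use, time-limited token and mails a link containing it; the second verifies the token and lets the user set their own password. Only a SHA-256 hash of the token is stored, so a leaked password_resets table does not yield usable links. The DSN and credentials, the users and password_resets tables and their columns, the one-hour lifetime, the eight-character minimum and the reset URL are all assumptions.

```php
<?php
// Added example (not from the thread): one-time reset token flow for PHP 7+
// with PDO. DSN, credentials, table/column names, URL, token lifetime and
// password policy are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed policy: link valid for one hour

// Request 1: the user submits an e-mail address; issue a single-use token.
function issueResetToken(PDO $pdo, string $emailFromForm): void
{
    $email = filter_var($emailFromForm, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return;
    }
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return; // unknown address: say nothing, so addresses cannot be enumerated
    }
    // 32 random bytes from the CSPRNG; only the hash goes into the database.
    $token = bin2hex(random_bytes(32));
    $tokenHash = hash('sha256', $token);
    $expires = time() + TOKEN_TTL_SECONDS;

    // One outstanding token per user: any earlier one is replaced.
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = :id')->execute([':id' => $user['id']]);
    $ins = $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:id, :hash, :exp)');
    $ins->execute([':id' => $user['id'], ':hash' => $tokenHash, ':exp' => $expires]);

    $link = 'https://example.com/reset.php?token=' . $token; // assumed URL
    $from = 'noreply@example.com'; // assumed sender address
    $headers = "From: $from\r\nReply-To: $from\r\nContent-Type: text/plain; charset=UTF-8\r\n";
    $body = "To choose a new password, open this link within one hour:\n\n$link\n\n"
          . "If you did not ask for this, ignore this message.\n";
    mail($user['email'], 'Password reset', $body, $headers); // address on record, not the form value
}

// Request 2: the user follows the link and submits a new password; verify and consume the token.
function completeReset(PDO $pdo, string $token, string $newPassword): bool
{
    if (!ctype_xdigit($token) || strlen($token) !== 64 || strlen($newPassword) < 8) {
        return false;
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = :hash');
    $stmt->execute([':hash' => $tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return false; // unknown or expired token
    }
    // Password update and token deletion in one transaction: the token is
    // consumed exactly when the password changes, and can never be used twice.
    $pdo->beginTransaction();
    try {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $row['user_id']]);
        $pdo->prepare('DELETE FROM password_resets WHERE token_hash = :hash')->execute([':hash' => $tokenHash]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        return false;
    }
    return true;
}

// Minimal dispatch for both requests (assumed DSN and credentials).
$pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4', 'username', 'password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['token'], $_POST['password'])) {
    echo completeReset($pdo, (string)$_POST['token'], (string)$_POST['password'])
        ? 'Password updated.' : 'Invalid or expired link.';
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['email'])) {
    issueResetToken($pdo, (string)$_POST['email']);
    echo 'If that address is registered, a reset link has been sent to it.';
}
```

Compared with mailing a generated password, nothing secret that outlives the reset ever passes through e-mail: the token is useless once it has been used or has expired, and the password the user ends up with is one only they have seen.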