PHP Forgot Password script

chrizlord · #1 Aug 24th, 2006, 06:14

Im a newbie in PHP programming can anybody help me, just a simple PHP forgot password script and PHP change password.. any idea

thanks

chrizlord

ukgeoff · #2 Aug 30th, 2006, 20:36

First off you should not be able to see the password because it's just that!

So if the user forgets their password, what you should do is generate them a new temporary login which they then use to set their new password.

A login script needs to process the form information, check the id and the MD5 hashed password against that held in the database and if they match, let the user in.

The change password script is almost identical except that you require the user to enter both the old and the new password. Only if the old password, when given the MD5 treatment, matches that held in the database, do you accept the new password, give it the MD5 treatment and store it in the database.

Lots of info can be found on http://php.net

softorigin · #3 Aug 31st, 2006, 02:37

Text deleted

Tim356 · #4 Aug 31st, 2006, 11:37

So extending on what ukgeoff had to say:

The forgot password script
A form where the user can enter their username and email, when submitted the username and email would be compared to what's in the database, if correct a new password would be set for them and sent to their email address. You could also have a field in the database to mark this password as temporary - so they have to change it as soon as they first login with it.

The change password script
A from with 3 fields - old password, new password and confirm new password. When submitted, the old password (which would be secure hash algorythm (sha 1)encrypted - 160-bit as opposed to md5's 128-bit, so harder to crack), would be compared with the password stored in the database - if passwords match then the 2 new passwords would be compared. If the 2 new passwords match, then the new password would be encrypted (sha 1 again) and stored in the database.

Let me know if you want examples.

chrizlord · #5 Sep 4th, 2006, 00:48

helo

good day thanks for reply guys i rely appreciate it... can u give me some examples for forgot password and change password...

thanks

AdRock · #6 Sep 14th, 2006, 22:10

This is my fogot password script.
The user has to enter their email address and a new password is generated and sent to their email address

PHP: Select all


<?php
session_start();  // Start Session
session_register("session");
// This is displayed if all the fields are not filled in
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";
// Convert to simple variables  
$email_address = $_POST['email_address'];
if (!isset($_POST['email_address'])) {
?>
<h2>Recover a forgotten password!</h2>
<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <p class="style3"><label for="email_address">Email:</label>
    <input type="text" title="Please enter your email address" name="email_address" size="30"/></p>
    <p class="style3"><label title="Reset Password">&nbsp</label>
    <input type="submit" value="Submit" class="submit-button"/></p>
</form>
<?php
}
elseif (empty($email_address)) {
    echo $empty_fields_message;
}
else {
$email_address=mysql_real_escape_string($email_address);
$status = "OK";
$msg="";
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);
if (!stristr($email_address,"@") OR !stristr($email_address,".")) {
$msg="Your email address is not correct<BR>"; 
$status= "NOTOK";}

echo "<br><br>";
if($status=="OK"){  $query="SELECT email_address,username FROM users WHERE users.email_address = '$email_address'";
$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email_address;// email is stored to a variable
 if ($recs == 0) {  echo "<center><font face='Verdana' size='2' color=red><b>No Password</b><br> Sorry Your address is not there in our database . You can signup and login to use our site. <BR><BR><a href='http://www.jackgodfrey.org.uk/register'>Register</a> </center>"; exit;}
function makeRandomPassword() { 
          $salt = "abchefghjkmnpqrstuvwxyz0123456789"; 
          srand((double)microtime()*1000000);  
          $i = 0; 
          while ($i <= 7) { 
                $num = rand() % 33; 
                $tmp = substr($salt, $num, 1); 
                $pass = $pass . $tmp; 
                $i++; 
          } 
          return $pass; 
    } 
    $random_password = makeRandomPassword(); 
    $db_password = md5($random_password); 
     
    $sql = mysql_query("UPDATE users SET password='$db_password'  
                WHERE email_address='$email_address'"); 
     
    $subject = "Your password at www.yoursite.com"; 
    $message = "Hi, we have reset your password. 
     
    New Password: $random_password 
     
    http://www.yoursite.com/login
    Once logged in you can change your password 
     
    Thanks! 
    Site admin 
     
    This is an automated response, please do not reply!"; 
     
    mail($email_address, $subject, $message, "From: yoursite.com Webmaster<admin@jyoursite.com>\n 
        X-Mailer: PHP/" . phpversion()); 
    echo "Your password has been sent! Please check your email!<br />"; 
    echo "<br><br>Click <a href='http://www.yoursite.com/login'>here</a> to login";
 } 
 else {echo "<center><font face='Verdana' size='2' color=red >$msg <br><br><input type='button' value='Retry' onClick='history.go(-1)'></center></font>";}
}
?>

Here is my change password script

PHP: Select all


<?
session_start();
session_register("session");
//if(!isset($session['userid'])){
//echo "<center><font face='Verdana' size='2' color=red>Sorry, Please login and use this page </font></center>";
//exit;
//}
// This is displayed if all the fields are not filled in
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";
// Convert to simple variables 
$password1 = $_POST['password1']; 
$password2 = $_POST['password2'];
if (!isset($_POST['password1'])) {
?>
<h2>Change password! <? echo $_SESSION['email_address']; ?></h2>
<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <p class="style3"><label for="password1"">New password:</label>
    <input type="password" title="Please enter a password" name="password1" size="30"></p>
    <p class="style3"><label for="password2">Re-enter Password:</label>
    <input type="password" title="Please re-enter password" name="password2" size="30"></p>
    <p style="stext-align:left"><label for="submit">&nbsp</label>
    <input type="submit" value="Change" class="submit-button"/></p>
</form>
<?php
}
elseif (empty($password1) || empty($password2))  {
    echo $empty_fields_message;
}
else {
include 'includes/connection.php'; 
$db_password1=md5(mysql_real_escape_string($password1));
//Setting flags for checking
$status = "OK";
$msg="";
if ( strlen($password1) < 3 or strlen($password1) > 10 ){
$msg=$msg."Password must be more than 3 characters in length and maximum 10 characters in length<BR>";
$status= "NOTOK";}     
if (strcmp( $password1,$password2 ) !=0){
$msg=$msg."Both passwords do not match<BR>";
$status= "NOTOK";}     
if($status<>"OK"){ 
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("update users set password='$db_password1' where userid='$session[userid]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password for better security</font></center>". $password1;
}
}
}
?>

ukgeoff · #7 Sep 15th, 2006, 11:20

I think I tried to make the point before but I'll restate it.

Do not save passwords in an 'as is' format. Always use the crypt() function to create a one-way password. This is what you store.

When a person is required to enter a password, you take the password they have entered and the stored password, feed them into the crypt() function and if the value returned is the same as stored, then the password is valid.

If you want to send a temp password to someone who has forgotten theirs or is registering for the first time, here's the code I use. It generates an 8 character mix of upper and lowercase letters.

Code: Select all

            function genPswd() {
                for ($i=1; $i<=8; $i++) {
                   $goUpper = (rand(0,1) == 1);
                  $char = chr(rand(97, 122));
                  if ($goUpper){
                      $char = strtoupper($char);
                  }
                  $pass .= $char;
               }
               return $pass;
            }

AdRock · #8 Sep 15th, 2006, 11:55

I used md5 to encrypt my passwords so the user can choose their password and it gets encrypted to a 32 character length password which is still valid.

With my forgot password the user is sent new random password which they can change to one they can remember and it get's encrytped using md5

chrizlord · #9 Sep 19th, 2006, 09:20

hello gud day!

thank you adrock and ukgeoff for the reply it realy helps me alot ive an idea already..

have a nice day .. GOD BLESS

dhossai · #10 Apr 25th, 2007, 02:14

Hi adRock,

Thank you first for the scripts. It is the one that I was looking for but only little problem is that after receiving the mail with new password when user log on to the site with the new password, it says that it can not find the user with specified password. Any idea what it might cause. Does it has any thing to do with database field propery? Do I need to make that filed as md5. I tried though but it still did not work. Your response would be much appreciated.
Thanks again.

AdRock · #11 Apr 30th, 2007, 23:20

You need to change thge fields in your database

I will have a look at my database and see what fields are what and let you know.

What fields have you set up in your database so i can compare

dhossai · #12 May 1st, 2007, 00:19

But I think it is the login scripts that causing the trouble. Because it take the entered password from the user and does not convert to MD5 format when check with the database. So if you are so kind enough to post your login script so that I can get a better idea. I am posting my script see if you can find out any problem. But I am pretty sure it is my login scripts. I am giving it here.......

Code: Select all

include "include/session.php";
include "include/z_db.php";
//////////////////////////////

?>
<!doctype html public "-//w3c//dtd html 3.2//en">
<html>
<head>
<title>(Type a title for your page here)</title>
<meta name="GENERATOR" content="Arachnophilia 4.0">
<meta name="FORMATTER" content="Arachnophilia 4.0">
</head>
<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#800080" alink="#ff0000">
<?
$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);
if($rec=mysql_fetch_array(mysql_query("SELECT * FROM tbl_login WHERE userid='$userid' AND password = '$password'"))){
 if(($rec['userid']==$userid)&&($rec['password']==$password)){
  include "include/newsession.php";
            echo "<p class=data> <center>Successfully,Logged in<br><br><a href='logout.php'> Log OUT </a><br><br><a href=welcome.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>";
     print "<script>";
       print " self.location='welcome.php';"; // Comment this line if you don't want to redirect
          print "</script>";
    } 
  } 
 else {
  session_unset();
echo "<font face='Verdana' size='2' color=red>Wrong Login. Use your correct  Userid and Password and Try <br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
  
 }
?>

</body>
</html>

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Forgot password and Change password PHP script	Chono	PHP Forum	4	May 16th, 2008 09:13
Password script needs refining.	liwolfbyte	JavaScript Forum	4	Sep 3rd, 2007 20:05
Best script to create users for password protected pages?	vandiermen	PHP Forum	3	Apr 23rd, 2007 12:22
PHP Forgot password script error	eddie	PHP Forum	4	Mar 4th, 2007 15:43
Looking for EASY password protect script	Lchad	PHP Forum	3	Jan 28th, 2007 00:54

		Webforumz.com > Main Forums > Program Your Website > PHP Forum
PHP Forgot Password script