mysql - Can't get simple (no encryption) php forgot password form to work


Well, I have been at a PHP/MySQL authentication system for weeks, piecing together tutorials and learning as I go. I am at the tricky part: the password forgot.php page. I have little experience with phpmail, and there seem to be quite a few things fundamentally wrong with the code.

First off, since I added the code with the phpmail info, the page is blank. When it was working, the page would go blank after the user hit submit. I am not sure what is keeping the form from displaying. Also, I am not sure if I am going at this correctly in terms of a working PHP password forgot email form.

Code on login.php:

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
username: <input type="text" name="username" /><br />
password: <input type="password" name="password" /><br />
remember me: <input type="checkbox" name="remember" /><br />

<input type="submit" name="submit" value="login" />
<a href="forgot.php">forgot password?</a>

<?php
session_start();
require_once("functions.php");
require_once("db-const.php");
require("class.phpmailer.php");

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

if (logged_in() == true) {
    redirect_to("profile.php");
}
?>
<html>
<head>
<title>forgot username or password?</title>
</head>
<body>

<h1>forgot username or password?</h1>

<p>please enter email address below.</p>
<form action="forgot.php" method="post">
email: <input type="text" name="email" />
<input type="submit" name="submit" value="submit" />
</form>
<?php

if (isset($_POST['submit'])) {
    ## connect to the MySQL server
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    # check connection
    if ($mysqli->connect_errno) {
        echo "<p>mysql error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }

    ## query database
    # fetch data from the MySQL database
    $sql = "SELECT email FROM users WHERE email LIKE '{$_POST['email']}' LIMIT 1";

    if ($result = $mysqli->query($sql)) {
        $user = $result->fetch_array();
    } else {
        echo "<p>mysql error no {$mysqli->errno} : {$mysqli->error}</p>";
        exit();
    }

    $mail = new PHPMailer();

    $mail->IsSMTP();  // telling the class to use SMTP
    $mail->Host     = "smtp.practice.com"; // SMTP server

    $mail->From     = "support@practice.com";

    $mail->Subject  = "login information";
    $mail->Body     = "hello, here login information. user name is: $username ,     password $password;"
    $mail->WordWrap = 50;

    if ($result->num_rows == 1) {
        echo "<p>login credentials have been sent <b>{$_POST['email']}</b></p>";
    } else {
        echo "<p>sorry, no user found email.</p>";
    }
}
?>
<a href="login.php">login</a> | <a href="register.php">register</a>
</body>
</html>

Sadly there's a lot wrong with the code, as others have pointed out.

  • You're creating the message before you know if the user exists.
  • You're vulnerable to SQL injection.
  • You're not sending the message (no call to $mail->send();).
  • You're using an old version of PHPMailer.
  • The message you're constructing contains the username and password the user submitted, not the username and password you got from the database.
  • I hope you're not keeping the password in plain text in the DB!
  • Blank screens usually mean PHP errors - call ini_set('display_errors', true);

In general you're reinventing the wheel and not gaining in the process. If you want a working auth system (and not a coding exercise), I suggest you take a look at the PHP Login project.
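The points in the answer above, worked into one handler as an added example (not code from the question, the answer, or the PHP Login project). It goes one step beyond the answer by mailing a single-use reset link instead of a stored password, and by giving the same reply whether or not the address exists. Assumptions: the `users` and `password_resets` tables, the `example.test` URL, the `$send` callback standing in for PHPMailer's `send()`, and PDO with in-memory SQLite standing in for MySQL so the script runs offline.

```php
<?php
// Added example. Table/column names, the reset URL and the $send callback
// are assumptions; in-memory SQLite stands in for the MySQL database.
declare(strict_types=1);

function request_password_reset(PDO $db, string $email, callable $send): string
{
    // Same reply whether or not the address is registered.
    $reply = 'If that address is registered, a reset link has been sent.';

    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return $reply;                     // no user: build and send nothing
    }

    // Random single-use token; only its hash is stored, no password is mailed.
    $token = bin2hex(random_bytes(32));
    $ins = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $ins->execute([$user['id'], hash('sha256', $token), time() + 3600]);

    // Message is built from the database row, then actually sent.
    $send($user['email'], 'https://example.test/reset.php?token=' . $token);
    return $reply;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.test')");

$outbox = [];
$send = function (string $to, string $link) use (&$outbox): void {
    $outbox[] = [$to, $link];              // stand-in for $mail->send()
};

request_password_reset($db, 'alice@example.test', $send);
request_password_reset($db, "nobody'@example.test", $send); // quote stays data, matches nothing
printf("mails queued: %d\n", count($outbox));
```

With mysqli the same lookup is `$mysqli->prepare()` followed by `bind_param('s', $email)` and `execute()`.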

