Forgot Password Script PHP mysqli database

耶瑟儿~ 2021-02-11 11:35

Hi, I am trying to make a forgot password script and successfully completed it, but I am getting one problem. In forgot.php, when the user enters an email, the script checks the email

3 answers
  • 2021-02-11 12:04
    <?php
    if(isset($_GET['code'])) $acode = $_GET['code'];
    else die("No code!");
    
    $con=mysqli_connect("xxx","xxx","xxx","xxx");
    // Check connection
    if (mysqli_connect_errno()) {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
    } else {
        $acode = mysqli_real_escape_string($con, $acode);
        $query = mysqli_query($con,"select * from login where activation_code='$acode'")
        or die(mysqli_error($con)); 
        if(mysqli_num_rows($query) == 0) {
            echo "Wrong code";
            die();
        } elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
            $pass = mysqli_real_escape_string($con, $_POST['pass']);
            $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
            or die(mysqli_error($con)); 
    
            echo 'Password Changed';
        }
    }
    
    ?>
    
        <form action="resetpass.php?code=<?php echo urlencode($_GET['code']);?>" method="POST">
        <p>New Password:</p><input type="password" name="pass" />
        <input type="submit"  name="submit" value="Signup!" />
        </form>
    
    0 Discussion (0)
  • 2021-02-11 12:06

    I got a bug in resetpass.php

    You'll first have to use $_GET['code'] to get your activation code and store in a hidden field of

    Here is the modified code that should work.

    <?php
    
    if(isset($_POST['pass'], $_POST['code'])){
    
    $con=mysqli_connect("xxx","xxx","xxx","xxx");
    // Check connection and stop if it failed
    if (mysqli_connect_errno())
    {
    die("Failed to connect to MySQL: " . mysqli_connect_error());
    }
    // Escape both values before they are placed inside the SQL strings
    $pass = mysqli_real_escape_string($con, $_POST['pass']);
    $acode = mysqli_real_escape_string($con, $_POST['code']);
    
    $query = mysqli_query($con,"select * from login where activation_code='$acode'")
    or die(mysqli_error($con)); 
    
    if (mysqli_num_rows ($query)==1) 
    {
    $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
    or die(mysqli_error($con)); 
    
    echo 'Password Changed';
    }
    else
    {
    echo 'Wrong CODE';
    }
    }
    ?>
    
    <form action="resetpass.php" method="POST">
    <p>New Password:</p><input type="password" name="pass" />
    <input type="submit"  name="submit" value="Signup!" />
    <!-- Carry the code from the link into the POST; HTML-escape it before output -->
    <input type="hidden" name="code" value="<?php echo htmlspecialchars($_GET['code'] ?? '', ENT_QUOTES, 'UTF-8');?>" />
    </form>
    
    0 Discussion (0)
  • 2021-02-11 12:15

    You need to change the action from resetpass.php to resetpass.php?code=<?php echo $_GET['code'];?>

    Otherwise the code gets lost when you submit the form.

    For example: (Not bugfree!)

    <?php
    if(isset($_GET['code'])) $acode = $_GET['code'];
    else die("No code!");
    
    $con=mysqli_connect("xxx","xxx","xxx","xxx");
    // Check connection
    if (mysqli_connect_errno()) {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
    } else {
        $acode = mysqli_real_escape_string($con, $acode);
        $query = mysqli_query($con,"select * from login where activation_code='$acode'")
        or die(mysqli_error($con)); 
        if(mysqli_num_rows($query) == 0) {
            echo "Wrong code";
            die();
        } elseif (mysqli_num_rows ($query)==1 && isset($_POST['pass'])) {
            $pass = mysqli_real_escape_string($con, $_POST['pass']);
            $query3 = mysqli_query($con,"update login set Password='$pass' where activation_code='$acode'")
            or die(mysqli_error($con)); 
    
            echo 'Password Changed';
        }
    }
    
    ?>
    
        <form action="resetpass.php?code=<?php echo urlencode($_GET['code']);?>" method="POST">
        <p>New Password:</p><input type="password" name="pass" />
        <input type="submit"  name="submit" value="Signup!" />
        </form>
    

    But think about some things:

    • Your code is very insecure, better try uniqid(rand());
    • With this code it is possible that two entries got the same code
    • Somebody could try all code possibilities
    0 Discussion (0)
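
The reset flow from the answers above, written as an added example (not code from any of the posters) that addresses the points they raise: an unguessable single-use code, prepared statements instead of string-built SQL, and a hashed password. The `login` table and `Password` column come from the thread; the columns `Email`, `reset_token_hash` and `reset_expires` are assumptions, and the login script is assumed to check passwords with `password_verify()`.

```php
<?php
// Added example. Assumed schema: login(Email, Password VARCHAR(255),
// reset_token_hash CHAR(64) NULL, reset_expires DATETIME NULL).
// Email, reset_token_hash and reset_expires are hypothetical column names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Step 1 (forgot.php): create a code for the account with this e-mail address.
// Returns the code to put in the e-mailed link, or null if no account matched.
// Show the user the same message in both cases.
function issue_reset_token(mysqli $con, string $email): ?string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $hash  = hash('sha256', $token);      // only the hash is stored in the table
    $stmt  = $con->prepare(
        "UPDATE login SET reset_token_hash = ?, reset_expires = NOW() + INTERVAL 30 MINUTE
         WHERE Email = ?");
    $stmt->bind_param('ss', $hash, $email);
    $stmt->execute();
    return $stmt->affected_rows === 1 ? $token : null;
}

// Step 2 (resetpass.php): redeem the code and set the new password.
// One UPDATE checks the code, checks the expiry and clears the code, so a
// code works at most once even if two requests arrive at the same time.
function redeem_reset_token(mysqli $con, string $token, string $newPassword): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                     // not in the format issued above
    }
    $hash   = hash('sha256', $token);
    $pwHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt   = $con->prepare(
        "UPDATE login SET Password = ?, reset_token_hash = NULL, reset_expires = NULL
         WHERE reset_token_hash = ? AND reset_expires > NOW()");
    $stmt->bind_param('ss', $pwHash, $hash);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}
```

In resetpass.php the handler would call `redeem_reset_token($con, $_POST['code'] ?? '', $_POST['pass'] ?? '')` and print 'Password Changed' or 'Wrong code' depending on the result.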