Validate user / update table

I have a simple reset password structure for users to update their existing passwords if lost. The user goes to a link where they enter their email, a token is created and stored in a designated table for the user with the forgotten password. An email is sent to the user with a link that has the token attached; when they hit that link it takes them to a page to reset their password. If the token stored in the db matches the one in the $_GET, I allow them to reset their password. Simple.

The problem is I can't update their specific row in the db. I am trying to identify them by checking the email they entered against their email in the db. I am able to update the WHOLE table's password row, but when I specify one user it fails.

if(isset($_POST['sub_settings'])){

    $query = "SELECT * FROM `Password_Reset` WHERE `token` = '".$token."' AND `email` = '".$user_email."'";
    $request = mysql_query($query,$connection) or die(mysql_error());
    $result = mysql_fetch_array($request);

    $token = $result['token'];
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $_POST['password']);
    $user_email = $result['email'];



    if($_GET['token'] == $token) {
        header("Location: index.php");
        exit;

    }else{

    if(empty($_POST['Password'])) {
        $valid = false;
        $error_msgs[] = 'Whoops! You must enter a password.';
    }

    if($_POST['Password'] != $_POST['passwordConfirm'] || empty($_POST['Password'])) {
        $valid = false;
        $error_msgs[] = "Your password entries didn't match...was there a typo?";
    }

    if($valid) {
        $query = "UPDATE `Users` SET `encrypted_password` = '$hashed_password' WHERE `Email` = '$user_email'";

        mysql_query($query,$connection);
    }


    }
}

Thanks so much in advance

It looks like you've not capitalized $_POST['Password']

$hashed_password = sha1($salt . $_POST['password']);

Based on your other code, it should be:

$hashed_password = sha1($salt . $_POST['Password']);

Also in your SELECT, you have email and in your UPDATE you use Email. MySQL is case-sensitive by default on non-Windows platforms.

Why don't you store the user id in the Password_Reset table and then update the user based on their id rather than trying to match their email?

Note that if you are trying to match the user's email, the email casing must match exactly with an '=' in the query. You could lowercase the email address but this is technically incorrect.

$query = "
    SELECT *
    FROM `Password_Reset`
    WHERE `token` = '".$token."' AND LOWER(`email`) = LOWER('".$user_email."')
";

It looks like you have $user_email in your first query but it's not set yet because you're setting it with the result of the first query. Unless you mean $_POST['user_email']?

It would be MUCH easier and more secure to use a user_id and only send the user a token if they are actually in your system (it appears you're sending everyone a token!)

Your token should be unique. It looks like it's completely random. A good way to make a token is to create a random string + something that uniquely identifies the user (such as their username or email) and then use MD5 or a similar function to hash it. It's reasonably secure and it identifies the user themselves so you can look them up by the token only.

 if($_GET['token'] == $token) {
        header("Location: index.php");
        exit;

Should be != I suppose. You need to check if the token is not equal to the token in the db. Isn't it?
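
The flow the answers suggest (key the reset row on a user id, issue a token only to known users, reject when the token does not match), as an added PHP example that is not code from the question or from any answer. It assumes PDO with an in-memory SQLite database in place of the mysql_* functions (removed in PHP 7), hypothetical columns user_id, token_hash and expires_at, and swaps in random_bytes, password_hash and hash_equals for the str_shuffle/sha1 approach.

```php
<?php
// Added example (not from the original post). Constructed schema: in-memory SQLite
// stands in for the page's MySQL `Users` and `Password_Reset` tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, Email TEXT UNIQUE, encrypted_password TEXT)');
$db->exec('CREATE TABLE Password_Reset (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO Users (Email, encrypted_password) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

// Issue a token only when the email belongs to a user; returns null otherwise.
function issue_reset_token(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT id FROM Users WHERE LOWER(Email) = LOWER(?)');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // unguessable value from the CSPRNG
    $db->prepare('REPLACE INTO Password_Reset (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + 3600]); // only a hash is stored
    return $userId . '.' . $token; // this string goes into the emailed link
}

// Redeem: the link identifies the user, so no email matching is needed.
function redeem_reset_token(PDO $db, string $linkToken, string $newPassword): bool {
    [$userId, $token] = array_pad(explode('.', $linkToken, 2), 2, '');
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM Password_Reset WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Reject on mismatch (the != case) or expiry, comparing in constant time.
    if (!$row || $row['expires_at'] < time() || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE Users SET encrypted_password = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM Password_Reset WHERE user_id = ?')->execute([$userId]); // single use
    return true;
}

$link = issue_reset_token($db, 'Alice@Example.com');          // known user, different casing
var_dump(issue_reset_token($db, 'nobody@example.com'));       // case: unknown email
var_dump(redeem_reset_token($db, $link . 'x', 'new-pass'));   // case: tampered token
var_dump(redeem_reset_token($db, $link, 'new-pass'));         // case: valid token
var_dump(redeem_reset_token($db, $link, 'again'));            // case: reuse of a spent token
```

Because every value reaches the database through a bound parameter, neither the token nor the email from the request is ever concatenated into the SQL text.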