New to PHP here, so I apologize if the solution is super simple. I'm working on a password reset page; it will be the page the user lands on after clicking the email with the token. The issue is the form is not sending the value of $token, it's just sending the string.
<?php
if (isset($_GET["email"]) && isset($_GET["token"])) {
    $connection = new mysqli("localhost", "USER", "PASSWORD", "USERDB");
    $email = $connection->real_escape_string($_GET["email"]);
    $token = $connection->real_escape_string($_GET["token"]);
    $data = $connection->query("SELECT user_id FROM users WHERE user_email='$email' AND user_token='$token'");
    if ($data->num_rows > 0) {
        echo '<html>
<head>
<meta charset="UTF-8">
<title>Change Password</title>
<link rel="stylesheet" href="../css/style.css" media="screen" type="text/css" />
</head>
<body>
<div class="reset">
<h1>Password reset</h1>
<form action="anotherpage.php" method="POST">
<input type="password" name="pwd" placeholder="Password">
<input type="hidden" name="token" value="$token">
<input type="submit" name="submit" class="submit" value="Update">
</form>
</div>
</body>
</html>';
    } else {
        echo "Please check your link!";
    }
} else {
    header("Location: ../");
    exit();
}
?>
Just a piece of advice... don't echo the HTML tags... It's not a good practice... Instead of echo you can do this. And the token issue will be fixed like this.
<?php
if (isset($_GET["email"]) && isset($_GET["token"])) {
    $connection = new mysqli("localhost", "USER", "PASSWORD", "USERDB");
    // real_escape_string() escapes for the SQL string literals below only
    $email = $connection->real_escape_string($_GET["email"]);
    $token = $connection->real_escape_string($_GET["token"]);
    $data = $connection->query("SELECT user_id FROM users WHERE user_email='$email' AND user_token='$token'");
    if ($data->num_rows > 0) {
        // Leave PHP mode and send the form as plain HTML
?>
<html>
<head>
<meta charset="UTF-8">
<title>Change Password</title>
<link rel="stylesheet" href="../css/style.css" media="screen" type="text/css" />
</head>
<body>
<div class="reset">
<h1>Password reset</h1>
<form action="anotherpage.php" method="POST">
<input type="password" name="pwd" placeholder="Password">
<?php /* Encode the request-supplied token for the HTML attribute context */ ?>
<input type="hidden" name="token" value="<?php echo htmlspecialchars($_GET["token"], ENT_QUOTES, 'UTF-8'); ?>">
<input type="submit" name="submit" class="submit" value="Update">
</form>
</div>
</body>
</html>
<?php
    } else {
        echo "Please check your link!";
    }
} else {
    header("Location: ../");
    exit();
}
?>
It's sending the string $token because PHP will not parse variables in single quotes ('). You must use double quotes (") and then escape the other double quotes (using \) or use single quotes in your echoed code. You could also use
<input type="hidden" name="token" value="'.$token.'">
While the above would work, I recommend that you send the form code without the echo.
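The quoting behaviour both answers describe, together with the output encoding a request-supplied token needs before it goes into an HTML attribute, as an added example that is not part of either answer; the function names and sample tokens are constructed for illustration. `real_escape_string()` escapes for SQL, not for HTML, so the form output is encoded separately with `htmlspecialchars()`.

```php
<?php
// Added example: hypothetical helper names, constructed sample tokens.

// Single-quoted string: PHP does no variable interpolation, so the browser
// receives the literal text $token. This is the behaviour from the question.
function hidden_field_single_quoted(string $token): string
{
    return '<input type="hidden" name="token" value="$token">';
}

// Concatenation without encoding, as in value="'.$token.'": the value is
// inserted, but a double quote inside it ends the attribute early.
function hidden_field_raw(string $token): string
{
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// Concatenation with output encoding: quotes and angle brackets become
// entities, so the whole value stays inside the attribute.
function hidden_field_encoded(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $safe . '">';
}

// Constructed sample values, not taken from the page.
$samples = [
    'typical hex token'            => 'a3f9c1d2e4b5',
    'value with quote and bracket' => 'ab"cd<ef',
];

foreach ($samples as $label => $token) {
    echo "== $label ==\n";
    echo 'single-quoted: ', hidden_field_single_quoted($token), "\n";
    echo 'raw concat:    ', hidden_field_raw($token), "\n";
    echo 'encoded:       ', hidden_field_encoded($token), "\n\n";
}
```

Run it with `php` on the command line and compare the three lines for the second sample: only the encoded form keeps the quote and bracket inside the `value` attribute.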