TECH6.0

webwizzy · #1 11-04-2009, 09:46 PM

Part I - User Registration System Setup
Part II - Account Confirmation or Email Authentication

Part III - Forgot Password

Alright, so after finishing with the previous two tutorials, you might be interested in providing your users with a password reset feature, in case they forgot their password and are unable to login. We are going to deal with this now. You'll find it really easy if you understood the previous tuts. You should have the same database structure as described in Part I. Go through the code carefully.

1. First, we'll create a form where user will enter his registered email address which will be verified and a link to reset his password would be sent.

forgot.php

This is the HTML part that goes in forgot.php to setup our form. Optionally you can also validate the input field just like we did in Part I.

HTML Code:

<form name="forgotform" method="post" action="forgotprocess.php">
        <p>
          <input name="email" type="text" id="email" size="35">
        </p>
        <p>
          <input type="submit" name="Submit" value="Send Password" onClick="alert('Email would be validated and instructions would be sent. Do not forget to check your BULK folder and mark it as NO SPAM.')">
          <input name="ip" type="hidden" id="ip" value="<?php echo $_SERVER['REMOTE_ADDR'];?>" />
          <input name="todaysdate" type="hidden" id="todaysdate" value="<?php echo date("F j, Y");?>" />
        </p>
      </form> 
      
      <script language="JavaScript" type="text/javascript">
//You should create the validator only after the definition of the HTML form
var frmvalidator = new Validator("forgotform");
frmvalidator.addValidation("email","req","Please enter your Email Address !!");
frmvalidator.addValidation("email","email","Please enter a valid email address !!");
</script>

2. Next, this is the complete PHP code that would execute on submitting the above form.

forgotprocess.php

PHP Code:

  <?php require_once('connection.php');?>
<?php
//Connect to server and select databse.
mysql_select_db($database_vin_conn, $vin_conn);

// value sent from form
$email=$_POST['email'];
$ip=$_POST['ip'];
$todaysdate=$_POST['todaysdate'];
// table name
$tbl_name=registered_users;

$sql3="SELECT firstname, forgot_passcode FROM temp_data WHERE forgot_email='$email'";
$result3=mysql_query($sql3);
$count2=mysql_num_rows($result3);
if($count2==0){

// select firstname from table where e-mail = $email
$sql="SELECT firstname FROM $tbl_name WHERE email='$email'";
$result=mysql_query($sql);

// if found this e-mail address, row must be 1 row
// keep value in variable name "$count"
$count=mysql_num_rows($result);

// compare if $count =1 row
if($count==1){
$rows=mysql_fetch_array($result);
$firstname=$rows['firstname'];

$forgot_passcode = sha1(uniqid(rand()));

$sql2="INSERT into temp_data (firstname, forgot_passcode, forgot_email)VALUES('$firstname', '$forgot_passcode', '$email')";
$result1=mysql_query($sql2);

// ---------------- SEND MAIL FORM ----------------

// send e-mail to ...
$to=$email;

// Your subject
$subject="Action required for Forgot Password Request";

// From
$headers = 'from: MySite.com Support <noreply@mysite.com>' . "\r\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'Bcc: webmaster@mysite.com' . "\r\n";
$headers .= 'Return-Path: noreply@mysite.com' . "\r\n";
// Your message
$message="<html><head><center><img src=http://www.mysite.com/src/emaillogo.jpg></center></head><body>
<br><br><font size=2 face=Verdana>
Dear $firstname,
<br><br>
You have requested to reset your password on Mysite.com from IP address $ip. If you did not request this, please delete this email.
<br><br>
To reset your password, please visit the following URL:
<a href=http://www.mysite.com/reset_password.php?passkey=$forgot_passcode>http://www.mysite.com/reset_password.php?passkey=$forgot_passcode</a>
<br><br>
When you visit the above URL, your password will be reset, and the new password will be emailed to you.
<br><br>
The Admin,<br>
Mysite.com
<br><br>
<b>TimeStamp:</b> $todaysdate</font>
<br><br><br><hr><font size=1 face=Verdana>I hate spam as much as you do and really care for your privacy, view our <a href=http://www.mysite.com/privacy.php>Privacy Policy</a>.</font>
</body></html>";

// send email
$sentmail = mail($to,$subject,$message,$headers);
}

// else if $count not equal 1
else {
header('Location: forgot_invalidemail.php');  
exit;
}

// if your email succesfully sent
if($sentmail){
header('Location: forgot_linkmailed.php');  
exit;
}
else {
echo "Unable to complete Forgot Password Request. Please try again OR Contact Mysite.com";
}
}
// else if $count2 not equal to 0 which means user has already requested password reset earlier.
else{
$rows1=mysql_fetch_array($result3);
$firstname1=$rows1['firstname'];
$forgot_passcode1=$rows1['forgot_passcode'];
// ---------------- SEND MAIL FORM ----------------

// send e-mail to ...
$to=$email;

// Your subject
$subject="Action required for Forgot Password Request";

// From
$headers = 'from: MySite.com Support <noreply@mysite.com>' . "\r\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'Bcc: webmaster@mysite.com' . "\r\n";
$headers .= 'Return-Path: noreply@mysite.com' . "\r\n";
// Your message
$message="<html><body><head><center>
<img src=http://www.mysite.com/src/emaillogo.jpg>
</center></head>
<br><br><font size=2 face=Verdana>
Dear $firstname1,
<br><br>
You have requested to reset your password on Mysite.com from IP address $ip. If you did not request this, please delete this email.
<br><br>
To reset your password, please visit the following URL:
<a href=http://www.mysite.com/reset_password.php?passkey=$forgot_passcode1>http://www.mysite.com/reset_password.php?passkey=$forgot_passcode1</a>
<br><br>
When you visit the above URL, your password will be reset, and the new password will be emailed to you.
<br><br>
The Admin,<br>
Mysite.com
<br><br>
<b>TimeStamp:</b> $todaysdate</font>
<br><br><br><hr><font size=1 face=Verdana>I hate spam as much as you do and really care for your privacy, view our <a href=http://www.mysite.com/privacy.php>Privacy Policy</a>.</font>
</body></html>";

// send email
$sentmail1 = mail($to,$subject,$message,$headers);
if($sentmail1){
header('Location: forgot_linkmailed.php');  
exit;
}
else{
echo "Unable to complete Forgot Password Request. Please try again OR Contact Mysite.com";
}
}
// Written by webwizzy. Copyright tech6.com
?>

3. Notes:-

a) You'll notice the email part written twice in the code. This will take care of whether the user is requesting password reset for the first time, or has requested earlier too.
b) Replace mysite with your own site name.
c) Create file forgot_invalidemail.php with simple text saying Invalid Email or email does not exist in our registered users group.
d) Create file forgot_linkmailed.php with simple text saying Success: Password Reset link mailed.
e) I have added a Bcc header in the email so you (the admin) gets a copy of the mail too. This can help you know how many people how often are forgetting their password lol. You may remove it if you want.

webwizzy · #2 11-04-2009, 10:02 PM

4. So the user got the email with a password reset link. Now when he follows the link, reset_password.php is executed which updates his password in the table with a random password, as well as emails him the new temporary password.

reset_password.php

PHP Code:

  <?php require_once('connection.php');
?>
<?php
$colname_rsDisplay = "-1";
if (isset($_GET['passkey'])) {
  $colname_rsDisplay = $_GET['passkey'];
}
mysql_select_db($database_vin_conn, $vin_conn);

$ip=$_SERVER['REMOTE_ADDR'];
$todaysdate=date("F j, Y");

// Retrieve data from table where row that match this passkey
$sql1="SELECT * FROM temp_data WHERE forgot_passcode ='$colname_rsDisplay'";
$result1=mysql_query($sql1);

// If successfully queried
if($result1){

// Count how many row has this passkey
$count=mysql_num_rows($result1);

// if found this passkey in our database, retrieve data from table "temp_data"
if($count==1){
$rows=mysql_fetch_array($result1);
$email=$rows['forgot_email'];
$firstname=$rows['firstname'];

// Generating new random password
$random_password=sha1(uniqid(rand()));
$new_password=substr($random_password, 0, 8);
$encrypted_password=hash('sha256',$new_password);

// Updating the password in database with $encrypted_password
$sql2="UPDATE registered_users SET password = '$encrypted_password' WHERE email = '$email'";
$result2=mysql_query($sql2);

// ---------------- SEND MAIL FORM ----------------

// send e-mail to ...
$to=$email;

// Your subject
$subject="Password Request Confirmed !! Your login details here.";

// From
$headers = 'from: MySite.com Support <noreply@mysite.com>' . "\r\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'Bcc: webmaster@mysite.com' . "\r\n";
$headers .= 'Return-Path: noreply@mysite.com' . "\r\n";
// Your message
$message="<html><body><head><center>
<img src=http://www.mysite.com/src/emaillogo.jpg>
</center></head>
<br><br><font size=2 face=Verdana>
Dear $firstname,
<br><br>
As you requested, your password has now been reset. Your new login details are as follows:
<br><br>
<b>Email:</b> $email<br>
<b>Password:</b> $new_password
<br><br>
I recommend that you should login with the above details now and edit your password from Profile section.
<br><br>
The Admin,<br>
Mysite.com
<br><br>
<b>Your IP:</b> $ip<br>
<b>TimeStamp:</b> $todaysdate</font>
<br><br><br><hr><font size=1 face=Verdana>I hate spam as much as you do and really care for your privacy, view our <a href=http://www.mysite.com/privacy.php>Privacy Policy</a>.</font>
</body></html>";

// send email
$sentmail = mail($to,$subject,$message,$headers);
}

// else if $count not equal 1
else {
header('Location: forgot_invalidlink.php');  
exit;
}

// if your email succesfully sent
if($sentmail){
header('Location: forgot_success.php');
}
else {
echo "Unable to complete Forgot Password Request. Please try again OR Contact Mysite.com";
}
if($result2){

// Delete information of this user from table "temp_data" that has this passkey
$sql3="DELETE FROM temp_data WHERE forgot_passcode = '$colname_rsDisplay'";
$result3=mysql_query($sql3);
}
}
// Written by webwizzy. Copyright tech6.com
?>

5. Notes:-

a) Replace mysite with your own site name.
b) Create file forgot_invalidlink.php with simple text saying, Invalid Link followed, or the account is already activated.
c) Create file forgot_success.php with simple text saying, Password Successfully changed.

TaL · #3 12-05-2009, 10:29 PM

Nice job webwizzy

The only issue I have found so far is that privacy.php was not a file we made in the first part. The privacy policy was just part of register.php. I just copied my policy from register.php and pasted it into a privacy.php file and it seems to works fine.

Again....Good Job

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

TECH6.0

PHP User Registration System - Forgot Password