Added discussion feature to site.
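<?php
// Password-reset page. The request form at the bottom submits to login_forget.php,
// and the request parameters select one of three steps:
//   1. no usable parameters          -> show the "enter your e-mail" form
//   2. ?email=...                    -> store a reset token for the account and mail a link
//   3. ?email=...&reset_hash=...     -> check the token, then accept a new password by POST
//
// Changes from the earlier version of this script:
//   - the password UPDATE is now bound to the reset token; before, any request that
//     merely carried a reset_hash parameter could change the password for any e-mail
//   - an empty reset_hash is rejected and the token is replaced once it has been used
//   - request values are kept raw and escaped per context (SQL, HTML attribute, URL),
//     instead of rewriting $_GET/$_POST with mysql_real_escape_string() and reusing
//     the result in HTML and in the password rules
//   - the token mixes in CSPRNG output when the runtime offers it
//   - the form action is relative, so the new password is posted over whatever
//     scheme the page was loaded with rather than a hard-coded http://
//
// NOTE(review): the listing this was reconstructed from had lost its brace-only
// lines; the nesting here is inferred. Confirm that a visit with no parameters
// is meant to show the request form.
// NOTE(review): the mysql_* API is kept because conn.php presumably opens that
// connection; it is not visible here. Moving to prepared statements means
// changing conn.php together with this file.

include("header.php");
include_once("conn.php");

/**
 * Build a 40-character hex token for the reset_hash column.
 *
 * @param string $seed Account-specific material mixed into the hash.
 * @return string sha1 hex digest.
 */
function login_forget_new_token($seed)
{
    $entropy = '';
    if (function_exists('random_bytes')) {
        $entropy = random_bytes(32);
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $entropy = openssl_random_pseudo_bytes(32);
    }
    // Without either source the token depends only on the seed and the clock,
    // which is what the script relied on before.
    return sha1($entropy . $seed . microtime());
}

// Raw request values. Array-valued parameters (email[]=x) are treated as absent.
$email          = (isset($_GET["email"]) && is_string($_GET["email"])) ? $_GET["email"] : null;
$reset_hash     = (isset($_GET["reset_hash"]) && is_string($_GET["reset_hash"])) ? $_GET["reset_hash"] : null;
$new_password_1 = (isset($_POST["new_password_1"]) && is_string($_POST["new_password_1"])) ? $_POST["new_password_1"] : null;
$new_password_2 = (isset($_POST["new_password_2"]) && is_string($_POST["new_password_2"])) ? $_POST["new_password_2"] : null;

// SQL-escaped copies, used only inside quoted SQL string literals.
$email_sql = mysql_real_escape_string((string) $email);
$hash_sql  = mysql_real_escape_string((string) $reset_hash);

// Query values are URL-encoded, then the whole URL is HTML-escaped for the attribute.
$form_action = htmlspecialchars(
    $_SERVER['PHP_SELF'].'?email='.urlencode((string) $email).'&reset_hash='.urlencode((string) $reset_hash),
    ENT_QUOTES,
    'UTF-8'
);

$login_form = '
<form action="'.$form_action.'" method="post">
<center>
<table>
<tr><td>new password:</td><td><input name="new_password_1" type="password"></td></tr>
<tr><td>new password (again):</td><td><input name="new_password_2" type="password"></td></tr>
<tr><td><input type="submit" value="Update"/></td><td></td></tr>
</table><br>
</center>
</form>';

// NOTE(review): rule 4 is shown to the user but nothing below enforces it.
$passwd_req = '
<ol>
<li>Passwords below must match.</li>
<li>Must be at least 5 characters long.</li>
<li>Must contain at least one number and one letter.</li>
<li>Must be different original password.</li>
</ol>
';

if($reset_hash !== null) {
    // Step 3: the link from the e-mail. The token must be non-empty and must
    // match exactly one account before anything else happens.
    $link_ok = false;
    if($email !== null && $email !== '' && $reset_hash !== '') {
        $sql = 'select count(*) from users where email="'.$email_sql.'" and reset_hash="'.$hash_sql.'"';
        $result = mysql_query($sql);
        $row = $result ? mysql_fetch_row($result) : false;
        $link_ok = ($row && $row[0] == 1); // user and hash correct
    }
    if(!$link_ok) {
        echo '<br><br><b>This password reset link is not valid.<br>Please request a new one.</b><br><br>';
        exit();
    }

    if($new_password_1 !== null && $new_password_2 !== null) {
        // Rules are applied to the password as typed, not to an escaped copy.
        if(strlen($new_password_1) < 5) {
            echo $passwd_req;
            echo $login_form;
            exit();
        }
        if($new_password_1 != $new_password_2){ // passwords not the same
            echo '<br><br><b>Passwords Not The Same<br>Please Try Again</b><br><br>';
            echo $login_form;
            exit();
        }
        if(!preg_match('/[a-zA-Z]/', $new_password_1)) {
            echo "No Letter found in password!";
            echo $passwd_req;
            echo $login_form;
            exit();
        }
        if(!preg_match('/[0-9]/', $new_password_1)) {
            echo "No Number found in password!";
            echo $passwd_req;
            echo $login_form;
            exit();
        }

        // NOTE(review): passwords are stored as unsalted SHA-1. The format is kept
        // because the login code that verifies it is not visible here; migrate both
        // sides to password_hash()/password_verify() together.
        $password_sql = mysql_real_escape_string($new_password_1);
        // The used token is overwritten with a fresh value that is never sent out,
        // so the mailed link works once.
        $spent_token = login_forget_new_token($email.$reset_hash);
        $sql = 'update users set password = sha1("'.$password_sql.'"), reset_hash = "'.$spent_token.'"'
             . ' where email="'.$email_sql.'" and reset_hash="'.$hash_sql.'"';
        $result = mysql_query($sql);
        if($result) {
            echo "Your Password Has Been Changed.<br><br><a href='login.php'>Click Here</a> to Login.";
        } else {
            echo '<br><br><b>This password reset link is not valid.<br>Please request a new one.</b><br><br>';
        }
        exit();
    } else {
        echo '<br><br>Please Create A New Password</b><br><br>';
        echo $login_form;
    }
    exit();
} else if($email !== null) {
    // Step 2: look up the account and mail a reset link.
    // NOTE(review): an unknown address falls through to the form while a known one
    // gets a confirmation, so the response reveals whether an account exists.
    $sql = 'select user_id, email, password, name, attempts, first_login, last_click, NOW() from users where email = "'.$email_sql.'"';
    $result = mysql_query($sql);
    $row = $result ? mysql_fetch_row($result) : false;
    if($row) { // user found
        // generating hash to send to user in an email at this address
        $sha = login_forget_new_token(implode('', $row));

        $sql = 'update users set reset_hash = "'.$sha.'" where email = "'.$email_sql.'"';
        $result = mysql_query($sql);

        if($result) {
            $subject = $_SERVER['SERVER_NAME']." Password Assistance";
            // NOTE(review): HTTP_HOST comes from the request's Host header, so the
            // requester influences the host in the mailed link. Take the site's base
            // URL from configuration instead; none is visible in this file.
            $message = "
A request has been made to reset the password for an account at this website.

Click the link below to reset your password.

http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']."?email=".urlencode($email)."&reset_hash=".$sha."

If clicking the link does not allow you access, you should be able to copy an paste it into your browser.";

            // WARNING: send message to user - do not display on screen
            // The recipient is the address stored for the account, not the request value.
            mail($row[1], $subject, $message);

            echo "A message sent to your e-mail address.<br><br>Please follow the directions contained inside to reset your password.";
            exit();
        }
    }
}
?>
<form action='login_forget.php' method="get">
<center>
Please enter your e-mail address for this account.<br><br><br>
We'll send you an e-mail with instructions on how to get logged in.<br><br><br>
e-mail:<input type="text" name="email"><br><br><br>
<button>Continue</button>
</center>
</form>
<?php

include_once("footer.php"); ?>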