Forgot Password in Form Creator Form CMS
This script is called forgot-password_.php
The Forgot Password in Form Creator Form CMS script is one of a group of PHP scripts that handle both the administrative and end-user sides of a general-purpose HTML Form Creator, which supports not just input boxes but also select/option lists with multiple selection enabled. In addition to the expected editing scripts for both administrative and end-user functions, there is also a Search and Match script, so that users can find other users with various individual or group commonalities, including proximity searches (find all the users within various distances). There are even private messaging scripts.
Administrative HTML Form Creator Scripts
- HTML Form Creator
- Edit Options in HTML Form Creator Form
- Administrator Page for HTML Form Creator
End-User HTML Form Creator Scripts
- HTML Form Creator—Register with Captcha
- HTML Form Creator—View Profile
- HTML Form Creator—Edit Profile
- HTML Form Creator—Search and Match
- HTML Form Creator—Search and Match — Security
- HTML Form Creator—Search and Match — JavaScript
- HTML Form Creator—Search and Match — Form
- HTML Form Creator—Search and Match — PHP
- HTML Form Creator—Enter Record in Form
- HTML Form Creator—View Record in Form
- HTML Form Creator—Profile and Account Management
- HTML Form Creator—Login to Profile and Account Management
- HTML Form Creator—Logout of Profile and Account Management
- HTML Form Creator—Delete Group Account
- HTML Form Creator—Forgot User Name
- HTML Form Creator—Forgot Password
- HTML Form Creator—Form to Send Private Message
- HTML Form Creator—Send Private Message
- HTML Form Creator—Private Message Outbox
- HTML Form Creator—Private Message Inbox
- HTML Form Creator—Delete Private Message from Inbox
- HTML Form Creator—Delete Private Message from Outbox
- HTML Form Creator—Private Message Logout
- HTML Form Creator—Search and Match Session Monitoring
- HTML Form Creator—Configure File for Database Connection
- HTML Form Creator—Captcha Script for Registration and Login
The purpose of this script is to give a user who has forgotten the password in his user profile, and so cannot log in, a way to replace it.
First, we include the config.php script to ensure that our connection to our database is made correctly. This file contains the following code:
$theemailaddress = "yoursite@yoursite.com"; //EDIT ME
$roothostname = "localhost";
$theusername = "yourusername"; //EDIT ME
$thepassword = "yourpassword"; //EDIT ME
$thedatabasename = "yourdb"; //EDIT ME
mysql_connect($roothostname, $theusername, $thepassword) or die(mysql_error());
mysql_select_db($thedatabasename) or die(mysql_error());
We make our script a bit more secure by defining a named constant '_NODIRECTACCESS' before we include the config.php file (in the includes folder); config.php uses the PHP defined() function to check for this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.
We get the POSTed email address and stick it in the PHP variable $email. Then we make sure it is not too long or too short. If it is, we give them an alert and send them off to the registration script HTML Form Creator—Register with Captcha. Then we run a standard email validation script and if their email fails, we give them an alert and send them off to the registration script. This validator uses the preg_match() function, which performs a regular expression match on $email. We use the mysql_real_escape_string() function to make their input safe to use in a MySQL statement that searches for $email, since it escapes special characters in the string for use in our SELECT . . . WHERE SQL statements.
We use the mysql_num_rows() function to determine whether the email address we searched for in the MySQL database table was found, and, if not, we give the user an alert: "This email address does not exist. Please try again." If it is found, we use the mysql_fetch_array() function to get the results as an array and grab the contents of the username and email fields from it. We use these in the email described below.
We use the PHP function array_merge() to merge 3 arrays, which we build using the range() function, which creates an array with a specified range of elements. In this case, we want A to Z, a to z, and 0 to 9. Then we use the mt_rand() function and the count() function to loop through 8 iterations, getting random characters from the array, concatenating them together into a new password 8 characters long.
Next we use $o=make_salt();$h=z_____z();—functions from the config.php file—to create a salt, and then a hash. The hash is formed from the new salt and the new password (now in $P). Then we stick this new hash and this new salt into the record which has the email address entered in the form. We give the user an alert telling him the new password.
We put the user name and password in an email rather than looking them up for the visitor on the spot, because that is safer: the visitor may indeed know someone's email address, but that does not prove it is HIS email. We dispel doubts by sending the info, knowing that only the true owner of that email address will receive it. We have revealed a new password to this visitor, but not which user name it belongs to; that we do only in the email, whose owner may also need reminding of his user name.
It is obvious where the $email, $U and $E variables get their data, but not so obvious where $psbhostemailaddress comes from. It is defined in the config.php file (see Configure File for Database Connection) and is used as the From address in the email's headers. The variable has a weird name, but you can rename these PHP variables to your taste in the config.php file in the includes folder, as long as you are consistent and make the same change in the forgot-password and forgot-username scripts as well.
None of the variable names in config.php matters (except the email one): you may change them as long as both places they are used in the config.php script use the same name. The exception is the email address variable, which must be the same in config.php and in any other script that uses it; in our HTML form creator CMS system, that means only the forgot-password and forgot-username scripts. Note: do not use simple variable names like $p, $pp, $e, etc. in config.php, since they may already be in use elsewhere in our CMS system. Now it is obvious where $psbhostemailaddress comes from: us trying to avoid a variable clash.
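The steps above draw the new password from mt_rand(), which is not a cryptographic random source, and show it in an alert() to whoever submitted the form before it is mailed. As an added example, not part of the CMS, this PHP version of the look-up, generate and store step draws the password from random_int(), stores it with password_hash() (so no separate salt column is needed), binds the address with a prepared statement instead of mysql_real_escape_string(), and returns the new password to the caller for the mail step only. It assumes PDO with the SQLite driver and a constructed in-memory my_members table standing in for the MySQL one.

```php
<?php
// Added example, not the CMS's own code. Assumes PDO with the SQLite driver and a
// my_members table with username, email and password columns; the password column
// holds a password_hash() string, which carries its own salt, so no salt column.

// Same A-Z, a-z, 0-9 alphabet as the page's script, drawn from random_int() (a CSPRNG).
function generate_password(int $length = 8): string {
    $aZ09 = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));
    $P = '';
    for ($c = 0; $c < $length; $c++) {
        $P .= $aZ09[random_int(0, count($aZ09) - 1)];
    }
    return $P;
}

// Validate, look the address up with a bound parameter, store a new hash and hand
// back [username, password] for the mail step. Returns null for an invalid or
// unknown address; nothing is echoed, so the password never appears in the browser.
function reset_password(PDO $db, string $email): ?array {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT username FROM my_members WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $P = generate_password();
    $upd = $db->prepare("UPDATE my_members SET password = :hash WHERE email = :email");
    $upd->execute([':hash' => password_hash($P, PASSWORD_DEFAULT), ':email' => $email]);
    return [$row['username'], $P];
}

// Constructed in-memory table standing in for the MySQL my_members table.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE my_members (username TEXT, email TEXT, password TEXT)");
$db->exec("INSERT INTO my_members VALUES ('alice', 'alice@example.com', '')");

[$U, $P] = reset_password($db, "alice@example.com");
$stored = $db->query("SELECT password FROM my_members WHERE username = 'alice'")->fetchColumn();
// The stored bcrypt hash verifies against the password that would now be mailed to $U.
var_dump(password_verify($P, $stored));
// An address that fails validation is refused before any SQL runs; an unknown one after
// the SELECT. Both come back as null, so the caller's message cannot tell them apart.
var_dump(reset_password($db, "not an address"));
var_dump(reset_password($db, "nobody@example.com"));
```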
The form is standard stuff, and it contains a link to the page HTML Form Creator—Login to Profile and Account Management. The form's onsubmit event runs the JavaScript function validateemail(), which validates the email and refuses to submit the form if the email won't validate.
The script below is called: forgot-password_.php
<?php
// Define the guard constant before including config.php, which refuses direct requests.
define('_NODIRECTACCESS', TRUE);
include_once "includes/config.php";

if (isset($_POST['email'])) {
    $email = $_POST['email'];
    if (strlen($email) < 6 || strlen($email) > 65) {
        echo '<script language="javascript">alert("Please enter 6 to 65 characters for email address."); window.location = "register-with-captcha_.php";</script>';
    } else {
        if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {
            echo '<script language="javascript">alert("That email address is not valid."); window.location = "register-with-captcha_.php";</script>';
        } else {
            // Escape the address before it goes into the SQL statements below.
            $email = mysql_real_escape_string($email);
            if ($email <> "") {
                $check_user_data = mysql_query("SELECT * FROM my_members WHERE email = '$email'") or die(mysql_error());
                if (mysql_num_rows($check_user_data) == 0) {
                    echo '<script language="javascript">alert("This email address does not exist. Please try again.");</script>';
                    unset($email);
                } else {
                    $row = mysql_fetch_array($check_user_data);
                    $E = $row['email'];
                    $U = $row['username'];
                    // Build an 8-character password from A-Z, a-z and 0-9.
                    $aZ09 = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));
                    $P = '';
                    for ($c = 0; $c < 8; $c++) {
                        $P .= $aZ09[mt_rand(0, count($aZ09) - 1)];
                    }
                    // make_salt() and z_____z() come from config.php: a new salt, then the hash of $P with that salt.
                    $o = make_salt();
                    $h = z_____z();
                    $I = $_SERVER['REMOTE_ADDR'];
                    $D = date("d-m-Y");
                    $sql = "UPDATE my_members SET password='$h', ip='$I', signup_date='$D', salt='$o' WHERE email='$email'";
                    $res = mysql_query($sql);
                    if ($res) {
                        echo "<script language='javascript'>alert('Your new password is " . $P . "');</script>";
                        // Mail the details only when the record was actually updated.
                        $to = $email;
                        $subject = "Here are your login details . . . ";
                        $message = "This is in response to your request for login details as administrator of your group.\n\nYour User Name is " . $U . ".\n\nYour Password is " . $P . ".\n\nDon't give your password to anyone in your group, but do save it somewhere safe.\n\nRegards,\n\nthe management";
                        $headers = "From: " . $psbhostemailaddress . "\r\nReply-To: " . $email;
                        if (mail($to, $subject, $message, $headers)) {
                            echo "<center><font face='Verdana' size='2'><b><br><br><br><br><br>THANK YOU</b> <br>Your passwords are posted to your email address. Please check your mail soon.</font></center>";
                        } else {
                            echo "<center><font face='Verdana' size='2' color=red>There is some system problem in sending login details to your address. <br><br><input type='button' value='Retry' onClick='history.go(-1)'></font></center>";
                        }
                    } else {
                        $N = 1;
                        unset($email);
                        echo '<script language="javascript">alert("Entries were NOT made—something went wrong."); window.location="login_.php";</script>';
                    }
                }
            }
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Password Recovery—Forgotten Password</TITLE>
<meta name="description" content="Password Recovery—Forgotten Password">
<meta name="keywords" content="Password Recovery,forgot password,forgotten password,php,javascript, dhtml, DHTML">
<style type="text/css">
BODY {margin-left:0; margin-right:0; margin-top:0;text-align:left;background-color:#bbb}
p, li {font:13px Verdana; color:black;text-align:left}
h1 {font:bold 28px Verdana; color:black;text-align:center}
h2 {font:bold 24px Verdana;text-align:center}
h3 {font:bold 15px Verdana;}
.main {position:absolute;width:700px;top:150px;left:150px;padding:30px;text-align:left;border:8px groove blue;background-color:#ddd}
</style>
</HEAD>
<BODY>
<div class='main'>
<p><center><B><h2>Password Replacement—Forgotten Password</h2></B></center></p>
<form name="MyForm" method="POST" onsubmit="return validateemail()" action="forgot-password_.php">
<label for='email'><b>Email address: </b><input type="text" name="email" value="" size="30" maxlength='60'></label><br><br>
<center><input type="submit" value="Replace Forgotten Password"><br><br></center>
<center><input type="reset" value="Reset"><br><br></center>
<center><input type="button" value="Login" onClick="window.location='login_.php'"><br><br></center>
</form>
</div>
<script language="javascript">
function validateemail(){
var ck_email = /^[A-Za-z0-9-_]+(\.[A-Za-z0-9-_]+)*@([A-Za-z0-9-_]+\.)?([A-Za-z0-9-_]+(\.[A-Za-z]{2,6})(\.[A-Za-z]{2})?)$/;
if (document.MyForm.email.value.search(ck_email)==-1)
{alert("That email address is not valid.");return false}
return true}
</script>
</body></html>