
Can someone please help me? My password reset form is a bit of a mess. I'm really new to PHP and MySQL, so please, please don't blame me for getting it wrong. But I really do need some help with it, please.

Basically it all works: it lets a user type in an email and then sends them a new password. (I haven't attached the send email/password bit of code because I don't need help with that bit.) The only problem is that it isn't checking the email. It's not checking whether the email exists in my database, and it lets a user type in any email they want. If they type an email that's not in the database, I want it to say "sorry, no email of that type exists" or something. I need to know how I can get it to check that the email the user types actually exists, and then say either that the email was sent or that there was a problem.

<?php
    $page_title = "Login";
    include('includes/header.php');
    include ('includes/mod_login/login_form2.php'); 

    if(!isset($_GET['err']) || isset($_GET['err'])=='') {
    $_GET['err'] = '0';
    }       
    ?>

    <?   
    $html_form = "<form name=\"forgotpasswordform\" action=\"sendpassword.php\" method=\"post\">
              <table border=\"0\" cellspacing=\"0\" cellpadding=\"3\" width=\"100%\">
                <tr>
                  <td width=\"15%\">Email Address:</td>
                  <td><input name=\"forgotpassword\" type=\"text\" value=\"\" id=\"forgotpassword\" size=\"30\"/></td>
                </tr>
                <tr>
                <td>&nbsp;</td>
                </tr>
                 <tr>
                  <td colspan=\"2\"><input type=\"submit\" name=\"submit\" value=\"Submit\" class=\"mainoption\" /></td>
                </tr>
              </table>
            </form>";


    if ($_GET['err'] == '1') { //error if message is not filled ?>

            <? echo $html_form; ?>

       <?

    } else if ($_GET['err'] == '2') { // error if email is not found

        ?>
            <h1>&nbsp;</h1>
            <p>
            Email Not Found!
            </p>
            <br />
        <?

    } else if ($_GET['err'] == '3') { // EMAIL SENT :D

         ?>
            <h1>&nbsp;</h1>
            <p>
            Thanks! Your new password has been sent.
            </p>
            <br />
        <?

    } else if ($_GET['err'] == '0') { // otherwise print email form 
       ?>


            <? echo $html_form; ?>    


        <? 
    }

    ?>

Then we link to sendpassword.php:

<?php

/**
 * ShuttleCMS - A basic CMS coded in PHP.
 * Password Reset - Used for allowing a user to reset password
 * 
 * @author Dan <[email protected]>
 * @version 0.0.1
 * @package ShuttleCMS
 */
define('IN_SCRIPT', true);
// Start a session
session_start();

//Connect to the MySQL Database
include 'includes/_config/connection.php';


/*
 * Checks form field for email  
 */

if ($_POST['forgotpassword']=='') {
        header('Location: http://localhost/ptb1/recover_password.php?err=1');
}
if(get_magic_quotes_gpc()) {
        $forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword']));
} 
else {
        $forgotpassword = htmlspecialchars($_POST['forgotpassword']);

}


/*
 * Checks if the email exists
 */

$sql = "SELECT COUNT(*) FROM ptb_users WHERE email = '$forgotpassword'";
$result = mysql_query($sql)or die('Could not find member: ' . mysql_error());

if (!mysql_result($result,0,0)>0) {
    header('Location: http://localhost/ptb1/recover_password.php?err=2');
}
  • Bit of a mess is an understatement. Why are you doing it this way, which is full of extremely scary SQL injection bugs, instead of using a popular PHP framework? As a note, new applications should absolutely not use mysql_query because it's being removed in future versions of PHP and is very dangerous if not used correctly. Commented Feb 13, 2013 at 21:30
  • How is $_GET['err'] ever set, and why is it GET at all? Commented Feb 13, 2013 at 21:31

1 Answer

You're looking for something like this:

if(mysql_num_rows($result)) {
    // user found
} else {
    // no user found
}

Keep in mind your code is open to SQL injection and you shouldn't be using the mysql_ extension. Use PDO instead.


1 Comment

PDO is a whole ton better than mysql_query.
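
An added example (not part of the original answer or the asker's code) of the existence check done with PDO and a bound parameter, as the answer recommends. The function name `reset_status`, the in-memory SQLite database standing in for `includes/_config/connection.php`, and the sample addresses are assumptions; the table, column and `err` codes are the ones from the question.

```php
<?php
// Added example, not the asker's code. Codes follow recover_password.php:
// 1 = field empty, 2 = email not found, 3 = email found (send the password).
function reset_status(PDO $pdo, string $email): int
{
    $email = trim($email);
    if ($email === '') {
        return 1;
    }
    // The value is bound as a parameter, so a quote in it is data, not SQL.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM ptb_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    // COUNT(*) always yields exactly one row; the decision is its value.
    return ((int) $stmt->fetchColumn() > 0) ? 3 : 2;
}

// Constructed stand-in for the real connection: an in-memory SQLite table
// so the example runs offline (assumes the pdo_sqlite extension is loaded).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ptb_users (email TEXT)');
$pdo->prepare('INSERT INTO ptb_users (email) VALUES (?)')
    ->execute(["o'brien@example.com"]);

// Constructed inputs: empty, unknown, and a known address containing a quote
// that would break the string-concatenated query in sendpassword.php.
$inputs = ['', 'nobody@example.com', "o'brien@example.com"];
foreach ($inputs as $input) {
    printf("%-24s => err=%d\n", var_export($input, true), reset_status($pdo, $input));
}

// In sendpassword.php the result would drive the redirect. header() does not
// stop the script, so exit must follow it or the rest of the page still runs:
//   $code = reset_status($pdo, $_POST['forgotpassword'] ?? '');
//   header('Location: recover_password.php?err=' . $code);
//   exit;
```

Reporting `err=2` tells any visitor whether an address is registered; showing the same message for codes 2 and 3 avoids that.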
