1

Ok, so I am sending a link to a user with parameters in the URL like so:

mydomain.com/home/[email protected]&token=85988817a21062f92016a7065c

The user clicks on the link and is taken to reset-password.php. On this page there are 3 fields: Password Confirm Password Math Captcha

I want to update the database with the new password the user submits based on the parameters in the URL. The problem i'm running into is, it is not updating the database with the new password.

Here is my reset-password.php code:

function checkDataValidity(){
if(empty($_POST['password'])){ 
    throw new Exception("Please enter a password."); 
} 
}   

function updateUserPassword($dbHandler) {


try {

    $salt     = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
    $password = hash('sha256', $_POST['password'] . $salt); 
    for($round = 0; $round < 65536; $round++){ 
        $password = hash('sha256', $password . $salt); 
    }

    $urlEmail = isset($_GET['email']) ? $_GET['email'] : '';
    $urlToken = isset($_GET['token']) ? $_GET['token'] : '';

    $query_params = array( 
        ':password' => $password, 
        ':salt' => $salt,
        ':emptyToken' => '',
        ':user' =>  $urlEmail,
        ':token' => $urlToken
    ); 

    $dbHandler->beginTransaction();
    $sql = "UPDATE users SET password = :password, salt = :salt, recovery = :emptyToken  WHERE username = :user AND recovery = :token";
    $stmt = $dbHandler->prepare($sql); 
    $result = $stmt->execute($query_params);
    $dbHandler->commit(); 

    } catch(Exception $dbException){
        $dbHandler->rollback();
        echo 'The following error occured: <br/>'.$dbException->getMessage();
    }

    return true;
}




require("config.php"); //connects to the database
if(!empty($_POST)){
try {
    checkDataValidity();
    $updatePassword = updateUserPassword($db);
    if($updatePassword){
        $message = "Success!";
    } else {
        $message = "Please try again.";
    }
} catch (Exception $e){
    echo 'The following error occured: <br/>'.$e->getMessage();
}   
}

I am not receiving any errors anymore, but I know it has somethins to do with this:

$urlEmail = isset($_GET['email']) ? $_GET['email'] : '';
$urlToken = isset($_GET['token']) ? $_GET['token'] : '';

If I replace this isset($_GET['email']) ? $_GET['email'] : '' with the actual email address in the database, everything works fine. Same thing with token.

So basically what I am trying to do is GET the email and token parameter out of the URL and use that in my sql query as seen above. So when the user submits their new password update the existing password for that user and remove the token from the DB.

Is there something wrong with my code above to GET the parameters in the URL and use that in my query?

Improve this question
16
  • Try debugging by outputting $_GET with echo "<pre>".print_r($_GET,true)."</pre>";. Commented Oct 14, 2014 at 18:47
  • Where does your form post to, the same url including the query string? You might want to add the query variables from the link as hidden form fields so they get POSTed as well and you can use $_POST for everything. Commented Oct 14, 2014 at 18:48
  • On another note, the recommend way to hash passwords is with password_hash(). Commented Oct 14, 2014 at 18:49
  • 2
    Shouldn't updateUserPassword($db) be updateUserPassword($dbHandler) - I didn't see anything assigned to $db. Commented Oct 14, 2014 at 18:50
  • 1
    Well, I see $_GET and I see $_POST. Wondering if your form's action is get/post, you might want to change your $_GETs to $_REQUEST. At this point, I don't know what else to say that will be of any further help. Commented Oct 14, 2014 at 19:02

1 Answer 1

Reset to default
1

The problem is the action attribute of your form. Based on your comment that is:

action="reset-password.php"

Note that there is no query string there, so when the form is posted, there will be no $_GET variables available.

There are 2 options to solve this:

  1. Do everything via POST; you would have to add two hidden form fields with the $_GET['email'] and the $_GET['token'] fields when you build your form:

    <input type="hidden" name="email" value="<?php echo $_GET['email']; ?>">
    <input type="hidden" name="token" value="<?php echo $_GET['token']; ?>">;

  2. Append the query string to the url you use in the action attribute:

    action="reset-password.php?email=<?php echo $_GET['email']; ?>&token=<?php echo $_GET['token']; ?>"

Note that you might need to (should, really...) escape the $_GET variables for use in html and a query string, but php has standard functions for that.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I was in the process of writing this haha. I did not have to append the query string to the url in the action attribute and everything worked! Do I still need to escape the $_GET?
@iamthestreets I always escape my data according to the medium I am outputting to but to be honest for your token it does not seem necessary and I don't know if an e-mail address can contain characters that would invalidate html or a url.
@iamthestreets Putting in an answer to the solution you found would have been nice. You are allowed to put in an answer of your own you know. This way, anyone who was interested in your question, including myself would have seen what the problem was.
I used @jeroen's answer. The only thing he would need to do is remove point number 2 as this is not needed.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.