Forgot Pass - Secret Question - PHP Server Side Scripting forum at WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

Forgot Pass - Secret Question

Small problem

Jeigh

1:26 am on Jul 21, 2007 (gmt 0)

I've been working on this script for a secret question for lost password, I think I've nearly got it done but I'm not sure how to do this bit, this is a section of the code::


$fanswerp = "SELECT * FROM users WHERE username='$reuser'";
$fanswerp2 = mysql_query($fanswerp);
while ($rqa = mysql_fetch_array($fanswerp2)){
$answer = $rqa['sanswer'];
}if($answer == '')
{
$answer = md5(rand(0,1000000));
}
 
 if($answer!= $attempt)
 {
 $form->setError($field, "* Secret answer incorrect, please try again $answer, $attempt<br />");
 }

So if the user has not set a secret question the answer will be md5(rand(0,1000000)); and if the answer stored in the database dosn't match the attempt then it will set the error. However since $answer is within the while statement $answer is blank when it is outside of there, however if I put the whole section of the code in the while statement it dosn't work.

Thank You,
Jeigh.

Gibble

2:27 am on Jul 21, 2007 (gmt 0)

Well, your while is looping through all the rows, then you're only performing your if statements on the last row. You 'should' only have one row returned, so it shouldn't matter, but really, that's not the ideal way to do this, it probably should be in the while statement.

Secondly, use an else since answer shouldn't be blank AND not equal to attempt...unless you're allowing them to use a blank answer as valid.

Are you SURE that $answer is being set in the while loop, have you checked it's value? And are you sure there's only one row being returned by your query?

Jeigh

2:42 am on Jul 21, 2007 (gmt 0)

I changed it to use else now:

if($answer == $attempt)
{
echo "Secret Question Correct";
}
else
{
$form->setError($field, "* Secret answer incorrect, please try again $answer, $attempt<br />");
}

and I tried echoing $result within the while statement and it was blank, what code would you suggest using to retrieve the answer? (I'm still rather new to PHP)

Thanks.

Gibble

2:47 am on Jul 21, 2007 (gmt 0)

Is your field name sanswer or SAnswer, etc.

Field names returned by fetch array are case-sensitive.

Gibble

2:49 am on Jul 21, 2007 (gmt 0)

Oh, and after you are done with $fanswerp2 don't forget to call mysql_free_result($fanswerp2) to clear your result set.

Jeigh

3:00 am on Jul 21, 2007 (gmt 0)

Just checked the colum and it is 'sanswer' I also have 'squestion' which I use on the form where they can see their Secret Question and answer it, and that works fine.

And with the mysql_free_result($fanswerp2) I would just use that after the if and else statement?

Thanks again.

Gibble

3:57 am on Jul 21, 2007 (gmt 0)

hmm...lets simplify things.

change your sql to
$fanswerp = "SELECT sanswer FROM users WHERE username='$reuser'";

and then use $rqa[0] instead.

Jeigh

4:23 am on Jul 21, 2007 (gmt 0)

I've got that section working now, It's getting the answer now but when I click on the submit button I get this error:

Secret Question Correct
Warning: Cannot modify header information - headers already sent by (output started at /home/graphics/public_html/process.php:192) in /home/graphics/public_html/process.php on line 228

I'm assuming this is because I have:

if($answer == $attempt)
{
echo "Secret Question Correct";
}

Just fixed that whilst I was posting this :P, I just had to change it back to:

if($answer!= $attempt)
{
$form->setError($field, "* Secret answer incorrect, please try again $answer, $attempt<br />");
}

Of course there is another problem though, now when I click submit it says "Username not entered". I'll post the entire code for that section if anyone wants to give it a quick look over, it'd be very much appreciated.

form:

<?
include("include/session.php");
if($_POST['user']){
$user = $_POST['user'];
$fquery = "SELECT * FROM users WHERE username='$user'";
$fquery2 = mysql_query($fquery);
while ($rq = mysql_fetch_array($fquery2)) {
$questionrow = $rq['squestion'];
}

/*$fanswer = "SELECT sanswer FROM users WHERE username='$user'";
$fanswer2 = mysql_query($fquery);*/
}
?>

include('headeruserinfo.php');
include('navigation.php');
include('content.php');

<?
/**
* Forgot Password form has been submitted and no errors
* were found with the form (the username is in the database)
*/
if(isset($_SESSION['forgotpass'])){
/**
* New password was generated for user and sent to user's
* email address.
*/
if($_SESSION['forgotpass']){
echo "<h1>New Password Generated</h1>";
echo "<p>Your new password has been generated "
."and sent to the email <br>associated with your account. "
."<a href=\"main.php\">Main</a>.</p>";
}
/**
* Email could not be sent, therefore password was not
* edited in the database.
*/
else{
echo "<h1>New Password Failure</h1>";
echo "<p>There was an error sending you the "
."email with the new password,<br> so your password has not been changed. "
."<a href=\"main.php\">Main</a>.</p>";
}

unset($_SESSION['forgotpass']);
}
else{

/**
* Forgot password form is displayed, if error found
* it is displayed.
*/
?>

<h1>Forgot Password</h1>
A new password will be generated for you and sent to the email address<br>
associated with your account, all you have to do is enter your
username.<br><br>
<? echo $form->error("user");?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="POST">
<b>Username:</b> <input type="text" name="user" maxlength="30" value="<? echo $form->value("user");?>" />
<input type="hidden" name="subforgot" value="1" />
<input type="submit" value="Get Secret Question">
</form>

<? if($_POST['user']){?>
<form action="process.php" method="POST">
<b>Username:</b> <input type="text" name="reuser" maxlength="30" value="<? echo $form->value("user");?>" />
Secret Question: <? echo $questionrow;?><br />
Secret Answer: <input type="text" name="secanswer" value="Enter Secret Answer..." /><br />
Note: Be careful of spelling.
E-mail:<input type="text" name="femail" />
<input type="hidden" name="subforgot" value="1">
<input type="submit" value="Send New Password" />
</form>
<?
}
}
?>

<?
include('endcontent.php');
include('advert.php');
include('footer.php');

process.php:

$fanswerp = "SELECT sanswer FROM users WHERE username='$reuser'";
$fanswerp2 = mysql_query($fanswerp);
while ($rqa = mysql_fetch_array($fanswerp2)){
$answer = $rqa[0];
}

/*if($answer == '')
{
$answer = md5(rand(0,1000000));
}*/

if($answer!= $attempt)
{
$form->setError($field, "* Secret answer incorrect, please try again $answer, $attempt<br />");
}

/* Errors exist, have user correct them */
if($form->num_errors > 0){
$_SESSION['value_array'] = $_POST;
$_SESSION['error_array'] = $form->getErrorArray();
}

/* Generate new password and email it to user */
else{
/* Generate new password */
$newpass = $session->generateRandStr(8);

/* Get email of user */
$usrinf = $database->getUserInfo($subuser);
$email = $usrinf['email'];

/* Attempt to send the email with new password */
if($mailer->sendNewPass($subuser,$email,$newpass)){
/* Email sent, update database */
$database->updateUserField($subuser, "password", md5($newpass));
$_SESSION['forgotpass'] = true;
}
/* Email failure, do not change password */
else{
$_SESSION['forgotpass'] = false;
}
}

header("Location: ".$session->referrer);
}