Larry Ullman's Book Forums


Hi
  I just want to say that your book and the code that you provide are absolutely great.  I am trying to get a small Web System coded using your scripts as templates.  For the most part I have had no real problems but I am getting over my head a bit.
  I am using your forgot_password.php script (16.10) and using it to send the user a password that I have chosen, rather than have them choose one.  As such I have done some modifications to the way it is done.  I have created a password table which has 4 columns. The first one being an autoincrement 'uniq_num', the second a password of my creation 'pass_orig', the third column 'pass_sha1' is a sha1 of the second row and finally a 'taken' which is numeric zero being not taken and 1 being taken.
  Your forgot_password.php uses the sha1 of whatever was entered by the user and this is my link between users and passwords tables.  If a sha1 from the users table exists and is the same as one in my passwords table then email them the retrieved real password.
The code:

<?php # Script 16.10 - forgot_password.php
// This page allows a user to reset their password, if forgotten.

require_once ('includes/config.inc.php'); 
$page_title = 'Forgot Your Password';
include ('includes/header.html');

if (isset($_POST['submitted'])) {
	require_once (MYSQL);

	// Assume nothing:
	$uid = FALSE;

	// Validate the email address...
	if (!empty($_POST['email'])) {
	
		// Check for the existence of that email address...
		$q = 'SELECT user_id FROM users WHERE email="'.  mysqli_real_escape_string ($dbc, $_POST['email']) . '"';
		$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
		
		if (mysqli_num_rows($r) == 1) { // Retrieve the user ID:
			list($uid) = mysqli_fetch_array ($r, MYSQLI_NUM); 
		} else { // No database match made.
			echo '<p class="error">The submitted email address does not match those on file!</p>';
		}
		
	} else { // No email!
		echo '<p class="error">You forgot to enter your email address!</p>';
	} // End of empty($_POST['email']) IF.
	
	if ($uid) { // If everything's OK.

		// Retrieve existing password:

		$p = 'SELECT pass FROM users WHERE email="'.  mysqli_real_escape_string ($dbc, $_POST['email']) . '"';
		$r = mysqli_query ($dbc, $p) or trigger_error("Query: $p\n<br />MySQL Error: " . mysqli_error($dbc));
		$s = mysqli_fetch_row($r);
		printf ("%s",$s[0]);
		$t = 'SELECT pass_orig FROM passwords WHERE pass_sha1="d702c2481758553e35dbcbdbd32c115963cde353"';
	//	$t = 'SELECT pass_orig FROM passwords WHERE pass_sha1=$s[0]';
		$u = mysqli_query ($dbc, $t) or trigger_error("Query: $t\n<br />MySQL Error: " . mysqli_error($dbc));
		
		$row = mysqli_fetch_row($u);
                    
		// Run Queries

                 if ($row)  { // If it ran OK.
		
			// Send an email:
			$body = "Your password to log into Linux-4-Life has been retrieved for you. It will be sent by separate Email. If you think your password may have been compromised, please change it using our appropriate link.";
			mail ($_POST['email'], 'Your retrieved item will be sent by separate Email.', $body, 'From: admin@linux-4-life.com');
			mail ($_POST['email'], 'As Discussed', $row[0], 'From: admin@linux-4-Life.com');
			
			// Print a message and wrap up:
			echo '<h3>Your password has been retrieved. You will receive the password at the email address with which you registered. Once you have logged in, you should protect the password in whatever way you find appropriate.</h3>';
			mysqli_close($dbc);
			include ('includes/footer.html');
			exit(); // Stop the script.
			
		} else { // If it did not run OK.
			echo '<p class="error">Your password could not be retrieved due to a system error. We apologize for any inconvenience.</p>';
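			mail ('admin@linux-4-life.com', 'We may have a problem in forgot_password.php', 'Password retrieval failed in forgot_password.php.', 'From: admin@linux-4-life.com'); // mail() takes the message body third and the headers fourth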
		}

	} else { // Failed the validation test.
		echo '<p class="error">Please try again.</p>';
	}

	mysqli_close($dbc);

} // End of the main Submit conditional.

?>

<h1>Retrieve Your Password</h1>
<p>Enter your email address below and your password will be sent to you.</p> 
<form action="forgot_password.php" method="post">
	<fieldset>
	<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" value="<?php if (isset($_POST['email'])) echo htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8'); ?>" /></p>
	</fieldset>
	<div align="center"><input type="submit" name="submit" value="Retrieve My Password" /></div>
	<input type="hidden" name="submitted" value="TRUE" />
</form>

<?php
include ('includes/footer.html');
?>

The line that works is line 39 while the one that doesn't is line 40.  How do I get the value 's[0]' to be properly interpreted and come from the table as opposed to having to enter it directly, as on line 39?  The // comments of course have to be removed to get the problem line (line 40) to be used. The echo statement gives the correct value but I cannot get it to use the first element of the array 's'.

  I have really struggled with this and can go no further until I resolve it. Thank you so much for any help you can provide.

Robert


Hello, and welcome to the forums.

Your problem on line 40 is that single quotes in PHP literally interpret everything.

As such, the string 'SELECT pass_orig FROM passwords WHERE pass_sha1=$s[0]' will be stored in the variable $t as follows:

'SELECT pass_orig FROM passwords WHERE pass_sha1=$s[0]'

That's right. It's exactly the same. All characters within single quotes are interpreted as simply literal characters without any special meaning. You can, however, use double quotes to resolve the issue.

With that said, printing out array values within quotes requires that you also wrap the array expression within a set of curly brackets. In other words, the following will work:

"SELECT pass_orig FROM passwords WHERE pass_sha1={$s[0]}"

Please let us know if you have any other questions.

Hi HartleySan

  Thank you so much.  I had to add the single quotes around the curly braces and it worked perfectly.  Thank you so much.

	//	$t = 'SELECT pass_orig FROM passwords WHERE pass_sha1="d702c2481758553e35dbcbdbd32c115963cde353"';
		$t = "SELECT pass_orig FROM passwords WHERE pass_sha1='{$s[0]}'";

:)

Robert

  • Upvote 1
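
Added example, not part of the original thread or the book's code: the email lookup from the script written with a mysqli prepared statement, so the value is bound rather than quoted into the SQL string, extended to a reset-token flow in which no retrievable password is stored or mailed. The password_resets table, the helper function names and the widened users.pass column are assumptions; $dbc is the connection the script above already opens.

```php
<?php
// Added example, not the book's or the poster's code. Assumes $dbc is the mysqli
// connection from the page's config, users.pass widened to VARCHAR(255), and a
// hypothetical password_resets(user_id INT, token_hash CHAR(64), expires_at DATETIME).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Prepare, bind, execute: values travel apart from the SQL text, no hand quoting.
function run_stmt(mysqli $dbc, string $sql, string $types, ...$args): mysqli_stmt {
    $stmt = mysqli_prepare($dbc, $sql);
    mysqli_stmt_bind_param($stmt, $types, ...$args);
    mysqli_stmt_execute($stmt);
    return $stmt;
}

// Return the first column of the first row, or null when no row matched.
function fetch_one(mysqli_stmt $stmt) {
    mysqli_stmt_bind_result($stmt, $value);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? $value : null;
}

function find_user_id(mysqli $dbc, string $email): ?int {
    return fetch_one(run_stmt($dbc, 'SELECT user_id FROM users WHERE email = ?', 's', $email));
}

// Create a one-hour, single-use token; only its SHA-256 digest is stored.
function issue_reset_token(mysqli $dbc, int $uid): string {
    $token = bin2hex(random_bytes(32)); // goes into the emailed reset link
    mysqli_stmt_close(run_stmt($dbc, 'INSERT INTO password_resets
        (user_id, token_hash, expires_at) VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 1 HOUR))',
        'is', $uid, hash('sha256', $token)));
    return $token;
}

// Redeem a token and store the user's new password with password_hash().
function redeem_reset_token(mysqli $dbc, string $token, string $new_pass): bool {
    $digest = hash('sha256', $token);
    $uid = fetch_one(run_stmt($dbc, 'SELECT user_id FROM password_resets
        WHERE token_hash = ? AND expires_at > NOW()', 's', $digest));
    if ($uid === null) return false; // unknown or expired token
    $del = run_stmt($dbc, 'DELETE FROM password_resets WHERE token_hash = ?', 's', $digest);
    $deleted = mysqli_stmt_affected_rows($del);
    mysqli_stmt_close($del);
    if ($deleted < 1) return false; // another request already used it
    $hash = password_hash($new_pass, PASSWORD_DEFAULT); // salted, slow hash
    mysqli_stmt_close(run_stmt($dbc, 'UPDATE users SET pass = ? WHERE user_id = ?', 'si', $hash, $uid));
    return true;
}
```

The token returned by issue_reset_token() is what gets emailed, inside a link to a page that calls redeem_reset_token(); login then has to check passwords with password_verify() instead of comparing SHA1 values.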