Database and Password Security for Web Applications - The Password Management Script (
Page 2 of 4 )
The password management script is responsible for retrieving and sending a password to a user. This happens when a registered user forgets his or her password and needs to be reminded of what the password was. The logic of the script is very simple; it presents the user with a form that takes the username and email address. It then checks to see if the user exists in the database. If the user does exist, it retrieves the password of the user and sends it to the user using the PHP mail() function.
<?
if(isset($_POST['key'])){
$errmsg=””;
$error=false;
//1. Check if form fields are filled in
if(!filledin($_POST)){
//print "Please enter your username and email.";
$errmsg=”Please make sure that all required form fields are filled in”;
$error=true;
}
//check that the username and email address is string
if( is_numeric($_POST['name']) && (is_numeric($_POST['email]))){
//print "Please enter a valid username and email address.";
$errmsg=" Please enter a valid username and email address.";
$error=true;
}
//Check if email address has correct format
if(!eregi("^[a-z0-9]+[a-z0-9_-]*(.[a-z0-9_-]+)*@[a-z0-9_-]+(.[a-z0-9_-]+)*.(
[a-z]+){2,}$", $_POST['email'])) {
$errmsg=" Please enter a valid email address.";
$error=true;
}
if(!$error){
$name=$_POST['name'];
$em=$_POST['mail'];
//2. Check if entered name exist
$query="Select pw from users where uname='$name'" or die(mysql_error());
$result= mysql_query($query);
if(mysql_num_rows($result)>0){
for ($i=0; $i<mysql_num_rows($result); $i++) {
$row = mysql_fetch_assoc($result);
$pass=$row['pw'];
$to="$emrn";
$from="From: admin@mysite.comrn";
$msg="Password:$passrn";
$msg .="Username:$namern";
$msg .="Please change your password as soon as you logonrn";
$subject="From Admin re:Your Login Passwordrn";
}
}else{
print "Your username is either spelled incorrect or does not exist, please try again";
exit;
}
//4. Send password to user
if(mail($to,$subject,$msg,$from)){
print "Your password has been sent to <b>$em</b>" ;
}else{
print "could not send email";
}
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/primary/Templates/was.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>WebSecure::Password</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/was.css" rel="stylesheet" type="text/css" />
</head>
<body>
<table width="99%" border="1">
<tr>
<td bgcolor="#333333" class="header">Web Secure</td>
</tr>
<tr>
<td><!-- InstanceBeginEditable name="main" -->
<form name="form1" method="post" action="../forgotten.php">
Please fill in the following:
<br>
<table width="445" border="0">
<tr>
<td width="187"><div align="left">Username</div></td>
<td width="242"><input name="name" type="text" size="40"></td>
</tr>
<tr>
<td><div align="left">Email <font color="#FF0000" size="2">(password will be sent to this email address)</font> </div> </td>
<td><input name="mail" type="text" size="40">
<input type="hidden" name="key" /></td>
</tr>
<tr>
<td> <input name="submit" type="submit"> </td>
<td></td>
</tr>
</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td class="copy">©2008</td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>
/ 4 
