After running the initial checks on the form values, the code gets to the most important bit of the program, which is to see if the user and email address actually exists in the database. Remember, anyone can enter any email address with the correct username and try to get the password sent to an email address that is not connected to the username. Therefore, in this program, we will guard against this tactic by checking (in the database) to see if the username and email address entered are connected:

if(!$err){

$cleanuname = mysql_escape_string($_POST['uname']);

$cleanemail = mysql_escape_string($_POST['email']);

$unamecheck = "SELECT email,name,sname FROM users WHERE username='".$cleanuname."' and email = '".$cleanemail."'";

$result=mysql_query($unamecheck);

$num=mysql_num_rows($result);

if($num > 0){

$row = mysql_fetch_assoc($result);

$thepass = $row['upass'];

$theName = $row['name'];

Once we’ve established that the password actually belongs to the person requesting it, we then proceed to create a email message, and send the password to the email address provided.

//build email headers

//this text will appear in the subject line of the email

$subject = "Project Management - Password Recovery";

//this is the recipient of the email

$to = $cleanemail;

//sender name

$from_name = "Project Management Application";

//sender address

$from_email = "website@mywebsite.com";

$headers = "From: " . $from_name . " <" . $from_email . ">";

//build message

$msg = "<html>

<head>

<title>Project Management</title>

<link rel='stylesheet' type='text/css' href='http://www.yourwebsitelocationhere.com/loginstyle.css'>

</head>

<body>

<table width='100%' border='0' cellspacing='0' cellpadding='0'>

<tr>

<td><p>Dear <b>".$theName."</b></p>

Below is the password you requested:<br />

<br />

<b>Password:</b> ".$thepass.";

</td>

</tr>

</table>";

$msg .= "</body>

</html>";

mail($to, $subject, $msg, $headers);

}else{

If the information that the user provides does not match up, we set the appropriate error message and display it in the password form.

$err=true;

$errmsg .="The information you entered is incorrect or does not exists. ";

}

}

}//end submit

Like the other forms, the password form allows a space on the form to display the error message. 

<?php if(isset($errmsg)){?>

<tr>

<td colspan="2" class="errmsg"><?php echo $errmsg; ?></td>

</tr>

<tr>

<td colspan="2">&nbsp;</td>

</tr>

<tr>

<?php

}

?>

Conclusion

That is all there is to the user authentication system for the project management application. I am sure there are some things that can be improved, and no doubt some of you will do so. We’ve covered a lot of ground in the last couple of articles dealing with user authentication and I hope that it will give some of you more ideas on how to make your login scripts more secure.