-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathreset-password-auth.php
65 lines (64 loc) · 2.76 KB
/
reset-password-auth.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<?php
/**
* reset-password-auth.php
* Script to authenticate password reset request.
* The script will check to see if the user with the given username or
* email exists in the database and produce appropriate error message if not.
* If the user exists, en email with the link to reset password is sent to
* the email address associated with the user account.
*/
include_once('db_connect.php');
$info = $_POST['username_or_email'];
$user = $db->prepare("SELECT * FROM user WHERE username=? OR email=?;");
$user->execute(array($info, $info));
session_start();
if ($user->rowCount() == 0) {
$_SESSION['no_account'] = true;
header("Location:password-reset.php");
exit(0);
}
//override previous password reset request if it is in database
$user = $user->fetch();
$userID = $user['id'];
$prev_request = $db->prepare("SELECT * FROM password_reset_auth WHERE user_id=?;");
$prev_request->execute(array($userID));
if ($prev_request->rowCount() > 0) {
$delete_prev_request = $db->prepare("DELETE FROM password_reset_auth WHERE user_id=?");
$delete_prev_request->execute(array($userID));
}
$unique = false;
while (!$unique) {
$auth = generateRandomString(32);
$auth_check = $db->prepare("SELECT * FROM password_reset_auth WHERE auth=?");
$auth_check->execute(array($auth));
$unique = $auth_check->rowCount() == 0;
}
$time = date('Y-m-d H:i:s');
$insert_reset_auth = $db->prepare("INSERT INTO password_reset_auth VALUES (?, ?, ?)");
$insert_reset_auth->execute(array($userID, $auth, $time));
sendResetEmail($user, $auth);
$_SESSION['reset_success'] = true;
header("Location:login.php");
function sendResetEmail($to_user, $auth_token)
{
$to_address = $to_user['email'];
$request_uri = $_SERVER['REQUEST_URI'];
$url_length = strlen($request_uri) - strrpos($request_uri, "/");
$url = "http://" . $_SERVER['SERVER_NAME'] . substr($request_uri, 0, $url_length) .
"/password-reset.php?auth=$auth_token"; //returns the current URL
$subject = "Password Reset: Rate my Professor";
$message = "<html>To initiate the password reset process for your Rate my Professor account, click on the link below:<br><br>" .
"<a href='$url'>$url</a><br><br>" .
"If clicking on the link above doesn't work, please copy and paste the URL in a new broswer window instead.<br><br>" .
"If you did not make the request, you can safely disregard this email. <br><br> Sincerely,<br>Rate my Professors Team </html>";
mail($to_address, $subject, $message, "Content-Type: text/html");
}
function generateRandomString($length = 10)
{
$alphanumeric = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $alphanumeric[rand(0, 61)];
}
return $randomString;
}