With the help of srJJ I can now receive the password reset link in the mail.
http://example.com/login-system/reset.php?email=example%40gmail.com&key=523db8c57a3d17d0860fa705c4c24ec62efc0c68f2f1443e39938361424099f1
Despite the fact that the data is correct, it does not show me the form to enter the new password, showing me the following message.
¡Ingresó una URL inválida para restablecer la contraseña!
This is my file reset.php
<?php
session_start();
include "require.php";
if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email'])) {
    $email = $_GET['email'];
}
if (isset($_GET['key']) && (strlen($_GET['key']) == 64)) {
    $key = $_GET['key'];
}
if (isset($email) && isset($key)) {
    //$email = $con->escape_string($_GET['email']);
    //$key = $con->escape_string($_GET['key']);
    $active_defaul = 1;
    $stmt = $con->prepare("SELECT * FROM users WHERE email=? AND email_code=? AND active=?");
    $stmt->bind_param("ssi",$email,$key,$active_defaul);
    $stmt->execute();
    $stmt->store_result();
    //if ($result->num_rows == 0 )
    if ($stmt->num_rows>0) {
        echo "¡Ingresó una URL inválida para restablecer la contraseña!";
    } else {
        echo '
        <!DOCTYPE html>
        <html>
        <head>
        <title></title>
        </head>
        <body>
        <form action="reset_password.php" method="post">
        <label>New Password</label>
        <input type="password" name="password" autocomplete="off"/>
        <label>Confirm New Password</label>
        <input type="password" name="password_again" autocomplete="off"/>
        <input type="hidden" name="email" value="'.$email.'">
        <input type="submit" name="form_reset" value="Guardar contraseña" />
        </form>
        </body>
        </html>';
    }
} else {
    echo "¡Acceso denegado!";
}
?>
And this would be my file where the password will be sent, although it would be better to do it all in the same file reset.php
My file reset_password.php
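<?php
session_start();
include "require.php";
if (isset($_POST['form_reset'])) {
    // Note: only the posted email identifies the account here; the reset key is not re-checked.
    $email = $_POST['email'];
    $password = $_POST['password'];
    // PASSWORD_BCRYPT is the password_hash() algorithm constant (CRYPT_BLOWFISH belongs to crypt()).
    $hash_password = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $con->prepare("UPDATE users SET password= ? WHERE email=? OR username=?");
    $stmt->bind_param("sss", $hash_password,$email,$email);
    if($stmt->execute()){
        header("location: correcto.php"); // missing semicolon added
    } else {
        header("location: error.php");
    }
}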
I cannot check whether there are errors in reset_password.php because the file reset.php is not validating for me. I am working individually on the files; once I see that everything works, I will implement it with AJAX and then through jQuery or JavaScript I will avoid sending requests to the server with invalid data in the form.
As you already know, num_rows returns the number of rows that the query brought. By doing this:
you are implementing a backwards logic, because you tell the code: if the query returned any rows, say that the URL is invalid, when it should be the opposite: if the query returns rows, it is because it indeed found a valid URL.
Therefore, you can make a comparison based on
In any case, you should know that the best method to know if there are rows in a table with a certain criteria is COUNT, especially when the only thing you need in that context is to know if there is data or not. But you can go deeper into that when you solve your problem with logic :-)
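
The check the answer describes, as an added example that is not part of the original posts: a COUNT above zero means the link is valid, and the same check is repeated before the password is changed. It uses PDO with an in-memory SQLite table holding constructed sample data so it runs without the page's MySQL database; the function names and the clearing of email_code after use are assumptions, not the asker's code.

```php
<?php
// Constructed in-memory table standing in for the page's `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT, email_code TEXT, active INTEGER, password TEXT)');

$sampleKey = bin2hex(random_bytes(32)); // constructed 64-character key
$ins = $pdo->prepare('INSERT INTO users (email, email_code, active) VALUES (?, ?, 1)');
$ins->execute(['user@example.com', $sampleKey]);

// Hypothetical helper: true only when the (email, key) pair matches an active account.
function reset_link_is_valid(PDO $pdo, string $email, string $key): bool
{
    if (strlen($key) !== 64) {          // same length check as reset.php
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE email = ? AND email_code = ? AND active = 1'
    );
    $stmt->execute([$email, $key]);
    // A matching row means the link is valid; zero rows means it is not.
    return (int) $stmt->fetchColumn() > 0;
}

// Hypothetical reset_password.php side: re-check the key before changing the
// password and update only the row that the key belongs to.
function reset_password(PDO $pdo, string $email, string $key, string $newPassword): bool
{
    if (!reset_link_is_valid($pdo, $email, $key)) {
        return false;
    }
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    // Clearing email_code makes the link single-use (an addition, not in the page's code).
    $stmt = $pdo->prepare(
        'UPDATE users SET password = ?, email_code = NULL WHERE email = ? AND email_code = ?'
    );
    $stmt->execute([$hash, $email, $key]);
    return $stmt->rowCount() === 1;
}

var_dump(reset_link_is_valid($pdo, 'user@example.com', $sampleKey));          // link as mailed
var_dump(reset_link_is_valid($pdo, 'user@example.com', str_repeat('0', 64))); // wrong key
var_dump(reset_password($pdo, 'user@example.com', $sampleKey, 'N3w-passphrase'));
var_dump(reset_link_is_valid($pdo, 'user@example.com', $sampleKey));          // key after use
```

With mysqli the same SELECT COUNT(*) query works through prepare, bind_param and bind_result; for the POST side to re-check the key, the form in reset.php would also need to send it, for example as a hidden field.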