Home/ Questions/Q 6848815
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T00:54:53+00:00

I’m working on a PHP page that allows the user to reset their password.

  • 0

I’m working on a PHP page that allows the user to reset their password. I have got to the point where a username is entered and an email is sent with a link to change the password.

However when I go to change the password I’m getting the following errors

Notice: Undefined index: email in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\reset-password.php on line 112

Notice: Undefined index: hash in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\reset-password.php on line 112

This is my code for reset-password.php…

<?php
$msg = "";

    // If user is visiting using the link provided in the email
    if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))
        {  
        $email = checkInput($_GET['email']); // Set email variable  
        $hash = checkInput($_GET['hash']); // Set hash variable  

        $search = mysql_query("SELECT email, hash FROM users WHERE email='".$email."' AND hash='".$hash."'") or die(mysql_error());  
        $match  = mysql_num_rows($search);  


        if($match > 0)
            {  
            // There is a match -> show change password form
            changePassForm();
            }
        else
            {  
            // No match -> dont show password form (invalid url)
            $msg .= '<div class="success" align="center">An email with a link to reset your password has been sent to your registered email account. Please click the link to reset your password.</div>';
            }  

        }
    // Else user is not visting from a link provided in an email.
    else
        // First check if user has already submitted form to send change password link
        {
        if(isset($_POST['submit-request']))
            {
            $username = checkInput($_POST['username']); 
            $query = "SELECT username FROM users WHERE username = '$username'";
            $result = mysql_query($query);
            $search = mysql_num_rows($result);
            // Checks if the username they entered exists - if so, call sendResetMail function. 
            if($search > 0)
                {
                $msg .= '<div class="success" align="center">An email with a link to reset your password has been sent to your registered email account. Please click the link to reset your password.</div>';  
                sendResetMail(); // Calls the sendMail function - sends the activation email to the user.
                }
            // Else username does not exist in database
            else
                {
                $msg .= '<div class="error" align="center">That username does not exist. Please try again.</div>';
                requestForgotPassEmail();
                }
            }
        // If user has not already submitted form, show them form.
        else
            {
            requestForgotPassEmail();
            $msg .= "request email";
            }
        }





    /* Initialize  empty containers for the errors */
    $rpnewpass_errors = "";
    $rpnewpasschk_errors = "";
    $msg = "";


    // If changePassForm has been submitted
    if(isset($_POST['submit-change']))
        {
        $newpass=isset($_POST['newpass']) ? checkInput($_POST['newpass']) : '';
        $newpasschk=isset($_POST['newpasschk']) ? checkInput($_POST['newpasschk']) : '';


        /* Checks all fields were entered */  
        if(!$_POST['newpass'] || !$_POST['newpasschk'])
            {
            $msg .= '<div class="error" align="center">You didn\'t a required field - please complete all the fields</div>';
            }

        else
            {
            /* Once all fields are entered - perform form validation */

            /* Checks the new password field is entered */      
            if(empty($newpass))
                {
                $newpass=false;
                $rpnewpass_errors .= "You didn't enter a new password";
                }

            /* Checks if the password contains at least 8 characters, lower/upper case letters and a number. */
            if(preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $newpass) === 0)
                {
                $msg .= '<div class="error" align="center">Password must be at least 8 characters and contain at least one lower case letter, one upper case letter and a number</div>';
                }

            /* Checks the verify new password field is entered */
            if(empty($newpasschk))
                {
                $msg .= '<div class="error" align="center">You didnt verify your new password.</div>';
                }

            /* Checks if the new password and verify new password match */
            if($newpass != $newpasschk)
                {
                $msg .= '<div class="error" align="center">Sorry, your passwords do not match.</div>';
                }

            /* Checks if all error containers are empty, then proceeds with password change */
            if(empty($rpnewpass_errors) && empty($rpnewpasschk_errors))
            {
            $query="SELECT username FROM users WHERE email = '$email' AND hash = '$hash'";
            echo $query; // for troubleshooting purposes, variables are echoing empty
            $result=mysql_query($query);
            $num=mysql_num_rows($result);

            if($num == 1)
                {
                $row=mysql_fetch_array($result);
                $md5newpass=md5($newpass);
                $query="UPDATE users SET password = '$md5newpass' WHERE username = '$row[0]'";
                $result=mysql_query($query);

                if(mysql_affected_rows() == 1) 
                    {
                    $msg .= '<div class="error" align="center">Your password has been changed successfully</div>';
                    }

                else
                    {
                    $msg .= '<div class="error" align="center">Your password could not be changed. Please try again</div>';
                    }
                    }
                else
                    {
                    $msg .= '<div class="error" align="center">Your username and password do not match our records</div>';
                    }
                }
            }
        }





?>

I guess I’m somewhere/somehow losing the GET variables from the link but not sure how I can get around this – its been a long day and I’ve been stuck on this for a while so apologies for any obvious mistake!

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You positive $email and $hash are set on this line?

        $query="SELECT username FROM users WHERE email = '$email' AND hash = '$hash'";
    echo $query; // for troubleshooting purposes, variables are echoing empty

    You set it here, but only in a conditional:

    if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))

    You should probably not tell the user if the username doesn’t exist, and also write the requests to a separate DB table based on a single token instead of relying on a get var for both email and hash. Just my opinion.

    • 0