This very same concept can be applied to password recovery. To illustrate how this
is accomplished, consider the revised logins table shown in Listing 14-11.
Listing 14-11. A Revised logins Table
CREATE TABLE logins (
   id TINYINT UNSIGNED NOT NULL AUTO_INCREMENT,
   email VARCHAR(55) NOT NULL,
   username VARCHAR(16) NOT NULL,
   pswd CHAR(32) NOT NULL,
   hash CHAR(32) NOT NULL,
   PRIMARY KEY(id));
Suppose one of the users found in this table forgets his password and thus clicks
the Forgot password? link, commonly found near a login prompt. The user will arrive
at a page in which he is asked to enter his e-mail address. Upon entering the address
and submitting the form, a script is executed similar to that shown in Listing 14-12.
Listing 14-12. A One-Time URL Generator
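<?php
// Assumes $db is an open mysqli connection (the mysql_* functions were removed in PHP 7)
// Create unique identifier: 32 hex characters from the CSPRNG, which fits CHAR(32)
$id = bin2hex(random_bytes(16));
// User's email address, rejected unless it is a well-formed address
$address = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if (! $address) {
   exit("Please enter a valid e-mail address.");
}
// Set user's hash field to a unique id, binding both values as parameters
$stmt = $db->prepare("UPDATE logins SET hash=? WHERE email=?");
$stmt->bind_param("ss", $id, $address);
$stmt->execute();
$email = <<< email
Dear user,
Click on the following link to reset your password:
http://www.example.com/users/lostpassword.php?id=$id
email;
// Email user password reset options
mail($address,"Password recovery","$email","FROM:services@example.com");
// Escape the address before writing it back into the page
$shown = htmlspecialchars($address);
echo "
Instructions regarding resetting your password have been sent to
$shown
";
?>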
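The issue-and-redeem round trip behind a one-time reset URL, as an added example that is not from the book. It uses the logins columns from Listing 14-11 in an in-memory SQLite database through PDO (an assumption; the book uses MySQL), and issueResetToken() and redeemResetToken() are hypothetical helper names. Redeeming a token clears the hash column, so a second use of the same URL is rejected.

```php
<?php
// Added example, not from the book: issue and redeem a one-time reset token.
// Assumption: PDO with the SQLite driver; an in-memory table stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE logins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email VARCHAR(55) NOT NULL,
    username VARCHAR(16) NOT NULL,
    pswd CHAR(32) NOT NULL,
    hash CHAR(32) NOT NULL)");
// Constructed sample row
$db->exec("INSERT INTO logins (email, username, pswd, hash)
           VALUES ('jason@example.com', 'jason', 'placeholder', '')");

// Hypothetical helper: store a fresh token for the address; null if no such user.
function issueResetToken(PDO $db, string $email): ?string
{
    $token = bin2hex(random_bytes(16));   // 32 hex chars from the CSPRNG, fits CHAR(32)
    $stmt = $db->prepare("UPDATE logins SET hash = :h WHERE email = :e");
    $stmt->execute([':h' => $token, ':e' => $email]);
    return $stmt->rowCount() === 1 ? $token : null;
}

// Hypothetical helper: consume the token and return the user id; null if it is unknown.
function redeemResetToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                      // also rejects '', so cleared rows never match
    }
    $db->beginTransaction();
    $stmt = $db->prepare("SELECT id FROM logins WHERE hash = :h");
    $stmt->execute([':h' => $token]);
    $id = $stmt->fetchColumn();
    if ($id !== false) {
        // Clear the token so the same URL cannot be replayed
        $db->prepare("UPDATE logins SET hash = '' WHERE id = :id")->execute([':id' => $id]);
    }
    $db->commit();
    return $id === false ? null : (int) $id;
}

$token = issueResetToken($db, 'jason@example.com');
var_dump(redeemResetToken($db, $token));         // first click on the link
var_dump(redeemResetToken($db, $token));         // same link used a second time
var_dump(issueResetToken($db, "x' OR '1'='1"));  // quote characters are bound as data
```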
When the user receives this e-mail and clicks the link, the script lostpassword.