This question already has an answer here:
I am trying to implement a password reset functionality. Here is my code
index.php
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method = "POST">
<input type = "email" name = "recover_email" placeholder = "Enter Your Email Address" required/>
<input type = "submit" name= "recover" value = "Recover"/>
</form>
<?php
if(isset($_POST['recover']) && $_POST['recover'] == 'Recover'){
$email = $_POST['recover_email'];
$sql = $db->prepare("SELECT * from registered_users where email = ?");
$sql->bind_param("s",$email);
$sql->execute();
$sql = $sql->get_result();
if(($getRowCount = $sql->num_rows) == 1){
$rowName = $sql->fetch_assoc();
$code = rand(1000, 1000000);
mail();
$updateCode = $db->prepare("UPDATE registered_users SET passwordResetCode = ? where email=?");
$updateCode->bind_param("is",$code,$email);
$updateCode->execute();
$updateCodeResult = $updateCode->get_result();
}
}else if(!(($getRowCount = $sql->num_rows) == 1) && $email != ''){
//do something
}
}
?>
Email body being sent:
http://www.website.com/passwordreset.php?code=$code&email=$email
The mail, sql update and the link details are being sent fine.
Now I try to update the password clicking on the link on my next page.
passwordreset.php
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method = "POST">
<table cellpadding = "5%" style="width:70%">
<tr>
<td>
<input type = "password" id="newPassword" name = "newPassword" placeholder = "New Password" minlength="8" required />
</td>
</tr>
<tr>
<td>
<input type = "password" id= "confirmnewPassword" name = "confirmnewPassword" placeholder = "Confirm New Password" minlength="8" required />
</td>
</tr>
<tr>
<td>
<input type = "submit" name= "setNewPassword" value = "Set Password"/>
</td>
</tr>
</table>
</form>
<?php
if(isset($_GET['code'])){
$getEmail = $_GET['email'];
$getCode = $_GET['code'];
if(isset($_POST['setNewPassword']) && $_POST['setNewPassword'] == 'Set Password'){
$newPassword = $_POST['newPassword'];
$confirmNewPassword = $_POST['confirmnewPassword'];
if($newPassword == $confirmNewPassword){
$updatePassword = $db->prepare("UPDATE registered_users SET password = ?, re_password = ? where email = ? and passwordResetCode = ?");
$updatePassword->bind_param("sssi",$newPassword,$confirmNewPassword,$getEmail,$getCode);
$updatePassword->execute();
}else if($newPassword != $confirmNewPassword){
}
}
}
?>
If I remove all the $_GET functionality from this code, it works fine, but it seems that $_GET does not fetch my email and code from the url at all.
</div>