Forgotten Email Script

BenSeb

Hey

I'm new here, but wondered if anyone could take a quick look at the logic for my 'forgotten password' script. It has the following features:

Checks if password request has been made in the last 12 hours, if so logs but denies password
Emails the user their username, plus a randomly generated 'memorable' password
Allows the user to select a username if one does not already exist

As you can see, some of the 'venues' will not have a username and/or password, because we created some entries manually before the existance of such. So the script has to enable to user to amend these details securely. Thats what i'm worried about -- how easy is it to hack my script and gain access??????

<head>
<title>Forgotten Password</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="robots" content="noindex,nofollow" />
<link href="/guidestyle.css" rel="stylesheet" type="text/css" />
</head>
<? require("/home/user/public_html/whatson/db/connectguidedb.php");

// for security purposes we should only send to registered email address (stored in db)
// we also need to let them select username and password for ease of use. Perhaps send a link to their email account?

if ($_POST["sent"] == "true"){
$IP = $_SERVER["REMOTE_ADDR"];
if ($IP) {$HOST = gethostbyaddr($IP);}
$Datesub = Date("D M j G:i:s T Y");               

$EntID = $_POST["EntID"];
$success = 0; // fail-safe - track if we can send the password or not

//process form here -- check for exceeded requests (1 per 12 hours)
$strLatestReq = "SELECT DateStamp FROM PassRequest WHERE EntID = '$EntID' AND Success = '1' AND (Date_Add(DateStamp, INTERVAL 12 HOUR) > CURDATE())";
if (!@$RS_query = mysql_query($strLatestReq)) {exit("Could not execute query: " . mysql_error());}

if(mysql_num_rows($RS_query) >0){
 $success = 0;} else { $success = 1; }


// now see if we can proceed<br>


//ensure no more than 1 request per 12 hours
if ($success == 1){
$strGetUser = "SELECT username FROM Ent WHERE EntID = '$EntID'";
if (!@$RS_query = mysql_query($strGetUser)) {exit("Could not execute query: " . mysql_error());}
if($row = mysql_fetch_assoc($RS_query)){
extract($row);
}

// see if no username exists in database - if so, has one just been entered on form?
if (!$username){$username = mysql_escape_string($_POST["user"]);}

// if still no username, we should prompt for one
if (!$username){
echo <<<END
<FORM action="" method="Post">
As this is the first time you have requested a password, please select a username you would like to use. You can make this up .. it might be the name of your venue, or a memorable word.
<BR>username: <input name="user" type="text" size="15" maxlength="15">
<input type=hidden name='EntID' value='$EntID'>
<input type=hidden name='sent' value='true'>
<input name="Submit" type="submit" value="Get Password">
</FORM>
END;
exit; //stop processing

}

include("/home/user/public_html/promotion/password_generate.php");
$passwordgen = secure_password_generate();
$md5passwordgen = MD5($passwordgen);

$strUPDATE = "Update Ent Set password = '$md5passwordgen', username = '$username' WHERE EntID = '$EntID'";

if (!@$RS_query = mysql_query($strUPDATE)) {exit("Could not execute query. Please try again later");}

$strINSERT = "INSERT INTO PassRequest ( IP, EntID, Success )"
		." VALUES('$IP','$EntID', '$success')";

if (!@$RS_query = mysql_query($strINSERT)) {exit("Could not execute query: " . mysql_error());}


echo "Thanks, we will send you a new password.<BR><BR> If for any reason you do not receive an email within 2 hours, please email [email]info@domain.com[/email] for support";
$emailtxt = "Thank you for requesting your account details for domain.com Promotor Centre"
."\n\nYour Username is: $username"
."\nPassword is: $passwordgen"
."\n\nPlease logon at [url]http://www.domain.com/promotion/promotorlogon.php[/url]"
."\n\n\nThis password request was generated by : $IP ($HOST) on $Datesub";
mail($email,"Your Password for Skiddle.com Promotor Centre",$emailtxt);
unset($passwordgen);
}else{echo "<!--$strLatestReq-->Sorry, you have already requested a new password today. To ensure promotors do not receive too many emails from this system, there is a limit on the number of requests. Please email [email]info@domain.com[/email] if you still need a password";}

}else{


?>

<br> 
<form name="form1" method="post" action=""><br>
<input type="hidden" name="sent" value="true">
  <label for="select">Venue: </label>
    <select name="EntID" id="select">
  <? $sql = "SELECT EntID, Name, Town FROM Ent ORDER BY Name, Town";

if (!@$RS_query = mysql_query($sql)) {exit("Could not execute query: " . mysql_error());}

while($row = mysql_fetch_assoc($RS_query)){
extract($row);

echo "<OPTION VALUE='$EntID'>$Name [$Town]</OPTION>";
}
?>
 </select>
  <input type="submit" name="Submit" value="Get Password" id="Submit">
  <br>
  </label>
  <p>&nbsp;</p>

</form>

<? } ?>

planetsim

Well the best person to know is yourself. If you can hack it anyone can.. Now i didnt test it or anything.

But as your supressing errors (Using @)
Try and make an error handling thats nice and neat so you know where errors are.

Also a good way to see if its hackable

is in the top of the script use error_reporting(E_ALL);

It wont say.

This sucks as anyone could hack it. Just outputs errors (I guessed you gather that)

Now with that. Errors are holes and most hackers look for the holes in your script.

BenSeb

aaah cheers for that good idea

the only errors i get are:

Warning: Undefined index: user in /home/***/public_html/promotion/getpass.php on line 40

which basically refer to where i am using:

if ($_POST["sent"] == "true"){
...
}

i guess because the form was not submitted so that variable does not exist .. is there a safer way of checking if a form has been submitted, as a guess someone could forge the post headers quite easily. perhaps a host check as well.. or am i getting paranoid?

planetsim

in your case use isset()