I am working on a "forgotten username" system. I'm using two forms on two different pages, so the code goes as follows:

recover_page.php:

    <form action="security.php" method="post" enctype="multipart/form-data">
      Please enter your email address:<br>
      <!-- the original had no echo here, so the field was always rendered empty -->
      <input type="text" name="email" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email']) : ''; ?>">
      <input type="submit" value="submit">
    </form>

its PHP code:

    <?php
    include "session.php";
    include "database/db.php";
    $mode_allowed = array('username','password');
    // Redirect when no mode is given OR the mode is not one we allow
    // (the original used &&, which let an unknown mode through).
    if(isset($_GET['mode']) === false || in_array($_GET['mode'],$mode_allowed)===false){
        header('location:index.php');
        exit();
    }
    ?>

now the second page (security.php):

    <form action="security.php" method="POST" enctype="multipart/form-data">
        <p> Answer this question </p>
        <?php
        // Look the question up once, keyed on the email posted from recover_page.php
        $security_question = mysql_query("SELECT `security_question` FROM `users` WHERE `email`='".mysql_real_escape_string($_POST['email'])."'");
        $array = mysql_fetch_array($security_question);
        ?>
        <select name="security_question">
            <option value="<?php echo htmlspecialchars($array[0]); ?>"><?php echo htmlspecialchars($array[0]); ?></option>
        </select> <br>
        <input type="text" name="answer"/> <br>
        <input type="submit" value="submit">
    </form>

its PHP code (this part checks whether the email exists in the database):

    <?php
    include "session.php";
    include "database/db.php";

    $mode_allowed = array('username','password');
    if(isset($_POST['email']) === true && empty($_POST['email']) === false){
        if(email_exists($_POST['email']) === false){
            echo "Sorry, we can't find this email";
            exit();
        }
    }
    ?>

This part looks up the answer in the database and compares it with the answer the user entered in the "answer" field:

    <?php
    echo "<input type='hidden' name='email' value=' '".$_SESSION['email']."' '>";
    if(isset($_POST['answer'])){
        $answer = $_POST['answer'];
        if(!empty($answer)){
            $sql = mysql_query("SELECT `username` FROM `users` WHERE `email` ='".mysql_real_escape_string($_SESSION['email'])."' AND `answer`='".mysql_real_escape_string($answer)."'");
            if(mysql_num_rows($sql) == 1){
                header('location:last.php?success');
                exit(); // stop here, otherwise the rest of the page is still sent after the redirect header
            }else{
                echo "Wrong answer";
            }
        }else{
            echo "<script type='text/javascript'>alert('you must answer this question');</script>";
        }
    }
    ?>

Now this works fine when I write the SQL statement without the hidden input, like this:

$sql = mysql_query("SELECT `username` FROM `users` WHERE `answer`='".mysql_real_escape_string($answer)."'");

And also, I can echo out $_SESSION['email'] and it gives me the right value of the hidden field. So why is the SQL unable to get this value?!

Mohammad99
  • Are you sure that email exists in your database? – Iqbal Malik Oct 02 '13 at 10:02
  • Not sure as this is difficult to follow, but I can't see anything that sets $_SESSION['email'], nor any form that has an answer field to be non-empty and allow it to get into the code to check the answer. Similarly it seems odd that you put out a form field in your script for the hidden email form in a section of code that appears to be processing the form put out on the previous page. – Kickstart Oct 02 '13 at 10:09
  • You should use PDO or MySQLi with prepared statements instead of the mysql_ functions, they've been deprecated. –  Oct 02 '13 at 10:17
  • Also you don't seem to be setting $email; to $_POST['email'] –  Oct 02 '13 at 10:19
  • @IqbalMalik Yes my brother, wallahy I am sure of it :) – Mohammad99 Oct 02 '13 at 10:20
  • @Kickstart I did that because I was trying every possible way to get the value of the "email" from the previous form – Mohammad99 Oct 02 '13 at 10:21
  • @Fred when I put $_POST['email']; the code simply doesn't run and I don't retrieve data from the database – Mohammad99 Oct 02 '13 at 10:23
  • Your previous form does not have email in it. If you need to carry it over from the first page then it needs to be passed over (probably in a hidden field). – Kickstart Oct 02 '13 at 10:23
  • @Kickstart still not working, my friend! – Mohammad99 Oct 02 '13 at 10:30
  • Can you modify the code posted to show what you are now doing? Also try putting print_r($_REQUEST); at the top of each script to see which form fields are arriving at that script. – Kickstart Oct 02 '13 at 10:32
  • @Kickstart I have written print_r($REQUEST); and yes it is showing me the email that was entered in the first form "email" field, but it is still not retrieving the data from the database. This is the only problem really; I am so sure of the database columns but I really don't know what's wrong! – Mohammad99 Oct 02 '13 at 10:39
  • @Kickstart btw I am so thankful for your effort to help, thank you really – Mohammad99 Oct 02 '13 at 10:40
  • I am struggling to follow your code more (as you have it currently there is nothing in the 2nd page to carry through the email field), so it would help if you updated your original post. However I would also suggest checking for leading or trailing white space around the field (ie, use the trim function). – Kickstart Oct 02 '13 at 10:52
  • 1
    @Kickstart i have seperated the two big php codes and put some comments to make it easier for u dear – Mohammad99 Oct 02 '13 at 11:08
  • In the line echo ""; you have a couple of extra quotes and spaces, and further as far as I can see that line to carry over the email is not within a form. – Kickstart Oct 02 '13 at 11:13
  • @Kickstart I am so sorry to be rude, can you edit this line for me and tell me which form I should add it to? – Mohammad99 Oct 02 '13 at 11:30
  • @Kickstart I am really thankful for you, man, I will keep working on it, I really want to thank you so much for what you have done for me. Please accept this online gift: www.quran.com – Mohammad99 Oct 02 '13 at 11:56

1 Answer

Editing the code for your last script (putting the code and the HTML together), something like this:

    <?php
    include "session.php";
    include "database/db.php";

    $Message = "";

    $mode_allowed = array('username','password');
    // The email now arrives in $_POST on both requests: from recover_page.php the
    // first time, and from the hidden field in the form below the second time.
    // (Trim it, in case of leading/trailing whitespace in the input.)
    $email = isset($_POST['email']) ? trim($_POST['email']) : '';
    if($email !== '')
    {
        if(email_exists($email) === false)
        {
            echo "Sorry, we can't find this email";
            exit();
        }
    }
    if(isset($_POST['answer']))
    {
        $answer = $_POST['answer'];
        if(!empty($answer))
        {
            // Use the posted email, not $_SESSION['email'], which nothing sets.
            $sql = mysql_query("SELECT `username` FROM `users` WHERE `email` ='".mysql_real_escape_string($email)."' AND `answer`='".mysql_real_escape_string($answer)."'");
            if(mysql_num_rows($sql) == 1)
            {
                header('location:last.php?success');
                exit();
            }
            else 
            {
                $Message = "Wrong answer";
            }
        }
        else
        {
            echo "<script type='text/javascript'>alert('you must answer this question');</script>";
        }
    }
    // Look the question up once for the form below
    $security_question = mysql_query("SELECT `security_question` FROM `users` WHERE `email`='".mysql_real_escape_string($email)."'");
    $array = mysql_fetch_array($security_question);
    ?>
    <form action="security.php" method="POST" enctype="multipart/form-data">
        <p> Answer this question </p>
        <select name="security_question">
            <option value="<?php echo htmlspecialchars($array[0]); ?>"><?php echo htmlspecialchars($array[0]); ?></option>
        </select> <br>
        <input type="text" name="answer"/> <br>
        <!-- carries the email over to the second request; echo was missing in the original -->
        <input type='hidden' name='email' value='<?php echo htmlspecialchars($email); ?>'>
        <input type="submit" value="submit"> 
        <?php if ($Message != '') echo "<br /> $Message";?>
    </form>
Kickstart