/**
 * Assign a fresh random key to this reset request.
 *
 * Draws a 20-character key from the project helper random_key() and keeps
 * redrawing while Reset_Password::is_random_key_being_used() reports that the
 * candidate is already taken, so the key stored on this object is unique at
 * the moment it is written.
 *
 * NOTE(review): this key is the only credential carried by the reset link, so
 * random_key() must be backed by a CSPRNG (random_bytes()/random_int()); its
 * implementation is not visible here — confirm.
 */
public function set_new_key()
{
    do {
        // Draw a candidate; loop back if the uniqueness check rejects it.
        $candidate = random_key(20);
        $this->random_key = $candidate;
    } while (Reset_Password::is_random_key_being_used($this->random_key));
}
// create the page $page = new Page(); $page->name = "Reset my Password"; // check to see if a user is already logged in if ($session->is_logged_in) { $session->message("You are already logged in! To use the Reset my Password feature, please logout first."); redirect_head(ROOT_URL); } //make sure the key is setup as a GET superglobal if (!isset($_GET['reset_key'])) { $session->message("You have a bad URL, please copy the correct URL."); redirect_head(ROOT_URL); } //at this point, we know there is a key set //now we need to make sure the key exists $the_key = Reset_Password::find_by_name($_GET['reset_key'], 'random_key'); if (!$the_key) { $session->message("You have a bad URL, please copy the correct URL."); redirect_head(ROOT_URL); } //at this point, we now know that there is a key entered //also, we now know that the key actually exists //so now, we need to do the following checks //1. Make sure that the request entered does not belong to a user who's deleted. //2. Make sure that the request entered is the latest request for that user. //3. Make sure that the request entered has not already been used. //4. Make sure that the request entered is less than 24 hours old. //check #1 if ($the_key->user_wk->is_deleted == '1') { $session->message("You cannot reset a password for a disabled account."); redirect_head(ROOT_URL);
// the user submitted the form if (isset($_POST["submit"])) { $found_user = User::find_by_name($database->escape_value($_POST['email_address']), 'email_address'); if ($found_user) { //the e-mail address was found //now we need to make sure it does not belong to an account that is deleted if ($found_user->is_deleted == '1') { $session->message("The account associated to that Email Address is disabled."); } } else { //the e-mail address is not associated with an account $session->message("The e-mail address you entered does not belong to an account."); } //only execute here if there was an account found, AND it is not soft-deleted if (empty($session->message())) { $new_request = new Reset_Password(); $new_request->set_new_key(); $new_request->user_wk = $found_user->user_wk; //save the record $new_request->save(); //send e-mail here //only if we're not in a local environment if (!$am_i_local) { $to = $found_user->email_address; $subject = "Password Reset Request"; $message = "\n\t\t\t\t<html>\n\t\t\t\t\t<head>\n\t\t\t\t\t\t<title>" . $subject . "</title>\n\t\t\t\t\t</head>\n\t\t\t\t\t<body>\n\t\t\t\t\t\t<p>Your username is: <strong>" . $found_user->username . "</strong></p>\n\t\t\t\t\t\t<p>Please the link below to reset your password. The link will be acive for 24 hours.</p>\n\t\t\t\t\t\t<p><a href=\"" . ROOT_URL . "reset_my_password.php?reset_key=" . $new_request->random_key . "\">" . ROOT_URL . "reset_my_password.php?reset_key=" . $new_request->random_key . "</a></p>\n\t\t\t\t\t</body>\n\t\t\t\t</html>\n\t\t\t\t"; // Always set content-type when sending HTML email $headers = "MIME-Version: 1.0" . "\r\n"; $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n"; // More headers $headers .= 'From: <support@pet_adoption.com>' . "\r\n";