Please close thx

Discussion in 'Programming' started by macstux, Aug 11, 2016.

Thread Status:
Not open for further replies.
  1. #1
    Hello,

    I was following this tutorial because I am trying to add a reset password to my member log in page. https://daveismyname.com/reset-password-script-bp

    Though when I follow the guide, I get an error for this line

    $pattern = '/^[^@]+@[^srn'";,@%]+$/';
    Code (markup):
    Is it on my end or in this line of code?

    Full script code found here as well.
    <?php
    //This code runs if the form has been submitted
    if (isset($_POST['submit']))
    {
    
    // check for valid email address
    $email = $_POST['remail'];
    $pattern = '/^[^@]+@[^srn'";,@%]+$/';
    if (!preg_match($pattern, trim($email))) {
      $error[] = 'Please enter a valid email address';
    }
    
    // checks if the username is in use
    $check = mysql_query("SELECT email FROM members WHERE email = '$email'")or die(mysql_error());
    $check2 = mysql_num_rows($check);
    
    //if the name exists it gives an error
    if ($check2 == 0) {
    $error[] = 'Sorry, we cannot find your account details please try another email address.';
    }
    
    // if no errors then carry on
    if (!$error) {
    
    $query = mysql_query("SELECT username FROM members WHERE email = '$email' ")or die (mysql_error());
    $r = mysql_fetch_object($query);
    
    //create a new random password
    
    $password = substr(md5(uniqid(rand(),1)),3,10);
    $pass = md5($password); //encrypted version for database entry
    
    //send email
    $to = "$email";
    $subject = "Account Details Recovery";
    $body = "Hi $r->username, nn you or someone else have requested your account details. nn Here is your account information please keep this as you may need this at a later stage. nnYour username is $r->username nn your password is $password nn Your password has been reset please login and change your password to something more rememberable.nn Regards Site Admin";
    $additionalheaders = "From: <user@domain.com>rn";
    $additionalheaders .= "Reply-To: noprely@domain.com";
    mail($to, $subject, $body, $additionalheaders);
    
    //update database
    $sql = mysql_query("UPDATE members SET password='$pass' WHERE email = '$email'")or die (mysql_error());
    $rsent = true;
    
    
    }// close errors
    }// close if form sent
    
    //show any errors
    if (!empty($error))
    {
            $i = 0;
            while ($i < count($error)){
            echo "<div class="msg-error">".$error[$i]."</div>";
            $i ++;}
    }// close if empty errors
    
    
    if ($rsent == true){
        echo "<p>You have been sent an email with your account details to $email</p>n";
        } else {
        echo "<p>Please enter your e-mail address. You will receive a new password via e-mail.</p>n";
        }
    
    ?>
    
    <form action="" method="post">
    <p>Email Address: <input type="text" name="remail" size="50" maxlength="255">
    <input type="submit" name="submit" value="Get New Password"></p>
    </form>
    Code (markup):
    Don't bash me too much, I am just trying to learn how to code. If there is another way or an easier way, to add a better reset password please let me know.
     
    macstux, Aug 11, 2016 IP
  2. Rob Whisonant

    #2
    Go back to the page you got the code from. In the comments they mention this problem and show you code to use instead.
     
    Rob Whisonant, Aug 11, 2016 IP
  3. macstux

    #3
    Wow, didn't think he would reply so fast. Thanks
     
    macstux, Aug 11, 2016 IP
  4. PoPSiCLe

    #4
    Not to be grumpy, but that script really isn't worth much in today's world. It uses outdated concepts, and mysql_ to connect to the database (a VERY outdated handler), which means it shouldn't be used at all.

    I would've given you a better example, but it's the middle of the night here, and what I've got, while better, is very much made especially for the page it's on, and would need a bit of tweaking before I could post it.

    Things to look into, though:

    Use either mysqli_ or PDO, and the OO-method, not procedural.
    Use prepared statements for doing DB-calls - that way you avoid a lot of the problems with SQL-injection, and get better security for your scripts. Also, it makes repeat DB-tasks a lot easier to maintain.
    Look into using proper salting and hashing of the password (md5 has been shunned for years)
    You should never provide a password via plain text - even one that is meant to be changed - instead of sending a new password, create a unique identifier, store it in the database, and send a link for the user to click with the identifier as a token - make the identifier impossible to guess - minimum 32 chars, randomized number/character pattern, with dashes, underscores etc. Also make it unique, so if it should happen that the generator spits out two identical strings, it will fail, and do it again.
    When the user uses the link with the identifier, you check that against the database, and if the email and identifier is the same, you allow the user to create a new password. That way, even if the user remembers the password after clicking the "forgotten password" link, it will still work, since it hasn't been changed yet.

    There are probably more problems with the script you have, but that's off the top of my head.
     
    PoPSiCLe, Aug 11, 2016 IP
    macstux likes this.
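
The flow outlined in post #4 (prepared statements, a proper password hash, and an e-mailed single-use token instead of a new password), as an added example that is not part of the thread or the linked tutorial. The `password_resets` table, the function names, the one-hour expiry and the in-memory SQLite database with its sample row are assumptions made for the demo; storing only a SHA-256 hash of the token goes slightly beyond what the post describes.

```php
<?php
// Constructed demo data: an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (email TEXT PRIMARY KEY, username TEXT, password TEXT)');
$db->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY, email TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO members VALUES (?, ?, ?)')
   ->execute(['alice@example.com', 'alice', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: create a reset token. Returns the token to put in the e-mailed link, or null.
function requestReset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT 1 FROM members WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null; // unknown address: nothing to send
    }
    // 64 hex characters from the CSPRNG; only its hash is stored.
    $token = bin2hex(random_bytes(32));
    // token_hash is the primary key, so a duplicate token makes this INSERT fail.
    $db->prepare('INSERT INTO password_resets VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $email, time() + 3600]);
    return $token;
}

// Step 2: the link was clicked. Check e-mail and token, then store the new password.
function completeReset(PDO $db, string $email, string $token, string $newPassword): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM password_resets WHERE token_hash = ? AND email = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), $email, time()]);
    if ($stmt->fetchColumn() === false) {
        return false; // wrong, expired or already used token: password stays unchanged
    }
    $db->prepare('UPDATE members SET password = ? WHERE email = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    // Single use: drop every outstanding token for this account.
    $db->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]);
    return true;
}

$token = requestReset($db, 'alice@example.com');
var_dump(completeReset($db, 'alice@example.com', 'wrong-token', 'n3w-passphrase')); // wrong token
var_dump(completeReset($db, 'alice@example.com', $token, 'n3w-passphrase'));        // correct token
var_dump(completeReset($db, 'alice@example.com', $token, 'another-passphrase'));    // spent token
```

At login, compare the submitted password against the stored value with `password_verify()` rather than re-hashing and comparing strings.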