One useful feature for our framework would be to allow our customers to easily reset their password or to send them notification of their username.
When a customer forgets their password, we can't just e-mail them a copy, because passwords are stored as a hash in the database. We also can't just reset the password, as fraudulent requests for new passwords would become a nuisance for customers.
The solution to this is to generate a password reset key when a customer informs us that they have forgotten their password. We then e-mail the customer a link to a "reset password" page, with the reset key in the URL. The reset key is used to verify the customer resetting the password is the owner of that user account.
Our users table already has a suitable field for this, pwd_reset_key; all we need now is the code!
This section of code simply creates a reset key for the user, and e-mails it to the customer, as part of a special URL the customer can use to reset their password.
```php
// Look up the customer by the e-mail address they entered
$email = $this->registry->getObject('db')->sanitizeData( $_POST['email'] );
$sql = "SELECT * FROM users WHERE email='{$email}'";
$this->registry->getObject('db')->executeQuery( $sql );
if( $this->registry->getObject('db')->numRows() == 1 )
{
    // Store a fresh reset key against the account
    $changes = array();
    $changes['pwd_reset_key'] = generatePasswordKey(8);
    $this->registry->getObject('db')->updateRecords('users', $changes, "email='{$email}'");
    // email the customer a link to
    // user/reset-password/userid-pwd_reset_key
}

// Build a random key of $length lower-case alphanumeric characters
function generatePasswordKey( $length = 8 )
{
    $characters = '0123456789abcdefghijklmnopqrstuvwxyz';
    $string = '';
    for ( $i = 0; $i < $length; $i++ )
    {
        // mt_rand()'s upper bound is inclusive, so the last valid index is strlen - 1
        $string .= $characters[mt_rand(0, strlen($characters) - 1)];
    }
    return $string;
}
```
This code would be part of the "reset password" page (which is accessed using the "reset password" URL). It splits part of the URL to extract the user ID and the password reset key. It then updates the user's password, provided the new password and its confirmation match and the reset key matches the one stored for that user ID.
```php
// The URL is user/reset-password/userid-key; split it into its two parts
$data = explode('-', $urldata[2]);
$userid = intval( $data[0] );
// The key comes from the URL, so it must be sanitized before it goes into the query
$key = isset( $data[1] ) ? $this->registry->getObject('db')->sanitizeData( $data[1] ) : '';
if( $key != '' && $_POST['new_password'] === $_POST['confirm_newpassword'] )
{
    $pwd = md5( $_POST['new_password'] ); // same hash format the framework stores for logins
    // The key must belong to the user ID given in the URL
    $sql = "SELECT * FROM users WHERE ID={$userid} AND pwd_reset_key='{$key}'";
    $this->registry->getObject('db')->executeQuery( $sql );
    if( $this->registry->getObject('db')->numRows() == 1 )
    {
        $changes = array();
        $changes['password'] = $pwd;
        $this->registry->getObject('db')->updateRecords('users', $changes, "ID=" . $userid);
        // e-mail customer confirmation?
    }
}
```
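The same two-step flow, written here as an added example rather than the framework's own code, with the properties a practitioner would want from a reset key: a CSPRNG-generated key, only its hash stored, a one-hour expiry, constant-time comparison and single use. It assumes an in-memory SQLite table standing in for the users table and that the framework's login would verify passwords with password_verify().

```php
<?php
// Added example, not the framework's code. Assumes an in-memory SQLite users
// table and a login path that checks passwords with password_verify().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, email TEXT, password TEXT,
            pwd_reset_key TEXT, pwd_reset_expires INTEGER)');
$pdo->exec("INSERT INTO users (email, password) VALUES ('alice@example.com', 'old')"); // constructed row

const RESET_KEY_TTL = 3600; // keys are valid for one hour

// Step 1: the customer submitted the "forgot password" form. Returns the plain key
// to embed in the e-mailed URL, or null. Show the same message to the user either way.
function issueResetKey(PDO $pdo, string $email): ?string {
    $stmt = $pdo->prepare('SELECT ID FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $key = bin2hex(random_bytes(16));                  // CSPRNG, not mt_rand()
    $stmt = $pdo->prepare('UPDATE users SET pwd_reset_key = ?, pwd_reset_expires = ? WHERE ID = ?');
    $stmt->execute([hash('sha256', $key), time() + RESET_KEY_TTL, $userId]); // store only a hash
    return $key; // e-mail as user/reset-password/{$userId}-{$key}
}

// Step 2: the customer followed the link and posted a new password.
function consumeResetKey(PDO $pdo, int $userId, string $key, string $newPassword): bool {
    $stmt = $pdo->prepare('SELECT pwd_reset_key, pwd_reset_expires FROM users WHERE ID = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['pwd_reset_key'] === null || $row['pwd_reset_expires'] < time()) {
        return false; // unknown user, no outstanding key, or key expired
    }
    if (!hash_equals($row['pwd_reset_key'], hash('sha256', $key))) { // constant-time compare
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET password = ?, pwd_reset_key = NULL,
                           pwd_reset_expires = NULL WHERE ID = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]); // key is single use
    return true;
}

$key = issueResetKey($pdo, 'alice@example.com');
assert(consumeResetKey($pdo, 1, 'wrong-key', 'hunter2') === false);
assert(consumeResetKey($pdo, 1, $key, 'hunter2') === true);
assert(consumeResetKey($pdo, 1, $key, 'again') === false); // already consumed
echo "reset flow ok\n";
```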
If a customer forgets their username, we will require them to enter their e-mail address into a reminder form. If they can't remember their e-mail address, there is little we can do automatically, but they could still get in contact and inform us of their delivery address or confirm some details from a recent order, should they need to.
```php
$email = $this->registry->getObject('db')->sanitizeData( $_POST['email'] );
$sql = "SELECT username FROM users WHERE email='{$email}'";
$this->registry->getObject('db')->executeQuery( $sql );
if( $this->registry->getObject('db')->numRows() > 0 )
{
    $data = $this->registry->getObject('db')->getRows();
    // send email to the customer, include their username
}
```