I created a system for when the user forgets their password, but I have a doubt about one thing. HTML + PHP system:
<html>
<head>
<link rel="icon" href="favicon-16.png" sizes="16x16">
<link rel="icon" href="favicon-32.png" sizes="32x32">
<meta charset="UTF-8">
<title> ::RECUPERAR SENHA:: </title>
</head>
<body>
<link href="css/forget.css" rel="stylesheet">
<script type="text/javascript" src="js/knautiluzPassMathFramework.js"></script>
<script src='https://www.google.com/recaptcha/api.js'></script>
<div id="menu"></div>
<div id="resetSenha">Insira aqui o seu e-mail:</div>
<form name="botaoy" action="" method="post">
<br>
<input type="hidden" name="password" id="password" value="none"></input>
<br>
<input type="email" required placeholder="E-mail" name="emailReset" id="emailReset" pattern="[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,3}$">
<br>
<input type="text" required placeholder="USUARIO" name="usernameReset" title="No minimo 3, no máximo 10 letras MAIÚSCULAS" id="usernameReset" pattern="[A-Z]{3,}" maxlength="10"></input>
<br>
<input type="date" required name="birthdayReset" id="birthdayReset" min="1915-01-01" max="2006-01-01">
<div class="g-recaptcha" data-sitekey="6LeSEBwTAAAAAOD2kcTBvz8401DSvI5RTbtG79xK"></div>
<input onClick="knautiluzPassMathFramework();" type="submit" name="botaoy" id="gologin" value="⟳"/>
<br>
</form>
</body>
<footer></footer>
</html>
<?php
if(isset($_POST["botaoy"])) {
if (isset($_POST['g-recaptcha-response'])) {
$captcha_data = $_POST['g-recaptcha-response'];
}
if (!$captcha_data) {
echo "<span id=\"captchaError\">Complete o reCAPTCHA</span>";
return true;
}
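// siteverify answers with JSON, so decode it before reading "success"
$resposta = json_decode(file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=meucodigo&response=".urlencode($captcha_data)."&remoteip=".$_SERVER['REMOTE_ADDR']));
if ($resposta && $resposta->success) {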
require ("includes/connection.php");
require ("includes/start-session.php");
$email = mysqli_real_escape_string($mysqli, $_POST["emailReset"]);
$username = mysqli_real_escape_string($mysqli, $_POST["usernameReset"]);
$birthday = mysqli_real_escape_string($mysqli, $_POST["birthdayReset"]);
$password = mysqli_real_escape_string($mysqli, $_POST["password"]);
$sql = $mysqli->query("SELECT * FROM data WHERE email='$email'");
$get = $sql->fetch_array();
$db_email = $get['email'];
$db_username = $get['username'];
$db_birthday = $get['birthday'];
if ($email != $db_email || $username != $db_username || $birthday != $db_birthday) {
echo "<span id=\"msgOne\">Dados incorretos.</span>";
return true;
} else {
$sql = $mysqli->query("UPDATE data SET password = '".md5($password)."' WHERE email = '$email'");
$sendEmail = $mysqli->query("SELECT * FROM data WHERE email='$email'");
$row = $sendEmail->num_rows;
$get = $sendEmail->fetch_array();
$assunto = "Sua senha foi alterada!";
$emailz = $_POST["emailReset"];
$mensagem = 'Olá! alteramos sua senha temporariamente! Mude ela através do painel de usuário.<br>Sua nova senha é: '.$password.'';
$enviar = "$mensagem";
require ("includes/PHPMailerAutoload.php");
define('GUSER', '[email protected]');
define('GPWD', 'senha@exemplo');
function smtpmailer($para, $de, $de_nome, $assunto, $corpo) {
global $error;
$mail = new PHPMailer();
$mail->CharSet = 'UTF-8';
$mail->IsSMTP();
$mail->SMTPDebug =0;
$mail->SMTPAuth = true;
$mail->SMTPSecure = 'tls';
$mail->Host = 'meuhost';
$mail->Port = 0;
$mail->Username = GUSER;
$mail->Password = GPWD;
$mail->SetFrom($de, $de_nome);
$mail->Subject = $assunto;
$mail->Body = $corpo;
$mail->IsHTML(true);
$mail->AddAddress($para);
if(!$mail->Send()) {
$error = 'Mail error: '.$mail->ErrorInfo;
return false;
} else {
$error = 'Mensagem enviada!';
return true;
}
}
if (smtpmailer($emailz, '[email protected]', 'Knautiluz', $assunto, $enviar)) {
echo "<span id=\"msgTwo\">Senha alterada! Verifique seu e-mail com a nova senha.</span>";
return true;
} else {
if (!empty($error)) echo $error;}}}
}
?>
My question is: the new password will be generated by JavaScript when the submit button is clicked, and it will be stored in:
<input type="hidden" name="password" id="password" value="none"></input>
In place of "none", a password with lowercase letters, uppercase letters and numbers will be entered. This password will be picked up in PHP: $password = mysqli_real_escape_string($mysqli, $_POST["password"]);
And then it is sent to the user's email. Basic Print System:
The user who wants to reset the password will have to enter the email, username and date of birth. I still figured that a malicious user with this information could use an alert or another command to get the password generated in the password input field. Is it possible? Is there a better way than the input for me to store the generated password through JS?
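
Added example, not part of the original post: the hidden `password` field is filled in by the browser, so whoever submits the form controls its value. Generating the secret on the server removes that field entirely. The sketch below issues a one-time reset token in PHP instead of e-mailing a password. The `$row` array standing in for a row of the `data` table, the column names `reset_hash` and `reset_expires`, and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not the poster's code. $row stands in for one row of the
// `data` table; reset_hash / reset_expires are hypothetical columns.

const RESET_TTL = 900; // seconds a reset token stays valid (assumed value)

// Create the secret on the server. Nothing from $_POST is used, so the
// client-side hidden "password" field is no longer needed at all.
function issueResetToken(array &$row, int $now): string
{
    $token = bin2hex(random_bytes(32));             // CSPRNG, 256 bits
    $row['reset_hash']    = hash('sha256', $token); // store only the hash
    $row['reset_expires'] = $now + RESET_TTL;
    return $token; // goes into the e-mailed link, never into the page
}

// Check a token that came back through the e-mailed link and, if valid,
// set the password the user has just chosen.
function redeemResetToken(array &$row, string $token, string $newPassword, int $now): bool
{
    if (empty($row['reset_hash']) || $now > $row['reset_expires']) {
        return false;                               // never issued, or expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;                               // wrong token
    }
    // password_hash() here replaces the md5() call used in the post
    $row['password']      = password_hash($newPassword, PASSWORD_DEFAULT);
    $row['reset_hash']    = null;                   // single use
    $row['reset_expires'] = null;
    return true;
}

// Constructed demo data.
$row = ['email' => 'user@example.com', 'password' => '', 'reset_hash' => null, 'reset_expires' => null];
$now = time();

$token = issueResetToken($row, $now);
var_dump(redeemResetToken($row, str_repeat('0', 64), 'N3w-passphrase', $now));    // wrong token
var_dump(redeemResetToken($row, $token, 'N3w-passphrase', $now + RESET_TTL + 1)); // after expiry
var_dump(redeemResetToken($row, $token, 'N3w-passphrase', $now));                 // valid token
var_dump(redeemResetToken($row, $token, 'N3w-passphrase', $now));                 // second use
var_dump(password_verify('N3w-passphrase', $row['password']));
```

In the real page the two functions would read and write the row through `$mysqli` with prepared statements, and the e-mail would carry a link containing the token rather than a password.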