want to update password with url
#1

[eluser]imrul[/eluser]
I wrote a code for forgotten password. Everything is okay. I send an email to the user with a URL, but I can't edit the password with this URL. Please see my code and help me by giving me a solution.

Suppose I send a URL like http://localhost/ci/member/update/9122653566


Code:
public function update($pin)
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');

    $this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]');
    $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');

    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('form');
    }
    else
    {
        $data = array(
            'password' => $this->input->post('password'),
        );
        $this->db->where('pin', $pin);

        $this->db->update('users', $data);

        echo "You do it successfully";
    }
}

So what will be my controller?
#2

[eluser]TheFuzzy0ne[/eluser]
I see no reason why that shouldn't work, although I'm glad I'm not a user on your site, because I would be pretty pissed about you storing my password in plain text. :)

You could do with making your URLs a bit more secure, also, and then deleting the pin after the password has been updated. Otherwise you're going to have a large security hole in your app (even worse than storing passwords as plain text), where people could just set up scripts to run through a long sequence of pin numbers, which will allow them to change passwords to accounts that don't belong to them.

We can see what you're expecting to happen, but you haven't explained what is actually happening.
#3

[eluser]imrul[/eluser]
I know everything about the security hole. I know I need to delete the pin code.

I am now practicing. That's why I am not using filters, so there's no need to talk about this.

Here is my code, and I am now attaching an image. Can you help me find where my mistake is?
Code:
public function update($pin)
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');

    $this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]');
    $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');

    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('form');
    }
    else
    {
        $data = array(
            'password' => $this->input->post('password'),
        );
        $this->db->where('pin', $pin);

        $this->db->update('users', $data);

        echo "You do it successfully";
    }
}

}
#5

[eluser]TheFuzzy0ne[/eluser]
Now that's more like it! You didn't mention those errors previously, which is what I was trying to get you to explain. Now I see more clearly, what's happening. Let's fix those errors first, and then take it from there.

Since it's a public method, which is accessible by the outside world, you should specify a default value for every argument, just in case one isn't passed via the URL.

Code:
public function update($pin=FALSE)

After that, you'll need to check that an entry for that pin number exists in the database. If it doesn't, you need to tell the user that the code is invalid, or carry out some other action.

Code:
if ($this->db->where('pin', $pin)->count_all_results('users') == 0)
{
    show_error('Oh noes!');
}

then once validation has passed:

Code:
$this->db->where('pin', $pin)->update('users', array('password' => sha1($this->input->post('password'))));

-- BEGIN RANT --

I know you said this is a practice, but it makes sense to do it properly. Code defensively. If you don't, you're going to end up spending more time debugging your app chasing problems like this than you spend "practicing". Even if you didn't use a salt in your password hash, it would have taken you less time for you to type:
Code:
sha1($this->input->post('password'));

than it did for me to type my reply pointing out those security holes (which you already knew about!). At the very least, you could have mentioned that security wasn't an issue. Posting buggy code and asking for us to find the bugs, and then after someone has spent the time to reply, you say "oh, not those bugs, I already know about those.", is not helpful to anyone.

-- END RANT --

Hope this helps.
#6

[eluser]imrul[/eluser]
If you are talking about security for everyone, it's okay. I have nothing to say.

Now see my code. I used your formula. It shows me the success message, but it does not update my database.


Code:
public function update($pin=FALSE)
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');

    $this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]');
    $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required');

    if ($this->form_validation->run() == FALSE)
    {
        $this->load->view('form');
    }
    else
    {
        $this->db->where('pin', $pin);
        $query = $this->db->get('users');

        if ($query->num_rows() != 0)
        {
            show_error('Sorry');
        }

        $this->db->update('users', array('password' => md5($this->input->post('password'))), array('pin' => $pin));

        echo "You do it successfully";
    }
}


I use
Code:
if ($query->num_rows() == 0)
but it shows me an error message.
#7

[eluser]TheFuzzy0ne[/eluser]
Code:
public function update($pin = FALSE)
{
    // First check that we have a result for the PIN provided.
    if ( ! $pin OR $this->db->where('pin', $pin)->count_all_results('users') == 0)
    {
        show_error('Invalid PIN!');
    }
    
    // Load helpers, libraries.
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');

    // Set the validation rules.
    $this->form_validation->set_rules('password', 'Password', 'required');
    $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required|matches[password]');

    $data = array();
    
    // Was validation successful?
    if ($this->form_validation->run())
    {
        // Update the password, and reset the PIN, so it can't be used again.
        $this->db->where('pin', $pin)
                 ->update('users', array(
                    'password' => md5($this->input->post('password')),
                    'pin' => '',
                ));
        
        // Normally I redirect() to somewhere else here, to prevent resubmission when the back button is clicked.
        $data['message'] = 'Woohoo!!!';
    }
    
    // The default action when the page is loaded.
    $this->load->view('form', $data); // I would suggest naming this more sensibly. If you ever have more than one form on your site, you're going to run into problems.
}
In your view, you'll need something to display your message:
Code:
<?php if (isset($message)): ?>
<div>
    <?php echo $message; ?>
</div>
<?php endif; ?>
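
An added example, not part of any post in this thread: one way to close the pin-enumeration hole described in post #2 is to mail a long random token instead of a short numeric pin, store only its hash with an expiry, and clear it in the same UPDATE that stores a `password_hash()` digest. It uses plain PHP with PDO and an in-memory SQLite table rather than CodeIgniter's query builder; the `reset_hash` and `reset_expires` columns and both function names are assumptions.

```php
<?php
// Added example (not from the thread). Column names reset_hash / reset_expires
// and the function names are assumptions made for this illustration.

function issue_reset_token(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit random value that goes into the emailed URL
    $stmt = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE id = ?');
    // Only the SHA-256 of the token is stored, so a database leak does not expose usable links.
    $stmt->execute([hash('sha256', $token), time() + $ttl, $userId]);
    return $token;
}

function reset_password(PDO $db, string $token, string $newPassword): bool
{
    // Reject anything that is not a 64-character lowercase hex token before touching the database.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    // One statement sets the password and clears the token, so a token works at most once.
    $stmt = $db->prepare(
        'UPDATE users SET password = ?, reset_hash = NULL, reset_expires = NULL
         WHERE reset_hash = ? AND reset_expires >= ?'
    );
    $stmt->execute([
        password_hash($newPassword, PASSWORD_DEFAULT), // salted, slow hash instead of md5/sha1
        hash('sha256', $token),
        time(),
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT,
           reset_hash TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO users (id, password) VALUES (1, 'old')");

$token = issue_reset_token($db, 1);
var_dump(reset_password($db, '9122653566', 'guess'));   // a short numeric pin, as in the thread's URL
var_dump(reset_password($db, $token, 'correct horse')); // the token that was emailed
var_dump(reset_password($db, $token, 'again'));         // replay of the same token
```

On login, check the stored digest with `password_verify()` rather than comparing hashes by hand.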
#8

[eluser]imrul[/eluser]
Please see the image. It's the result of your code :(
I think you should check your code on your PC.
#9

[eluser]TheFuzzy0ne[/eluser]
Whoops! I've modified it, so that should now be fixed. Please try it again.



