Undefined variable: adminEmail in line 50 activation email not getting sent!?

[chrismcf]

Ok so I am practically brand new to php and I have really been working at this hard. I have gotten all my issues worked out and this appears to be the last one. My admin email doesn’t seem to be getting set.
When I test it out from the website through registering a test user the email with the activation link isn’t getting sent out. And I cant figure out why other than that this is causing it.
I could sure use some help. Pretty please and thank you so so much!
I have been beating my head against this all day and I just honestly don’t know what to do to fix it. Im sure its something simple but here I am…
Undefined variable: adminEmail in /home/***/***/forgot_pass.php on line 50
this the code for my forgot password page below is the code from the connect_to_mysql.php code
$outputForUser = "";
if ( isset($_POST['email']) && $_POST['email'] != "" )
{
$email = $_POST['email'];
$email = strip_tags($email);
$email= str_ireplace("`", "", $email);
$email = mysql_real_escape_string($email);
$sql = mysql_query("SELECT * FROM myMembers WHERE email='$email' AND email_activated='1'");
$emailcheck = mysql_num_rows($sql);
if ($emailcheck == 0){
$outputForUser = '<font color="#FF0000">There is no account with that info<br />
in our records, please try again.';
} else {
$emailcut = substr($email, 0, 4); // Takes first four characters from the user email address
$randNum = rand();
$tempPass = "$emailcut$randNum";
$hashTempPass = md5($tempPass);
@mysql_query("UPDATE myMembers SET password='$hashTempPass' WHERE email='$email'") or die("cannot set your new password");
[COLOR="#FFFF00"]Line 50 $headers = "From: $adminEmail\n"; // $adminEmail is established in [ scripts/connect_to_mysql.php ][/COLOR]$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1 \n";
$subject ="Login Password Generated";
$body="<div align=center><br>----------------------------- New Login Password --------------------------------<br><br><br>
Your New Password for our site is: <font color=\"#006600\"><u>$tempPass</u></font><br><br />
</div>";
if(mail($email,$subject,$body,$headers)) {
$outputForUser = "<font color=\"#006600\"><strong>Your New Login password has been emailed to you.</strong></font>";
} else {
$outputForUser = '<font color="#FF0000">Password Not Sent.<br /><br />
Please Contact Us...</font>';
}
}
} else {
$outputForUser = 'Enter your email address into the field below.';
}
?>
Here is the the code from my connect_to_mysql.php
<?php
mysql_connect("localhost","***","***") or die (mysql_error());
mysql_select_db("***") or die (mysql_error());?>

[essellar]

This is not a support issue; it belongs in the "Scripts, 3rd Party Apps and Programming" forum. This forum is for server and account problems.

When you do post for help with code, please use the appropriate BBcode tags, either PHP, HTML or CODE -- that retains your formatting and will give syntax highlighting for PHP and HTML.

It's not enough to have code available somewhere on the server, you need to run it somehow. In this case, that would mean using an include() or require() statement to include your configuration script's values in the code you are trying to run.

And keep in mind that this is a volunteer user-to-user forum for the most part; you aren't entitled to help with programming issues (although the chances are pretty good that you'll get help if you post in the correct forum -- there are a few users who know what they're doing and keep an eye on the forum I pointed to, but aren't server admins, so they don't necessarily hang out in this forum).

[misson]

The Scripts, 3rd Party Apps, and Programming forum is more appropriate for coding issues. The Free Hosting forum is more for administrative issues.

Please use [php], [html] or [code] tags (as appropriate) to separate and format code.

If PHP says the variable is undefined, it's undefined. Sample code should be presented as a minimal test case–complete, concise and representative. Otherwise, it's impossible to say with any certainty what's wrong, as the issue may lie in code that isn't posted.

The mysql extension is outdated and on its way to deprecation. Instead, use PDO, which has many useful improvements, such as prepared statements and support for the Traversable interface, so you can loop over results with foreach.

MD5 is considered broken by security professionals. No less than Bruce Schneier wrote back in 2008:

But -- come on, people -- no one should be using MD5 anymore.

Use a newer hashing function, such as whirlpool or something from the SHA2 family (SHA256, SHA512) or (better still) Blowfish (using crypt()). Any of these hashing functions can in turn be the basis of a tunable key derivation function (see also essellar and Callum's discussion on "Create User Accounts"). There's currently a proposal to add PBKDF2 to PHP's hash extension, which is built as part of the core. It won't be available until PHP 5.5 at the earliest (barring custom PHP builds), but if you write your own PBKDF2 function, give it the same API as in the proposal so yours can be replaced with the standard. You can even use function_exists to conditionally define your function, so that yours will be used only if a native version doesn't exist. Be aware that though the proposal has reached the vote-phase, there may yet be changes to the API.

Your password scheme is also vulnerable to rainbow tables. Add salt to fix this. Give each user a unique salt (a "nonce") and store that in a column in table `users`.

To update your code without impacting existing users:

1. Add a new column to your users table indicating which hash function was used. It could be a BOOLEAN value indicating that the p/w needs updating, or a string naming the hash function:
   1. `md5` BOOLEAN NOT NULL DEFAULT TRUE,
   2. `hash` VARCHAR(16) NOT NULL DEFAULT 'md5',
   
   The latter option allows you to easily support whatever hashing functions are available on the host.
2. Register new users using the newer hashing function.
3. When a user logs in, check whether their password is hashed using MD5 or not. If it is, expire their password (this is a good chance to have users enter new passwords). Alternatively, if the validation succeeds, re-hash the password and update the database.
4. If using the 1st column option, drop the column when there are no more MD5 hashed passwords (SELECT COUNT(*) FROM users WHERE `md5`=TRUE is 0)

Note that or die(mysql_error()) should never appear in production code, as die breaks HTML output and database error messages should never be revealed to non-admin users as it discloses too much information. A better approach would be to properly implement error handling.

<br/> (as it's being used), <font> and the align attribute are presentational HTML. Moreover, <font> is obsolete and align is completely absent in HTML5. Replace them with semantic HTML and use CSS for styling in the web page. HTML e-mails are a different matter, as mail clients lag behind in HTML support.

Instead of overwriting the user's password, it would be more usable to have a separate table of password reset requests with the necessary info (such as the temporary password and submit date & time). That way, you can expire password reset requests and easily force the user to enter a new password if you don't have a password expiration feature. Also, it sometimes happens that a user remembers her password shortly after submitting the request and doesn't need (or want) to use the temporary password.

rand() is not suitable for security purposes, such as password generation. For that, you need a cryptographically secure random number generator, which (these days) means reading from a device such as /dev/urandom. Since PRNGs are deterministic, they aren't cryptographically secure. rand() is particularly bad.

[SierraAR]

Moved to the proper section