login rework
Posted: Sat Mar 27, 2010 12:46 pm
I have a problem that I am not able to solve. I would kindly thank anyone who might help me with the solution. I have been given a site to work on, in which the owner does not know the superadmin password. I have looked in the database, as well as in the coding, and find that it is hashed with MD5. He is trying to find his paperwork in which he has it written down so I can't delete the userid and password from the database. Is there a way to reset it manually from the code?
Below is the code for the login.
Here is the change password script
Below is the code for the login.
Code: Select all
if ($_GET) {
$url = $_GET["url"];
}
if ($_POST) {
$user_name = $_POST["user_name"];
$password = $_POST["password"];
$password = md5($password);
$url = $_POST["url"];
$result = mysql_query("SELECT * FROM users WHERE user_name=\"" . $user_name . "\"");
if (mysql_num_rows($result) > 0) {
while ($myrow = mysql_fetch_array($result))
{
if ($myrow["password"] == $password)
{
$_SESSION['user_name'] = $user_name;
$_SESSION['admin_role'] = $myrow["role"];
$_SESSION['agency'] = $myrow["agency_name"];
/*echo "<script type=\"text/javascript\" language=\"JavaScript\">location.href = '" . $url . "';</script>";*/
header("Location: admin_area.php");
exit;
}
else
{
$msg = "<font color=red>Login failed. Wrong password entered.</font>";
}
}
}
else
{
$msg = "<font color=red>Login failed. User does not exist.</font>";
}
mysql_free_result($result);
}
Code: Select all
<?php
session_start();
if (!isset($_SESSION['user_name']))
{
header("Location: Login.php?url=" . $_SERVER['PHP_SELF']);
}
require_once("../../includes/ru_config.php");
require_once("../../includes/ru_connection.php");
require_once("../../includes/ru_data.php");
require_once("../../includes/ru_utils.php");
require_once("../../libs/ru_smarty.php");
$errorMsg;
?>
<?php
if ($_POST)
{
//Check that the friend's name, site URL and order are provided
if ($_POST['password'] == $_POST['re_password'])
{
$updateQuery = "UPDATE Users SET password ='" . $_POST['password'] . "' WHERE user_name='" . $_SESSION['user_name'] . "'";
if ($result = mysql_query($updateQuery))
{
// It worked, give confirmation
$errorMsg= '<i><b>Password changed successfully.</b></i><br>';
}
else
{
// It hasn't worked so stop. Better error handling code would be good here!
$errorMsg = "<font color=red><i><b>Sorry, there was an error changing your password.<br><br></b></i></font>";
}
}
else
{
$errorMsg = "<font color=red><i><b>Sorry, there was an error changing your password. Both the entered passwords did not match!</b></i></font><br><br>";
}
}
$smarty = new RuSmarty;
$smarty->assign("errorMsg",$errorMsg);
$smarty->assign("action",$_SERVER['PHP_SELF']);
$smarty->display('admin/change_password.tpl');
?>