
login rework

Posted: Sat Mar 27, 2010 12:46 pm
by russia5
I have a problem that I am not able to solve. I would kindly thank anyone who might help me with the solution. I have been given a site to work on, in which the owner does not know the superadmin password. I have looked in the database, as well as in the coding, and find that it is hashed with MD5. He is trying to find his paperwork in which he has it written down, so I can't delete the userid and password from the database. Is there a way to reset it manually from the code?
Below is the code for the login.

Code: Select all


if ($_GET) {
    $url = $_GET["url"];
}
if ($_POST) {
    $user_name = $_POST["user_name"];
    $password = $_POST["password"];
    // Stored passwords are unsalted MD5 digests, so hash the input the same way
    $password = md5($password);
    $url = $_POST["url"];
    // Escape the user name before it is placed in the query string
    $result = mysql_query("SELECT * FROM users WHERE user_name=\"" . mysql_real_escape_string($user_name) . "\"");
    if (mysql_num_rows($result) > 0) {
        while ($myrow = mysql_fetch_array($result)) {
            // Strict comparison, so two different "0e..." digests never compare equal as numbers
            if ($myrow["password"] === $password) {
                $_SESSION['user_name'] = $user_name;
                $_SESSION['admin_role'] = $myrow["role"];
                $_SESSION['agency'] = $myrow["agency_name"];
                /*echo "<script type=\"text/javascript\" language=\"JavaScript\">location.href = '" . $url . "';</script>";*/
                header("Location: admin_area.php");
                exit;
            } else {
                $msg = "<font color=red>Login failed. Wrong password entered.</font>";
            }
        }
    } else {
        $msg = "<font color=red>Login failed. User does not exist.</font>";
    }
    mysql_free_result($result);
}

Here is the change password script

Code: Select all


<?php
session_start();
if (!isset($_SESSION['user_name']))
{
	header("Location: Login.php?url=" . $_SERVER['PHP_SELF']);
	// Stop here so the rest of the script does not run for visitors who are not logged in
	exit;
}


require_once("../../includes/ru_config.php");
require_once("../../includes/ru_connection.php");
require_once("../../includes/ru_data.php");
require_once("../../includes/ru_utils.php");
require_once("../../libs/ru_smarty.php");

$errorMsg = '';
?>


<?php
if ($_POST)
{
	// Check that both password entries match
	if ($_POST['password'] == $_POST['re_password'])
	{
		// Store the MD5 digest, because the login script compares against md5() of the input;
		// the user name is escaped before it is placed in the query
		$updateQuery = "UPDATE Users SET password ='" . md5($_POST['password']) . "' WHERE user_name='" . mysql_real_escape_string($_SESSION['user_name']) . "'";

		if ($result = mysql_query($updateQuery))
		{
			// It worked, give confirmation
			$errorMsg= '<i><b>Password changed successfully.</b></i><br>';
		}
		else
		{
			// It hasn't worked so stop. Better error handling code would be good here!
			$errorMsg = "<font color=red><i><b>Sorry, there was an error changing your password.<br><br></b></i></font>";
		}
	}
	else
	{
		$errorMsg = "<font color=red><i><b>Sorry, there was an error changing your password. Both the entered passwords did not match!</b></i></font><br><br>";
	}
}

$smarty = new RuSmarty;

$smarty->assign("errorMsg",$errorMsg);
$smarty->assign("action",$_SERVER['PHP_SELF']);
$smarty->display('admin/change_password.tpl');
?>



Re: login rework

Posted: Sat Mar 27, 2010 1:01 pm
by Alkis
What comes quickly into my mind (if the password is only md5):

trying to set a new password:

let's say the new password is: password1234

Code: Select all

//do an md5 on it:
$encPassword = md5('password1234');
echo $encPassword;
Then copy the output of the above echo, and paste it directly into the database. That way you have the encrypted password in your database, and from the page you can login by giving: password1234.

Re: login rework

Posted: Sat Mar 27, 2010 1:01 pm
by requinix
Pick a password, then

Code: Select all

UPDATE `users` SET `password` = MD5("password here") WHERE `user_name` = "admin, or whatever the username is";
You can run that from a MySQL console, phpMyAdmin, or from a temporary PHP script.
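
A login check that accepts the MD5 digests discussed in this thread and replaces them with a `password_hash()` value on the next successful login, as an added example that is not code from any poster or from the site in question. It assumes PHP 7+ with PDO; the function name `check_login`, the in-memory SQLite database and the sample account are constructed for illustration, and the real `password` column is assumed to be wide enough for the longer hash (VARCHAR(255) is a safe choice).

```php
<?php
// Added example (not from the thread): verify against a legacy MD5 digest or a
// password_hash() value, then upgrade the stored hash after a successful login.

function check_login(PDO $db, string $userName, string $password): bool
{
    // Prepared statement: the user name is never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // Legacy rows hold a 32-character hex MD5 digest, as in the thread.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    $ok = $isLegacy
        ? hash_equals(strtolower($stored), md5($password)) // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // Replace the MD5 digest (or an outdated hash) with a salted, slow hash.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE user_name = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $userName]);
    }
    return true;
}

// Constructed demo data: one account whose password was reset with MD5.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['admin', md5('password1234')]);

var_dump(check_login($db, 'admin', 'wrong'));        // wrong password
var_dump(check_login($db, 'admin', 'password1234')); // correct; triggers the upgrade
$hash = $db->query("SELECT password FROM users WHERE user_name = 'admin'")->fetchColumn();
var_dump(strlen($hash) > 32);                        // stored value is no longer an MD5 digest
var_dump(check_login($db, 'admin', 'password1234')); // now checked by password_verify()
```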

Re: login rework

Posted: Sat Mar 27, 2010 1:03 pm
by Alkis
Maybe tasairis' option is faster; choose what fits you.

Re: login rework

Posted: Sat Mar 27, 2010 4:11 pm
by russia5
Thank You very much!! Worked like a charm!! You have now been elevated to my favorite forum status!!! :D