I'm making a "forgot password" page on my login form. The forgot form asks for an email address and then will email the username/password to that address,
but as I'm coding I realized... in the profiles I display their email addy, so anyone could just type in someone else's email address.
Although the real user is the only one who gets the email, is that the smartest way of going about things?
FORGOT PASSWORD Dilemma
On my website, Poetry.mine.nu, the way I go about passwords is more complex than yours, but simpler in the same way... here:
I think, in your case, it is bad judgement NOT to hash the passwords... not only would people not trust you if they found out, but it's just not good backend security in general. I suggest that you 'md5' (a form of hashing) your passwords. So when they sign-up, it does:
Code:
$hashed = md5($password);   // $password is what they typed at sign-up; store $hashed in the DB, never $password

Then, when they go to login, it hashes what they enter and compares that to what is in the database..... (say that the name of the username input box on the login form is "username" and the password box name is "password"):
Code:
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
// tablename and usercol are placeholders for your own table and username column;
// the username is escaped so a quote in the form field cannot break out of the query
$result = mysql_query("select * from tablename where usercol='" . mysql_real_escape_string($username) . "'");
$row = mysql_fetch_assoc($result);
if ($row && $row["password"] == md5($password)) {
    $loggedin = $username;
    session_register("loggedin");
}

Then, in the rest of the site, you can check if they're logged in by:
Code:
session_start();
if (session_is_registered("loggedin")) {
    // $loggedin holds the username of the person who is logged in
}

So ANYWAY, about your 'forgot password' page. What you have them do is send you an e-mail FROM the e-mail address that they signed up with (so you know that they truly are who they say they are), then just hash up another temporary password and stick it in the DB under their name.... You can have a little admin page where you can enter something, and it'll return the hash, then just c/p and insert it into the DB under their name. So then you just put in like 'bob', put that in the DB for them, and e-mail them back telling them that their password has been changed to 'bob'. They can then proceed to change it at an 'Account' page... supposing you have one. If you don't have an account page... I suggest you make one... if not, just have them e-mail you what they WANT to be their password... then you hash it up and stick it in the DB. (If you think that "ooo, but then I'd know their password"... well, you could have looked anytime you wanted with your original/non-hash scheme.)
I really hope that all made sense, and it's a very secure and efficient way of doing things... feel free to c/p the code.....
later on, -Brian
- hob_goblin
- Forum Regular
- Posts: 978
- Joined: Sun Apr 28, 2002 9:53 pm
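The flow Brian describes, as an added example that is not code from the thread or from his site: store only password hashes, verify at login, and on "forgot password" overwrite the stored hash with the hash of a random temporary password that is mailed only to the address already on file, which is what answers the original poster's worry about someone typing in another member's public email address. Two things are swapped in and are assumptions of this example, not the thread's: PHP's `password_hash()`/`password_verify()` stand in for plain `md5()`, and an in-memory `$users` array stands in for the MySQL table (the function names `registerUser`, `login`, `resetPassword` and the `alice@example.com` record are all constructed here).

```php
<?php
// Added example (not from the thread). Hashed password store, login check,
// and a "forgot password" step that mails a random temporary password only
// to the address on file. The $users array replaces the DB table; the mail
// is returned to the caller instead of being sent, so this runs offline.
declare(strict_types=1);

/** @var array<string, array{email: string, hash: string, must_change: bool}> */
$users = [];

function registerUser(array &$users, string $username, string $email, string $password): void
{
    // Only the hash is stored; the plaintext never touches the table.
    $users[$username] = [
        'email'       => $email,
        'hash'        => password_hash($password, PASSWORD_DEFAULT),
        'must_change' => false,
    ];
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    // password_verify() re-hashes the attempt with the stored salt and
    // compares in constant time.
    return password_verify($password, $users[$username]['hash']);
}

/**
 * Forgot-password step. $typedEmail is whatever was entered into the form.
 * If an account has that address on file, its hash is replaced with the hash
 * of a fresh random temporary password, and the caller gets back the on-file
 * address plus the temporary password so it can be mailed there and nowhere
 * else. Returns null when nothing matches; the page should show the same
 * "if that address is registered, we have sent a mail" text either way so the
 * form does not confirm which addresses exist.
 */
function resetPassword(array &$users, string $typedEmail): ?array
{
    foreach ($users as $username => $record) {
        if (strcasecmp($record['email'], $typedEmail) === 0) {
            // 12 random bytes -> 16 URL-safe characters: not guessable in the
            // window before the user replaces it on the account page.
            $temporary = rtrim(strtr(base64_encode(random_bytes(12)), '+/', '-_'), '=');
            $users[$username]['hash'] = password_hash($temporary, PASSWORD_DEFAULT);
            $users[$username]['must_change'] = true;  // force a change at next login
            return ['to' => $record['email'], 'username' => $username, 'temporary' => $temporary];
        }
    }
    return null;
}

// --- demonstration with constructed data ----------------------------------
registerUser($users, 'alice', 'alice@example.com', 'correct horse battery staple');

printf("login with right password: %s\n", login($users, 'alice', 'correct horse battery staple') ? 'ok' : 'denied');
printf("login with wrong password: %s\n", login($users, 'alice', 'wrong') ? 'ok' : 'denied');

// Someone types Alice's publicly visible address into the forgot form.
// The temporary password goes only to the on-file address; whoever typed it
// in learns nothing, and Alice's old password stops working.
$mail = resetPassword($users, 'alice@example.com');
printf("mail would go to: %s\n", $mail['to']);
printf("old password after reset: %s\n", login($users, 'alice', 'correct horse battery staple') ? 'ok' : 'denied');
printf("temporary password works: %s\n", login($users, 'alice', $mail['temporary']) ? 'ok' : 'denied');
printf("must change at next login: %s\n", $users['alice']['must_change'] ? 'yes' : 'no');

// An address nobody registered produces no mail and changes nothing.
printf("unknown address: %s\n", resetPassword($users, 'nobody@example.com') === null ? 'no account, no mail' : 'unexpected');
```

Run it with `php example.php`. One caveat the scheme carries over from the thread: because the reset overwrites the current hash straight away, anyone who knows a member's address can force a password change and lock them out until they read the mail. The usual fix is to leave the current password intact and mail a short-lived, single-use token instead, changing the password only when that token is presented.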