om my website:
Poetry.mine.nu, the way I go about passwords is more complex than yours, but simpler in the same way...here:
I think, in your case, it is bad judgement NOT to hash the passwords...not only would people not trust you if they found out, but it's just not good backend security in general. I suggest that you 'md5' (a form of hashing) your passwords. So when they sign up, it does:
Then, when they go to log in, it hashes what they enter and compares that to what is in the database...(say that the name of the username input box on the login form is "username" and the password box name is "password"):
// values from the "username" and "password" boxes on the login form;
// escape the username so it can't break out of the SQL string
$username = mysql_real_escape_string($_POST["username"]);
$password = $_POST["password"];
// replace DBname / usercol with your own table and username column names
$result = mysql_query("select * from DBname where usercol='$username'");
$row = mysql_fetch_assoc($result);
// compare the stored hash to the hash of what they just typed
if($row["password"]==md5($password))
{
$loggedin = $username;
session_register("loggedin");
}
Then, in the rest of the site, you can check if they're logged in by:
if(session_is_registered("loggedin")) { /* they are logged in */ }
So ANYWAY, about your 'forgot password' page. What you have them do is send you an e-mail FROM the e-mail address that they signed up with (so you know that they truly are who they say they are), then just hash up another temporary password and stick it in the DB under their name.... You can have a little admin page where you can enter something, and it'll return the hash, then just c/p and insert it into the DB under their name. So then you just put in like 'bob', put that in the DB for them, and e-mail them back telling them that their password has been changed to 'bob'. They can then proceed to change it at an 'Account' page...supposing you have one. If you don't have an account page...I suggest you make one...if not, just have them e-mail you what they WANT to be their password...then you hash it up and stick it in the DB. (If you think that "ooo, but then I'd know their password"....well, you could have looked anytime you wanted with your original/non-hash scheme.)
I really hope that all made sense, and it's a very secure and efficient way of doing things...feel free to c/p the code.....
later on, -Brian
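The same sign-up, login and temporary-password flow as Brian describes, written as an added example (editor's code, not from the post) for current PHP: a bound parameter replaces the string-built query, and password_hash()/password_verify() (salted, slow) replace a bare md5() comparison, which is trivially cracked from a leaked table today. It uses an in-memory SQLite database so it runs stand-alone; the table and column names are assumed.

```php
<?php
// Added example, not the original poster's code. Assumed schema: users(username, pwhash).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

// Sign-up: store only the salted, slow hash, never the password itself.
function signup(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the stored hash with a bound parameter (so a username such as
// "x' OR '1'='1" is just data), then let password_verify() do the comparison.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwhash']);
}

// 'Forgot password': instead of a guessable temporary password like "bob",
// generate a random one, store only its hash, and return the plaintext to be
// mailed to the address on file. The user then changes it on the account page.
function reset_password(PDO $db, string $username): string {
    $temp = bin2hex(random_bytes(8));   // 16 hex characters, unguessable
    $stmt = $db->prepare('UPDATE users SET pwhash = ? WHERE username = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $username]);
    return $temp;
}

// Constructed demo data.
signup($db, 'alice', 'correct horse battery staple');
echo 'right password: ', login($db, 'alice', 'correct horse battery staple') ? "ok\n" : "FAIL\n";
echo 'wrong password: ', login($db, 'alice', 'wrong') ? "FAIL\n" : "ok\n";
echo 'injection attempt: ', login($db, "alice' OR '1'='1", 'wrong') ? "FAIL\n" : "ok\n";
$temp = reset_password($db, 'alice');
echo 'temporary password: ', login($db, 'alice', $temp) ? "ok\n" : "FAIL\n";
echo 'old password after reset: ', login($db, 'alice', 'correct horse battery staple') ? "FAIL\n" : "ok\n";
```

Run it with `php example.php`; the last check shows the old password stops working once the temporary one is stored.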