lost password script

sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am


Post by sirTemplar »

hi. i have a strange problem with my lost password script. it is supposed to ask the user to input their email address, then the script randomly produces a new password and sends them an email. it seems to work fine because when i input the email, i receive the note and the email with the new password. looking at the database via phpMyAdmin i noticed that the password was actually changed, but when i try to login with the new password, i could not. what could be wrong?

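<?php
// Check whether the submitted email exists.
// Assumes a legacy ext/mysql connection was opened earlier (not shown in the post).
$email = isset($_POST['email']) ? $_POST['email'] : '';

// Escape the value before it is placed in SQL, so it cannot alter the query.
$email_sql = mysql_real_escape_string($email);

$sql_check = mysql_query("SELECT username FROM users
   WHERE email='$email_sql'");
$sql_check_num = mysql_num_rows($sql_check);
if ($sql_check_num == 0) {
   echo "No records found matching your email address. Go back and retry.<br/>";
   exit();
}

// Build a random 10-character password from the character list.
// mt_rand() seeds itself since PHP 4.2; the explicit seed is kept from the original.
mt_srand((double)microtime() * 1000000);
$charlist = "qwertyuiopasdfghjklzxcvbnm1234567890";
$newpass = '';
$max = strlen($charlist) - 1;
for ($i = 0; $i < 10; $i++) {
    $randnum = mt_rand(0, $max);
    $newpass .= $charlist[$randnum];   // [] replaces the removed {} string offset syntax
}

// Store the MD5 hash; the login page must hash the input the same way.
$newpass2 = md5($newpass);

$sql = "UPDATE users SET
    password='$newpass2'
    WHERE email='$email_sql'";
if ($result = mysql_query($sql)) {
    $femail = 'me <me@mydomain.org>';
    $temail = $email;
    $message = "Hi there, as requested please find your new password below:\n\nPassword: $newpass\n\nPlease login and change your pass immediately";
    if (mail($temail, ":: Password Reminder ::", $message, "From: $femail\n")) {
        // Encode the address before echoing it back into the page.
        echo "We have sent an email including your new pass to " . htmlspecialchars($email);
    } else {
        echo "Sorry, there was a problem sending your reminder. Please try again later or contact an admin.";
    }
}
?>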
dreamline
Forum Contributor
Posts: 158
Joined: Fri May 28, 2004 2:37 am

Post by dreamline »

As you said the password is sent and stored in the DB, so when logging in: do you encrypt the inputted password with MD5 too and check the encrypted password with the database?
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Post by sirTemplar »

i think i do. because those with username and password after they register can login without problems.
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Post by sirTemplar »

i have resolved the problem. the script is okay. i just missed something. thanks for the time anyway.
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

sirTemplar wrote: i have resolved the problem. the script is okay. i just missed the something
care to tell us :?:
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

I'm sick of sites that MD5 passwords and don't give me my password back if I lose it. I've switched from MD5 to proper AES encryption specifically for this reason.
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

it's nice to hear that, heh heh :twisted:

*thinks: maybe I'll try hacking onion :twisted: :twisted: *
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Post by sirTemplar »

i was trying to login at a wrong URL! so stupid of me, :( :oops:
dreamline
Forum Contributor
Posts: 158
Joined: Fri May 28, 2004 2:37 am

Post by dreamline »

LOL, it can be as simple as that... :)

Onion2k: Well if i'm not mistaken depending on the site you wouldn't want to have your password spread if that particular site is haxx0red right? As for md5: I know and read it's breakable, but i can imagine that if you are on pay sites you would want some form of encryption and best not to be able to decrypt it.. That's why i use MD5, however like i said it can be broken (or so i've read). :)
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

SHA256 hashing (provided in class form by PHPDev's very lovely feyd) ftw!
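
The thread's two recurring points (the login check must hash input the same way the reset script stored it, and unsalted MD5 is a weak way to store it) can be handled together by upgrading rows at login. This is an added example, not code from any poster in this thread; it assumes PHP 7 or later, and the function names `generateTempPassword` and `verifyAndUpgrade` are hypothetical:

```php
<?php
// Added example; generateTempPassword() and verifyAndUpgrade() are hypothetical names.

// Draw each character from the OS CSPRNG (random_int, PHP 7+) rather than mt_rand().
function generateTempPassword(int $length = 10): string
{
    $charlist = 'qwertyuiopasdfghjklzxcvbnm1234567890';
    $max = strlen($charlist) - 1;
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $charlist[random_int(0, $max)];
    }
    return $pass;
}

// Check a login attempt against a stored value that is either a legacy
// unsalted MD5 hex digest (what the thread's script writes) or a
// password_hash() string. Returns [bool $ok, ?string $newHash]; a non-null
// $newHash means the caller should write it back to users.password.
function verifyAndUpgrade(string $input, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: constant-time comparison, then upgrade on success.
        if (!hash_equals(strtolower($stored), md5($input))) {
            return [false, null];
        }
        return [true, password_hash($input, PASSWORD_DEFAULT)];
    }
    if (!password_verify($input, $stored)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($input, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample data: one legacy MD5 row, as the reset script stores it.
$temp = generateTempPassword();
$legacyRow = md5($temp);

[$ok, $upgraded] = verifyAndUpgrade($temp, $legacyRow);   // legacy row accepted, new hash returned
[$ok2, $again] = verifyAndUpgrade($temp, $upgraded);      // upgraded row checked with password_verify
[$bad] = verifyAndUpgrade('wrong-guess', $upgraded);      // wrong password against the upgraded row
var_dump($ok, $ok2, $again === null, $bad);
```

The `users.password` column must be wide enough for `password_hash()` output; the PHP manual recommends 255 characters.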