Hi. I have a strange problem with my lost-password script. It is supposed to ask the user to input their email address, then the script randomly produces a new password and sends them an email. It seems to work fine because when I input the email, I receive the note and the email with the new password. Looking at the database via phpMyAdmin I noticed that the password was actually changed, but when I try to login with the new password, I cannot. What could be wrong?
<?php
// Check whether an account exists for the submitted email address.
// $HTTP_POST_VARS and the mysql_* functions no longer exist in current PHP;
// $_POST and a mysqli prepared statement replace them, which also stops the
// email value from being spliced straight into the SQL string.
$email = $_POST['email'] ?? '';
// Connection details are placeholders; the original script connects elsewhere.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$stmt = $db->prepare("SELECT username FROM users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 0) {
    echo "No records found matching your email address. Go back and retry.<br/>";
    exit();
}
$stmt->close();

// Build a random 10-character password from the allowed character list.
// random_int() draws from the OS CSPRNG, so no mt_srand() seeding is needed
// and the result is not predictable the way mt_rand() output can be.
$charlist = "qwertyuiopasdfghjklzxcvbnm1234567890";
$newpass = '';
$max = strlen($charlist) - 1;
for ($i = 0; $i < 10; $i++) {
    $randnum = random_int(0, $max);
    $newpass .= $charlist[$randnum];   // the $str{$i} offset syntax was removed in PHP 8
}

// Store the MD5 of the new password. The login script must hash the
// submitted password the same way before comparing it with this column.
$newpass2 = md5($newpass);
$stmt = $db->prepare("UPDATE users SET password = ? WHERE email = ?");
$stmt->bind_param('ss', $newpass2, $email);
if ($stmt->execute()) {
    $femail = 'me <me@mydomain.org>';
    $temail = $email;
    $message = "Hi there, as requested please find your new password below:\n\nPassword: $newpass\n\nPlease login and change your pass immediately";
    if (mail($temail, ":: Password Reminder ::", $message, "From: $femail\n")) {
        // Escape the user-supplied address before echoing it into HTML.
        echo "We have sent an email including your new pass to " . htmlspecialchars($email);
    } else {
        echo "Sorry, there was a problem sending your reminder. Please try again later or contact an admin.";
    }
}
$stmt->close();
?>
As you said, the password is sent and stored in the DB, so when logging in: do you encrypt the inputted password with MD5 too and check the encrypted password against the database?
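The login-side check the reply above is asking about, as an added example that is not part of this thread or the poster's script. The users table is stood in for by a constructed array with the same column names; the stored value is md5() of the reset password, matching what the poster's script writes. The first function reproduces the failure described in the post (plaintext compared with a hash); the second is the check that works with that schema. The closing lines go beyond the thread and show PHP's own password_hash()/password_verify(), which are the standard replacement for md5 in this role.

```php
<?php
// Constructed stand-in for the users table (not a real database).
$users = [
    ['username' => 'alice',
     'email'    => 'alice@example.org',
     'password' => md5('k3x9mz2qpa')],   // what the reset script stored
];

// Look up the row for an email address, or null if none matches.
function find_user(array $users, string $email): ?array {
    foreach ($users as $row) {
        if ($row['email'] === $email) {
            return $row;
        }
    }
    return null;
}

// Wrong: compares the plaintext the user typed with the stored hash.
// This is the symptom in the original post: DB updated, login still fails.
function login_plaintext(array $users, string $email, string $password): bool {
    $row = find_user($users, $email);
    return $row !== null && $row['password'] === $password;
}

// Correct for the poster's schema: hash the submitted password with md5
// exactly as the reset script did, then compare hash with hash.
// hash_equals() does the comparison in constant time.
function login_md5(array $users, string $email, string $password): bool {
    $row = find_user($users, $email);
    return $row !== null && hash_equals($row['password'], md5($password));
}

var_dump(login_plaintext($users, 'alice@example.org', 'k3x9mz2qpa'));
var_dump(login_md5($users, 'alice@example.org', 'k3x9mz2qpa'));
var_dump(login_md5($users, 'alice@example.org', 'wrongpass'));

// Beyond the thread: password_hash() (PHP 5.5+) produces a salted, slow
// hash; storing its output in the password column and checking with
// password_verify() needs no other change to the reset or login flow.
$stored = password_hash('k3x9mz2qpa', PASSWORD_DEFAULT);
var_dump(password_verify('k3x9mz2qpa', $stored));
var_dump(password_verify('wrongpass', $stored));
```

Run it with `php login_check.php`: the plaintext comparison reports false for the correct password, the md5 comparison reports true, and only the wrong password fails under password_verify().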
I'm sick of sites that MD5 passwords and don't give me my password back if I lose it. I've switched from MD5 to proper AES encryption specifically for this reason.
Onion2k: Well, if I'm not mistaken, depending on the site you wouldn't want to have your password spread if that particular site is haxx0red, right? As for MD5: I know and have read it's breakable, but I can imagine that if you are on pay sites you would want some form of encryption, and best not to be able to decrypt it. That's why I use MD5; however, like I said, it can be broken (or so I've read).