
lost password script

Posted: Fri Oct 28, 2005 11:05 pm
by sirTemplar
hi. i have a strange problem with my lost password script. it is supposed to ask the user to input their email add, then the script randomly produces a new password and sends them an email. it seems to work fine because when i input the email, i receive the note and the email with the new password. looking at the database via phpMyAdmin i noticed that the password was actually changed, but when i try to login with the new password, i could not. what could be wrong?

Code:

<?php
// Assumes a database connection was opened earlier with mysql_connect().

// Check if the email exists. Escape the posted value so it cannot
// change the structure of the SQL statements below.
$email = mysql_real_escape_string($_POST['email']);

$sql_check = mysql_query("SELECT username FROM users
    WHERE email='$email'");
$sql_check_num = mysql_num_rows($sql_check);
if ($sql_check_num == 0) {
    echo "No records found matching your email address. Go back and retry.<br/>";
    exit();
}

// Build a random 10-character password from the character list
mt_srand((double)microtime() * 1000000);
$charlist = "qwertyuiopasdfghjklzxcvbnm1234567890";
$newpass = '';
$max = strlen($charlist) - 1;
for ($i = 0; $i < 10; $i++) {
    $randnum = mt_rand(0, $max);
    $newpass .= $charlist[$randnum];
}

// Store only the MD5 hash; the plain password goes out by email
$newpass2 = md5($newpass);

$sql = "UPDATE users SET
    password='$newpass2'
    WHERE email='$email'";
if ($result = mysql_query($sql)) {
    $femail = 'me <me@mydomain.org>';
    $temail = $email;
    $message = "Hi there, as requested please find your new password below:\n\nPassword: $newpass\n\nPlease login and change your pass immediately";
    if (mail($temail, ":: Password Reminder ::", $message, "From: $femail\n")) {
        // HTML-escape the address before echoing it back into the page
        echo "We have sent an email including your new pass to " . htmlspecialchars($email);
    } else {
        echo "Sorry, there was a problem sending your reminder. Please try again later or contact an admin.";
    }
}
?>

Posted: Fri Oct 28, 2005 11:22 pm
by dreamline
As you said the password is sent and stored in the DB, so when logging in: do you encrypt the inputted password with MD5 too and check the encrypted password with the database?

Posted: Sat Oct 29, 2005 2:32 am
by sirTemplar
i think i do. because those with username and password after they register can login without problems.

Posted: Sat Oct 29, 2005 2:55 am
by sirTemplar
i have resolved the problem. the script is okay. i just missed something. thnx for the time anyway.

Posted: Sat Oct 29, 2005 3:44 am
by n00b Saibot
sirTemplar wrote: i have resolved the problem. the script is okay. i just missed something

care to tell us :?:

Posted: Sat Oct 29, 2005 3:49 am
by onion2k
I'm sick of sites that MD5 passwords and don't give me my password back if I lose it. I've switched from MD5 to proper AES encryption specifically for this reason.

Posted: Sat Oct 29, 2005 4:07 am
by n00b Saibot
it's nice to hear that, heh heh :twisted:

*thinks: maybe I'll try hacking onion :twisted: :twisted: *

Posted: Sat Oct 29, 2005 4:31 am
by sirTemplar
i was trying to login at a wrong URL! so stupid of me, :( :oops:

Posted: Sat Oct 29, 2005 11:41 pm
by dreamline
LOL, it can be as simple as that... :)

Onion2k: Well if i'm not mistaken depending on the site you wouldn't want to have your password spread if that particular site is haxx0red right? As for md5: I know and read it's breakable, but i can imagine that if you are on pay sites you would want some form of encryption and best not to be able to decrypt it.. That's why i use MD5, however like i said it can be broken (or so i've read). :)

Posted: Sun Oct 30, 2005 12:16 am
by Jenk
SHA256 hashing (provided in class form by PHPDev's very lovely feyd) ftw!
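
Added example, not part of the thread or any poster's code: the reset flow from the first post, with the hashing question discussed above handled by PHP's built-in password_hash()/password_verify(), bound query parameters and random_int(). The function names, the table layout and the in-memory SQLite database are assumptions made so the block runs on its own.

```php
<?php
// Added example: function names and schema are assumptions;
// SQLite in memory stands in for the MySQL database in the thread.

function make_password(int $len = 12): string {
    $charlist = 'qwertyuiopasdfghjklzxcvbnm1234567890';
    $max = strlen($charlist) - 1;
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $charlist[random_int(0, $max)]; // CSPRNG instead of mt_rand()
    }
    return $out;
}

// Returns the new plaintext password to mail, or null if no account matched.
function reset_password(PDO $db, string $email): ?string {
    $newpass = make_password();
    // Salted, deliberately slow hash instead of a bare md5()
    $hash = password_hash($newpass, PASSWORD_DEFAULT);
    // Bound parameters: the e-mail value never becomes part of the SQL text
    $stmt = $db->prepare('UPDATE users SET password = :p WHERE email = :e');
    $stmt->execute([':p' => $hash, ':e' => $email]);
    return $stmt->rowCount() === 1 ? $newpass : null;
}

// Login side: the stored hash carries its own salt and algorithm id,
// so verification must go through password_verify(), not string equality.
function check_login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT UNIQUE, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.org', 'unset')");

$new = reset_password($db, 'alice@example.org');
var_dump(check_login($db, 'alice@example.org', $new));   // login with the mailed password
var_dump(check_login($db, 'alice@example.org', 'unset')); // old stored value no longer works
var_dump(reset_password($db, "nobody' OR '1'='1"));       // injection-style input is plain data
```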