Page 1 of 1

change password

Posted: Sun Jan 01, 2006 11:23 am
by spamyboy
Ok, 1st of all. Happy christmas & NewYears !
And here is what i need :)
I creat my own member script (reg/login/member area)
and now only one thing left: I need to creat php script which could allow users change their password. How? Could anyone wrute script ?

Posted: Sun Jan 01, 2006 11:38 am
by John Cartwright
Could anyone wrute script ?
Nope, but I can certainly give you a push into the right direction. Just so we don't waste time, why don't you start by posting your db structure?

Posted: Sun Jan 01, 2006 11:53 am
by spamyboy
CREATE TABLE users (
userid int(25) NOT NULL auto_increment,
first_name varchar(25) NOT NULL default '',
last_name varchar(25) NOT NULL default '',
email_address varchar(25) NOT NULL default '',
username varchar(25) NOT NULL default '',
password varchar(255) NOT NULL default '',
info text NOT NULL,
user_level enum('0','1','2','3') NOT NULL default '0',
signup_date datetime NOT NULL default '0000-00-00 00:00:00',
last_login datetime NOT NULL default '0000-00-00 00:00:00',
activated enum('0','1') NOT NULL default '0',
PRIMARY KEY (userid)
)

Posted: Sun Jan 01, 2006 12:02 pm
by John Cartwright
Some steps I would take when changing a users password, is force them to re-enter their current password. Just incase some user gained access to the users account, he would still be unable to lock the user out from his own account unless the malicious user actually knew the plaintext password.

So.. have 3 fields in your form

1) Old Password
2) New Password
3) Repeat New Password

I'm not sure how you are authenticating your users, but I'll assume its done with sessions, since thats the most common method. I'll assume you store the users id from the db in the session to track the user..

So what you want to do when the user submits this form, you have have 2 checks, if the old password the current set password? You'll have to re-query the database and check

2) Are the New Password and Repeat New Password identical?

If those two checks pass, then you'll simply run a update query to modify the password

Code: Select all

$result = mysql_query('UPDATE `users` SET `password` = \''.md5($_POST['password']).'\' WHERE `userid` = \''. $_SESSION['userid'].'\' LIMIT 1');
Notice I used an md5 to hash the password, change that to whatever hasing or encryption you've used in your current setup, if any

Posted: Sun Jan 01, 2006 12:09 pm
by spamyboy
Dam... It's true i used sessions and md5, but it's still to hard for me ;/
I dont know hot to intergrate your wrriten part script...
$result = mysql_query('UPDATE `users` SET `password` = \''.md5($_POST['password']).'\' WHERE `userid` = \''. $_SESSION['userid'].'\' LIMIT 1');

Posted: Sun Jan 01, 2006 6:34 pm
by mickd
well, basically all you need is one page with the html form in it with 3 inputs, old password, new password and repeat new password.

P.S. the scripts i show from now on i wrote over 3 months ago close to when i first started so there might be some inconsistency/bad practise etc.

page that has the form in it:

Code: Select all

<form method="post" action="handleoptions.php" name="password_change">
        <table width="100%" align="center" border="0">
		<tr>
			<td width="100%" align="center" colspan="2">
				<b>Change Password</b>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				Old Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_old" size="15px" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				New Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_new" size="15px" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				Confirm Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_new_confirm" size="15px" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="100%" align="left" colspan="2">
				<input type="submit" value="Update Password!" name="password_change_submit">
			</td>
		</tr>
	</table></form>
you then have the PHP in another page which the form submits to handle the information and update the database aswell as validate.

keeping in mind this was also written over 3 months ago when i first started.

handle page:

Code: Select all

<?php
	session_start();
		include '../private_html/includes/configuration.php';
		dbconnect();
		checklogin();
		is_dead();
		is_banned();

if(isset($_POST['password_change_submit'])) {

	$login_session = $_SESSION['username_value'];
	$login_cookie = $_COOKIE['username'];
	$check_username = mysql_query("SELECT * FROM accounts WHERE login_session='$login_session' AND login_cookie='$login_cookie'");
	$check_username_assoc = mysql_fetch_assoc($check_username);
	$username = $check_username_assoc['username'];
	$password_old = $_POST['password_old'];
	$password_new = $_POST['password_new'];
	$password_new_confirm = $_POST['password_new_confirm'];
	
	$password_old_md5 = md5($password_old);
	$password_new_md5 = md5($password_new);
	$password_new_confirm_md5 = md5($password_new_confirm);
	
	$select_username_assoc = mysql_query("SELECT * FROM accounts WHERE username='$username'");
	$username_assoc = mysql_fetch_assoc($select_username_assoc);
	
		if($username_assoc['password'] == $password_old_md5) {
			if($password_new_md5 == $password_new_confirm_md5) {
			
			mysql_query("UPDATE accounts SET password='$password_new_md5' WHERE username='$username'");
			mysql_query("UPDATE accounts SET login_session='' WHERE login_session='$login_session'");
			mysql_query("UPDATE accounts SET login_cookie='' WHERE login_cookie='$login_cookie'");
			session_destroy();
			$cookie_username = $_COOKIE['username'];
			setcookie("username", $cookie_username, time()-3600, "/", ".xxxxx.com");
			header("location:http://www.xxxxx.com/index.php?login=4");
			
			} elseif($password_new_md5 != $password_new_confirm_md5) {
			header("location:http://www.xxxxx.com/options.php?error=2");
			die();
			}
		} elseif($username_assoc['password'] != $password_old_md5) {
		header("location:http://www.xxxxx.com/options.php?error=1");
		die();
		}
} elseif(!isset($_POST['password_change_submit'])) {
header("location:http://www.xxxxx.com/options.php");
die();
}
?>
ive got alot of useless stuff in there but it should give you an idea.


ekkk, that codes so ugly.

Posted: Sun Jan 01, 2006 6:37 pm
by spamyboy
Thank you ! :)

Posted: Sun Jan 01, 2006 11:44 pm
by s.dot
for even greater security you should email them the new password, with a hash in the link that's also stored in your DB. then when they click the link in their email check to make sure the hash matches the db hash

but the basic steps are good

old password, new password, confirm new password

(afterthought: i guess emailing them the new password is only logical when recovering a lost password.. i was just too lazy to erase it, which is kind of ironic considering how I had the energy to type this big long run-on sentence.)

Posted: Mon Jan 02, 2006 12:20 am
by josh
scrotaye wrote:i was just too lazy to erase it, which is kind of ironic considering how I had the energy to type this big long run-on sentence.)
:D :D :D :D



anyways its probably better to instead of emailing them the new password when it is reset, but instead allow them to click a link in their email to take them to the change password form, but don't prompt them for the old password