MD5 password change

Posted: Tue Mar 21, 2006 4:04 am
by NAT
feyd | Please use tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi,

I am trying to make a password_forgot script with md5. The registration script is made with the md5 function; all passwords are stored in the DB md5 encrypted. I made a script for users who forget their password; they can send an email and ask for their password. The script has to generate a new password and store the password in the DB md5 encrypted, and then send the user an email with the normal password.

My registration script works like this:

$temppass = $password;
$password = md5($password);

And this is my forgot_password.php script:

<?php

@mysql_connect(localhost,"xxxxx","xxxxxx");
@mysql_select_db("xxxxx_DB") or die( "<CENTER> The DB could not be found.");

if ($HTTP_POST_VARS['command'] == 'forgot' &&
strlen($_POST['email'] <= 50)) {

$email = addslashes($_POST['email']);
$query = "select * FROM users WHERE email = '$email'";
$result = mysql_query($query);
$num = mysql_numrows($result);
if ($num > 0) {


$alphanum =
array('a','b','c','d','e','f','g','h','i','j','k','m','n','o',
'p','q','r','s','t','u','v','x','y','z','A','B','C','D','E',
'F','G','H','I','J','K','M','N','P','Q','R','S','T','U',
'V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9');

srand((double)microtime()*1000000);
$chars = sizeof($alphanum);
$a = time();
mt_srand($a);
for ($i=0; $i < 6; $i++) {
$randnum = intval(mt_rand(0,56));
$password .= $alphanum[$randnum];
}
$sql = "UPDATE $users SET password='".md5($password)."', .temppass($password) = 1 WHERE users = '$email' en password = '$password'";

$result = mysql_query($sql); 
$to = $_POST['email'];
$from = "xxxx@xxxx.xxx";
$subject = "New password";
$msg = <<< EOMSG
Your new password is:
$password
Please log in at this URL:
http://localhost/login.html
Then go to this address to change your password:
http://localhost/changepass.php
EOMSG;
$mailsend = mail("$to","$subject","$msg","From:
$from\r\nReply-To:xxxx@xxxx.xxx");

if ($email) {
echo "The information is been send succenfully; $email";
} else {
echo "Failes sending a email<br><br>";
}

} else {
echo "This email adress could not be found in DB.<br><br>";}
}

?>

I registered myself, and I log in and log out (so the register and login scripts work fine). Then I tried to ask for a new password to test the forgot_password.php script. I get the email with a new password, but when I try to log in, I can't.

I am trying to figure out what is not working in the forgot_password.php script. Can anyone help me with this problem?

Thanks in advance,

NAT


Posted: Tue Mar 21, 2006 4:08 am
by s.dot

$sql = "UPDATE $users SET password='".md5($password)."',

you should probably take the $ off of users

if that doesn't work

change

$result = mysql_query($sql);

to
$result = mysql_query($sql) or die(mysql_error());

Posted: Tue Mar 21, 2006 4:11 am
by shiznatix
also, get rid of the @ in front of mysql_connect() and mysql_select_db() because maybe you are not even connecting to the database!

Posted: Tue Mar 21, 2006 4:14 am
by s.dot
also

$password .= $alphanum[$randnum];

doesn't need the dot there

$password = $alphanum[$randnum];

Posted: Tue Mar 21, 2006 4:28 am
by NAT
I took the $ from users and I also changed it to $result = mysql_query($sql) or die(mysql_error());

I get this error:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '(7F2cRT) = 1 WHERE users = 'azeri_x@hotmail.com' en password =


Then I also changed $password = $alphanum[$randnum]; (removed the dot from there) and I get this message after a test:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '(K) = 1 WHERE users = 'azeri_x@hotmail.com' en password = 'K''

I think I am one step further; something is wrong between the query and the generating of a password.

Posted: Tue Mar 21, 2006 4:35 am
by s.dot
show us your code after the changes you made

Posted: Tue Mar 21, 2006 4:37 am
by s.dot
I also think this is the query you're looking for

$sql = "UPDATE `users` SET `password` = '" . md5($password) . "' WHERE `users` = '$email'";

Posted: Tue Mar 21, 2006 4:40 am
by NAT
<form action="?action=pass" method="Post">
<br>
Email: <input type="text" name="email"><br />
<br /><br />
<input type="hidden" name="command" value="forgot">
<input type="submit" value="Send password">
</form>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

<?php

@mysql_connect(localhost,"xxxxxxx","xxxxxxxx");
@mysql_select_db("xxxxx_DB") or die( "<CENTER> The DB could not be found.");

if ($HTTP_POST_VARS['command'] == 'forgot' &&
strlen($_POST['email'] <= 50)) {

$email = addslashes($_POST['email']);
$query = "select * FROM users WHERE email = '$email'";
$result = mysql_query($query);
$num = mysql_numrows($result);
if ($num > 0) {


$alphanum =
array('a','b','c','d','e','f','g','h','i','j','k','m','n','o',
'p','q','r','s','t','u','v','x','y','z','A','B','C','D','E',
'F','G','H','I','J','K','M','N','P','Q','R','S','T','U',
'V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9');

srand((double)microtime()*1000000);
$chars = sizeof($alphanum);
$a = time();
mt_srand($a);
for ($i=0; $i < 6; $i++) {
$randnum = intval(mt_rand(0,56));
$password = $alphanum[$randnum];
}
$sql = "UPDATE users SET password='".md5($password)."', .temppass($password) = 1 WHERE users = '$email' en password = '$password'";
$result = mysql_query($sql) or die(mysql_error()); 
$to = $_POST['email'];
$from = "xxxxxx@xxxxxxx.xx";
$subject = "New password";
$msg = <<< EOMSG
Your new password is:
$password
Please log in at this URL:
http://localhost/login.html
Then go to this address to change your password:
http://localhost/changepass.php
EOMSG;
$mailsend = mail("$to","$subject","$msg","From:
$from\r\nReply-To:xxxxxxxx@xxxx.xx");

if ($email) {
echo "The information is been send succenfully; $email";
} else {
echo "Failde sending a email.<br><br>";
}

} else {
echo "This email adress could not be found in DB.<br><br>";}
}

?>

Posted: Tue Mar 21, 2006 4:46 am
by NAT
scrotaye wrote: I also think this is the query you're looking for

$sql = "UPDATE `users` SET `password` = '" . md5($password) . "' WHERE `users` = '$email'";

I tried that one and I get:

Unknown column 'users' in 'where clause'

So I changed it to

$sql = "UPDATE 'users' SET 'password' = '" . md5($password) . "' WHERE 'users' = '$email'";

I get this:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' SET 'password' = '5206560a306a2e085a437fd258eb57ce' WHE

Posted: Tue Mar 21, 2006 5:02 am
by jayshields
You need to read up on basic MySQL, start with the manual.

As for now, let me try to help you.

scrotaye's code was probably correct; he is presuming your field for the user email is called users and, by looking at your error, he guessed wrong. Use scrotaye's suggestion, but change `users` = '$email' to `whateveryourfieldnameis` = '$email'.

Also, you are attempting to use single quotes instead of backticks. Single quotes need to surround strings in MySQL, whereas backticks can be used to surround field/table names optionally.

A single quote is

'

A backtick is

`

So just use scrotaye's example, but change the field name, and it might work.
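
The reset step from this thread with its remaining weak points addressed, as an added example that is not part of the original posts: the password comes from random_int() instead of mt_rand() seeded with time(), it is stored with password_hash() instead of md5(), and the UPDATE uses bound parameters. It assumes PHP 7.1+ with PDO and the sqlite driver (an in-memory database stands in for MySQL), the users table with email and password columns as in the thread's queries, and a login script that checks with password_verify(); the function names, alphabet and sample data are made up for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, PDO with the
// sqlite driver, and a users table with email and password columns.

function generate_password(int $length = 12): string
{
    // Same idea as the thread's $alphanum: look-alike characters left out.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;     // bound derived from the alphabet itself
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG, so there is no time-based
        // seed to guess; .= appends, building the full-length password.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Returns the new plaintext password to mail out, or null if nothing changed.
function reset_password(PDO $db, string $email): ?string
{
    if (strlen($email) > 50) {        // length check on the string itself
        return null;
    }
    $password = generate_password();
    // Bound parameters keep the email and the hash out of the SQL text.
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE email = :email');
    $stmt->execute([
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // salted, slow
        ':email' => $email,
    ]);
    return $stmt->rowCount() === 1 ? $password : null;
}

// Constructed demo data; an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES ('user@example.test', 'old-value')");

$new = reset_password($db, 'user@example.test');
$stored = $db->query('SELECT password FROM users')->fetchColumn();
var_dump(password_verify($new, $stored));   // check stored hash against the mailed password
var_dump(reset_password($db, "o'brien@example.test")); // unknown address containing a quote
```

Because rowCount() reports whether a row was actually updated, the caller can send the mail only when reset_password() returns a password.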

Posted: Tue Mar 21, 2006 5:13 am
by NAT
you whore right, i did not c that. it works now. :)

Thanks all

Posted: Tue Mar 21, 2006 5:23 am
by Maugrim_The_Reaper
I hope not...;) Spelling...

Posted: Tue Mar 21, 2006 5:50 am
by NAT
You r right :?