emailing a forgotten password

Questions about the MySQL, PostgreSQL, and most other databases, as well as using it with PHP can be asked here.

RobRem
Forum Newbie
Posts: 4
Joined: Tue Jul 25, 2006 11:54 am

emailing a forgotten password

Post by RobRem »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I have a simple script which I would like to use to e-mail someone who forgets their password. The script is logically fine, except for one minor detail: when I email the password, it is the hash stored in the MySQL database, not the password itself.
Here is the code:

Code:

// Escape the posted values before they are placed in the query string
$firstname = mysql_real_escape_string($_POST['firstname'], $conn);
$lastname  = mysql_real_escape_string($_POST['lastname'], $conn);

// Create the SQL statement
$sqlSearchStmt = "SELECT userName, password, email FROM user_table WHERE firstname = '$firstname' AND lastname = '$lastname'";

$result = mysql_query($sqlSearchStmt, $conn) or die(mysql_error());

if (mysql_num_rows($result) == 1) { // there's a match, send an email to the user
  $userEmail = mysql_result($result, 0, 'email'); // OK
  $userName  = mysql_result($result, 0, 'userName'); // OK
  $password  = mysql_result($result, 0, 'password'); // PROBLEM: this comes back as the hash of the password, not the password itself.
  $subject = "Password for the Forum";
  $msg = "Your username is $userName and your password is $password.";

  mail($userEmail, $subject, $msg);
}
My question is, when I insert the password into the database, I use the following syntax in the SQL INSERT statement:
INSERT into users_table values ( ... password('userPassword'), .... );
Is there a similar function you need to use to "decode" the password when getting it OUT of the database? If there isn't a function to use, how do you do it?

Thank you,
Rob



Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

You can't reverse a hash... it's one-way. You can reset the password and send them the reset password. That's what I do. :D
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Generate a new password for them and store it in a column like `new_password`. Once they sign in with this password wipe that field and move that password to the regular password column.
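As an added example (not code from this thread or any of its posters), here is John Cartwright's `new_password` flow written out in PHP. It assumes PDO with an in-memory SQLite table, `password_hash`/`password_verify` for every stored hash, an assumed `new_password_expires` column so the temporary password dies after an hour, and the `user_table` name from the first post.

```php
<?php
// Added example (not from this thread): Jcart's new_password flow on an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE user_table (userName TEXT PRIMARY KEY, email TEXT, password TEXT,
           new_password TEXT, new_password_expires INTEGER)");

function registerUser(PDO $db, string $user, string $email, string $pw): void {
    $st = $db->prepare("INSERT INTO user_table VALUES (?, ?, ?, NULL, NULL)");
    $st->execute([$user, $email, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Forgot-password request: store only the hash of a random one-time password (one hour
// lifetime) and hand the clear text back once so the caller can put it in the mail() body.
function issueTemporaryPassword(PDO $db, string $email): ?string {
    $st = $db->prepare("SELECT userName FROM user_table WHERE email = ?");
    $st->execute([$email]);
    if ($st->fetchColumn() === false) return null;    // unknown address: nothing to send
    $temp = bin2hex(random_bytes(12));                 // 96 random bits, not guessable
    $st = $db->prepare("UPDATE user_table SET new_password = ?, new_password_expires = ? WHERE email = ?");
    $st->execute([password_hash($temp, PASSWORD_DEFAULT), time() + 3600, $email]);
    return $temp;
}

// Login: the regular hash is tried first; the temporary hash is accepted only while it is
// unexpired, and on success it is moved into the regular column and wiped, so it works once.
function login(PDO $db, string $user, string $pw): bool {
    $st = $db->prepare("SELECT password, new_password, new_password_expires FROM user_table WHERE userName = ?");
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row) return false;
    if (password_verify($pw, $row['password'])) return true;
    if ($row['new_password'] !== null && time() < (int)$row['new_password_expires']
        && password_verify($pw, $row['new_password'])) {
        $st = $db->prepare("UPDATE user_table SET password = new_password, new_password = NULL,
                            new_password_expires = NULL WHERE userName = ?");
        $st->execute([$user]);
        return true;
    }
    return false;
}

// Constructed sample run (the user, address and passwords are made up)
registerUser($db, 'rob', 'rob@example.com', 'old-secret');
$temp = issueTemporaryPassword($db, 'rob@example.com');   // this is what the e-mail would carry
assert(!login($db, 'rob', 'wrong'));                      // unrelated guess is rejected
assert(login($db, 'rob', $temp));                         // temporary password accepted and moved
assert(!login($db, 'rob', 'old-secret'));                 // previous password no longer works
```

The database only ever holds hashes, so a leaked table still gives nobody a usable password, and the mailed value is useless once it has been consumed or has expired.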
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Ya - you REALLY don't want to send account passwords via email. Email protocols are horribly insecure. Do what ~Jcart said.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I agree with the other posters here. The security implications in using/sending unhashed passwords are enormous. Very few sites actually do this. They will more often send you a new password which you can change when logging in again or even display the password to you on the screen for you to use immediately (though fewer and fewer sites are doing things this way).