
emailing a forgotten password

Posted: Tue Jul 25, 2006 5:09 pm
by RobRem
feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I have a simple script which I would like to use to e-mail someone who forgets their password. The script is logically fine, except for one minor detail: when I email the password, it is the hash stored in the MySQL database, not the password itself.
Here is the code:

Code:

// Escape the POST values before putting them into the SQL, otherwise a crafted name
// can change the meaning of the query. $conn is the existing MySQL connection.
$firstname = mysql_real_escape_string($_POST['firstname'], $conn);
$lastname  = mysql_real_escape_string($_POST['lastname'], $conn);

// Create the SQL statement
$sqlSearchStmt = "SELECT userName, password, email FROM user_table WHERE firstname = '$firstname' AND lastname = '$lastname'";

$result = mysql_query($sqlSearchStmt, $conn) or die(mysql_error());

if (mysql_num_rows($result) == 1) { // there's a match, send an email to the user
  $userEmail = mysql_result($result, 0, 'email'); // OK
  $userName  = mysql_result($result, 0, 'userName'); // OK
  $password  = mysql_result($result, 0, 'password'); // PROBLEM: this comes back as the hash of the password, not the password itself.
  $subject   = "Password for the Forum";
  $msg       = "Your username is $userName and your password is $password.";

  mail($userEmail, $subject, $msg);
}

My question is, when I insert the password into the database, I use the following syntax in the SQL INSERT statement:

Code:

INSERT into users_table values ( ... password('userPassword'), .... );

Is there a similar function you need to use to "decode" the password when getting it OUT of the database? If there isn't a function to use, how do you do it?

Thank you,
Rob


Posted: Tue Jul 25, 2006 5:13 pm
by Luke
you can't reverse a hash... it's one-way. You can reset the password and send them the reset password. That's what I do. :D

Posted: Tue Jul 25, 2006 5:14 pm
by John Cartwright
Generate a new password for them and store it in a column like `new_password`. Once they sign in with this password wipe that field and move that password to the regular password column.
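The flow John Cartwright describes, worked through as an added example (this is not code from the thread or from any poster). It keeps the idea of a separate `new_password` column, but stores only a hash there and in the regular `password` column, gives the temporary password an expiry, and uses prepared statements instead of the string-built query in the original post. The schema, the column names, the expiry column and the use of an in-memory SQLite database through PDO are all assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not the thread's own code. Assumed schema: user_table with
// userName, email, password (hash), new_password (hash or NULL), new_password_expires.
declare(strict_types=1);

function connect(): PDO {
    // In-memory SQLite so the example runs offline; a real site would point PDO at MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_table (
        userName TEXT PRIMARY KEY,
        email TEXT NOT NULL,
        password TEXT NOT NULL,        -- hash of the current password
        new_password TEXT,             -- hash of the pending temporary password, or NULL
        new_password_expires INTEGER   -- unix time after which the temporary password is dead
    )');
    return $db;
}

function registerUser(PDO $db, string $user, string $email, string $plain): void {
    $stmt = $db->prepare('INSERT INTO user_table (userName, email, password) VALUES (:u, :e, :h)');
    $stmt->execute([':u' => $user, ':e' => $email, ':h' => password_hash($plain, PASSWORD_DEFAULT)]);
}

// Step 1: the "forgot password" handler. Generates a random temporary password, stores only
// its hash, and returns the plaintext once so the caller can mail it. The regular password is
// left untouched, so someone else requesting a reset cannot lock the real owner out.
function issueTemporaryPassword(PDO $db, string $email, int $ttlSeconds = 3600): ?string {
    $stmt = $db->prepare('SELECT userName FROM user_table WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $user = $stmt->fetchColumn();
    if ($user === false) {
        return null; // the caller should answer the same way whether or not the address exists
    }
    $temp = bin2hex(random_bytes(12)); // 24 hex characters, about 96 bits of entropy
    $upd = $db->prepare('UPDATE user_table SET new_password = :h, new_password_expires = :x WHERE userName = :u');
    $upd->execute([':h' => password_hash($temp, PASSWORD_DEFAULT), ':x' => time() + $ttlSeconds, ':u' => $user]);
    return $temp;
}

// Step 2: login. Tries the regular password first; if that fails, tries an unexpired temporary
// password. When the temporary one is used, its hash is moved into the regular column and the
// pending fields are wiped, which is the "wipe that field and move that password" step above.
function login(PDO $db, string $user, string $plain): bool {
    $stmt = $db->prepare('SELECT password, new_password, new_password_expires FROM user_table WHERE userName = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (password_verify($plain, $row['password'])) {
        return true;
    }
    $pending = $row['new_password'];
    if ($pending !== null
        && time() <= (int) $row['new_password_expires']
        && password_verify($plain, $pending)) {
        $upd = $db->prepare('UPDATE user_table SET password = :h, new_password = NULL, new_password_expires = NULL WHERE userName = :u');
        $upd->execute([':h' => $pending, ':u' => $user]);
        return true;
    }
    return false;
}

// Demo run with a constructed user (the address is a placeholder).
$db = connect();
registerUser($db, 'rob', 'rob@example.com', 'original-secret');
$temp = issueTemporaryPassword($db, 'rob@example.com');
// mail('rob@example.com', 'Temporary password', "Your temporary password is $temp") would go here.
var_dump(login($db, 'rob', 'original-secret')); // regular password while a reset is pending
var_dump(login($db, 'rob', $temp));              // temporary password: accepted and promoted
var_dump(login($db, 'rob', 'original-secret')); // the old password after promotion
var_dump(login($db, 'rob', $temp));              // the promoted password on a second login
```

Two design points worth noting: what gets mailed is a random one-time value with a short lifetime rather than anything the user chose, which limits the damage if the message is read in transit (pickle's concern below), and the first successful login with the temporary password should land the user on a change-password page so the mailed value is retired quickly.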

Posted: Tue Jul 25, 2006 5:38 pm
by pickle
Ya - you REALLY don't want to send account passwords via email. Email protocols are horribly insecure. Do what ~Jcart said.

Posted: Tue Jul 25, 2006 5:44 pm
by RobertGonzalez
I agree with the other posters here. The security implications in using/sending unhashed passwords are enormous. Very few sites actually do this. They will more often send you a new password which you can change when logging in again or even display the password to you on the screen for you to use immediately (though fewer and fewer sites are doing things this way).