14 replies to this topic

[Mr-Chidi]

Hi all,

Below is a code to reset forgoten password, but i do not know why i cannot login with the resetted password?

ps: echo $password is to get the echoed password so that i can login with it.

Thanks

<?php

if(isset($_POST['submit'])){
	
	
	
	$email = addslashes(htmlentities($_POST['email']));
	
	if($email == ''){
		echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
	}
	elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
		echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
	}else{
		$q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query($q);
		if(mysql_num_rows($r)== 1){

		// Generate a random password
		$password = "";
		$alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
		$rand_key = array_rand($alpha, 6);
		foreach ($rand_key as $curKey){
		$password .= $alpha[$curKey];
		echo $password;
}
		echo "<br><br>";
		$crypt_pass = md5($password);
				
		//update the user password
		$q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query ($q) or die('Cannot complete update');
		
		//send mail
		$to = "jamboree@yahoo.com"; //$_POST['email'];
		$from = "forgot@example.com";
		$subject = "New password";
		$msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n
				Please log in at this URL: http://localhost/login.html \n
				Then go to this address to change your password: http://localhost/changepass.php";
				
		$success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
		
		if($success){
			echo "Password have been sent to you email address";
		}
		
		}else{
			echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
		}
	}

}

?>

[DavidAM]

$crypt_pass = md5($password);

Is this exactly the same thing you do to the password provided by the user on the login page? I mean exactly. You should create a common function named something like hashPassword() and use that function in your registration page, login page, and reset page; so you know you are doing the same in all three places. Then if you ever decide to use a different algorithm, you only have to change it in one place --- by the way, using MD5 with no salt is NOT a good idea, MD5 (alone) is too easy to hack (google "rainbow tables").

$email = addslashes(htmlentities($_POST['email']));

This is not the way to retrieve user input from POST fields. Each of those functions, addslashes() and htmlentities() have specific purposes not related to retrieving user data. The only thing you should do to POST (or GET) fields is stripslashes() and that only if magic_quotes is on (which it should not be).

By the way,

$rand_key = array_rand($alpha, 6);
foreach ($rand_key as $curKey){
  $password .= $alpha[$curKey];
  echo $password;
}

could be done without the foreach.

$rand_key = array_rand($alpha, 6);
$password = implode('', $rand_key);
echo $password;

(That's an empty string in the implode() call.)

[AyKay47]

Adding to what DavidAM has already mentioned regarding passwords, using hashing algorithms such as MD5, SHA1 and SHA256 is discouraged as these algorithms are trivial to crack.
A hashing function such as crypt() implementing an algorithm such as CRYPT_BLOWFISH coupled with a correctly formatted salt provides the most "computationally expensive" algorithm.
Ergo making it extremely difficult and near impossible for an attacker to crack.

[Mr-Chidi]

Thanks all.
Regarding password encryption and security, will it be good if one do something like:

$pass = crypt(sha1(md5($password)));

will it be a good practice?

thanks

[Christian F.]

No, it will not. Both MD5 and SHA1 reduces the entropy, making the crypt () severely limited in what output it can give. A chain is no stronger than its weakest link, after all.
Besides, you're still not using an individual salt.

I strongly recommend that you read this thread, and the articles/videos linked to in it:
http://forums.phpfre...g-and-security/

[Mr-Chidi]

Hi all.
@DavidAM, you asked if my login page is same hashing as my reset password page? Yes they are the same.

PS: I tried using crypt for password hashing and did not work for me. It doesnt login

Below is both codes:

Login page

<?php
if(isset($_POST['login'])){

$tbl_name="reg_users";

// Define $myusername and $mypassword 
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

if($username == ''){
	$err1 = "<font color='red' size='-2'><b>Pls Enter Username</b></font>";
}
if($password == ''){
	$err2 = "<font color='red' size='-2'><b>Pls Enter Password</b></font>";
}else{

$crypt_pass = md5($password);

//check for existance of username and password
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$crypt_pass'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
	
// Register username and password and redirect to login page"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

header("location: ../onlineservices/uhm.php");
exit();
}
else {
//if no match found, echo out error message
echo "<font color='red' size='2'><b>Invalid Username or Password</b></font><br>";
}	}
 }
ob_end_flush();
?>

Reset password Code

<?php

if(isset($_POST['submit'])){
	
	$email = stripslashes($_POST['email']);
	
	if($email == ''){
		echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
	}
	elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
		echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
	}else{
		$q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query($q);
		if(mysql_num_rows($r)== 1){

		// Generate a random password
		$password = "";
		$alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
		$rand_key = array_rand($alpha, 6);
		foreach ($rand_key as $curKey){
		$password .= $alpha[$curKey];
		echo $password;
}
		echo "<br><br>";
		$crypt_pass = md5($password);
		echo $crypt_pass;

		
		//update the user password
		$q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query ($q) or die('Cannot complete update');
		
		//send mail
		$to = "jamboree@yahoo.com"; //$_POST['email'];
		$from = "forgot@example.com";
		$subject = "New password";
		$msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n
				Please log in at this URL: http://localhost/login.html \n
				Then go to this address to change your password: http://localhost/changepass.php";
				
		$success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
		
		if($success){
			echo "Password have been sent to you email address";
		}
		
		}else{
			echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
		}
	}

}

?>

[AyKay47]

Show us code where you are using crypt so we can help you. There are examples in the manual of how to properly use crypt
DO NOT use MD5 hashing for passwords.

Edited by AyKay47, 25 February 2013 - 10:18 AM.

[Mr-Chidi]

@aykay, I'd like to deal with this md5 that I can login with and when I get the reset working then I'd try to implement the crypt. thanks all same.

ps: I can login with the login page, what I can't do is login with the reset password.

thanks all.

[Jessica]

Did you verify in the database that the password did get changed?

[Christian F.]

I recommend that you read DavidAM's post again, and implement all of the recommendations he has listed. He even touched upon what might be the reason why you cannot log in after resetting the password.

[Mr-Chidi]

@aykay, but what I did with crypt was I changed the md5 to crypt. that is:
$crypt_pass = crypt($password);

[Mr-Chidi]

@jessica yes I verified and its changing.
@christian, I've read Davids post over & over. my login function is same with the reset. I even had to register new users just to verify and they all can login but after reset, the generated password won't login. above is my login and reset script.

thanks

[Christian F.]

You are still manipulating the data upon retrieval, contrary to what he stated in his post.

// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

What do you think happens when you hash a password that has been modified, vs one that has not?

[Joshua F]

@aykay, but what I did with crypt was I changed the md5 to crypt. that is:
$crypt_pass = crypt($password);

 

You should read crypt() for how it should be used. It's a little harder than doing what you posted but it is well worth it.

[Christian F.]

I would also recommend reading the post I linked to in my first reply, as it contains a lot more information. As well as links to ready-made frameworks/classes, which makes adding a secure login to your site very easy.

Still, for learning purposes creating your own login system is very useful. Just don't ever put it into production!