Jump to content


Photo

Reset Password can't login


Best Answer Christian F., 26 February 2013 - 03:36 AM

I would also recommend reading the post I linked to in my first reply, as it contains a lot more information. As well as links to ready-made frameworks/classes, which makes adding a secure login to your site very easy.

Still, for learning purposes creating your own login system is very useful. Just don't ever put it into production! Go to the full post


  • Please log in to reply
14 replies to this topic

#1 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 23 February 2013 - 05:32 AM

Hi all,

Below is a code to reset forgoten password, but i do not know why i cannot login with the resetted password?

ps: echo $password is to get the echoed password so that i can login with it.

Thanks


<?php

if(isset($_POST['submit'])){
	
	
	
	$email = addslashes(htmlentities($_POST['email']));
	
	if($email == ''){
		echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
	}
	elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
		echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
	}else{
		$q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query($q);
		if(mysql_num_rows($r)== 1){

		// Generate a random password
		$password = "";
		$alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
		$rand_key = array_rand($alpha, 6);
		foreach ($rand_key as $curKey){
		$password .= $alpha[$curKey];
		echo $password;
}
		echo "<br><br>";
		$crypt_pass = md5($password);
				
		//update the user password
		$q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query ($q) or die('Cannot complete update');
		
		//send mail
		$to = "jamboree@yahoo.com"; //$_POST['email'];
		$from = "forgot@example.com";
		$subject = "New password";
		$msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n
				Please log in at this URL: http://localhost/login.html \n
				Then go to this address to change your password: http://localhost/changepass.php";
				
		$success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
		
		if($success){
			echo "Password have been sent to you email address";
		}
		
		}else{
			echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
		}
	}

}

?>

"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#2 DavidAM

DavidAM

    Advanced Member

  • Gurus
  • 1,974 posts
  • LocationSpring, TX USA

Posted 23 February 2013 - 10:03 AM

$crypt_pass = md5($password);

Is this exactly the same thing you do to the password provided by the user on the login page? I mean exactly. You should create a common function named something like hashPassword() and use that function in your registration page, login page, and reset page; so you know you are doing the same in all three places. Then if you ever decide to use a different algorithm, you only have to change it in one place --- by the way, using MD5 with no salt is NOT a good idea, MD5 (alone) is too easy to hack (google "rainbow tables").

$email = addslashes(htmlentities($_POST['email']));

This is not the way to retrieve user input from POST fields. Each of those functions, addslashes and htmlentities have specific purposes not related to retrieving user data. The only thing you should do to POST (or GET) fields is stripslashes and that only if magic_quotes is on (which it should not be).

By the way,

$rand_key = array_rand($alpha, 6);
foreach ($rand_key as $curKey){
  $password .= $alpha[$curKey];
  echo $password;
}

could be done without the foreach.

$rand_key = array_rand($alpha, 6);
$password = implode('', $rand_key);
echo $password;
(That's an empty string in the implode call.)
-- I haven't lost my mind, it's backed up on tape ... somewhere!

#3 AyKay47

AyKay47

    Sick!

  • Members
  • PipPipPip
  • 3,287 posts
  • LocationEast Coast, U.S.
  • Age:24

Posted 23 February 2013 - 12:25 PM

Adding to what DavidAM has already mentioned regarding passwords, using hashing algorithms such as MD5, SHA1 and SHA256 is discouraged as these algorithms are trivial to crack.
A hashing function such as crypt implementing an algorithm such as CRYPT_BLOWFISH coupled with a correctly formatted salt provides the most "computationally expensive" algorithm.
Ergo making it extremely difficult and near impossible for an attacker to crack.
Hola!
I'm not going to hold your hand and write the code for you - ain't nobody got time for that!

#4 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 24 February 2013 - 01:21 PM

Thanks all.
Regarding password encryption and security, will it be good if one do something like:

$pass = crypt(sha1(md5($password)));

will it be a good practice?

thanks
"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#5 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 24 February 2013 - 03:54 PM

No, it will not. Both MD5 and SHA1 reduces the entropy, making the crypt () severely limited in what output it can give. A chain is no stronger than its weakest link, after all.
Besides, you're still not using an individual salt.

I strongly recommend that you read this thread, and the articles/videos linked to in it:
http://forums.phpfre...g-and-security/
Keeping it simple.

#6 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 24 February 2013 - 11:46 PM

Hi all.
@DavidAM, you asked if my login page is same hashing as my reset password page? Yes they are the same.

PS: I tried using crypt for password hashing and did not work for me. It doesnt login

Below is both codes:

Login page
<?php
if(isset($_POST['login'])){

$tbl_name="reg_users";

// Define $myusername and $mypassword 
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

if($username == ''){
	$err1 = "<font color='red' size='-2'><b>Pls Enter Username</b></font>";
}
if($password == ''){
	$err2 = "<font color='red' size='-2'><b>Pls Enter Password</b></font>";
}else{

$crypt_pass = md5($password);

//check for existance of username and password
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$crypt_pass'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
	
// Register username and password and redirect to login page"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

header("location: ../onlineservices/uhm.php");
exit();
}
else {
//if no match found, echo out error message
echo "<font color='red' size='2'><b>Invalid Username or Password</b></font><br>";
}	}
 }
ob_end_flush();
?>


Reset password Code

<?php

if(isset($_POST['submit'])){
	
	$email = stripslashes($_POST['email']);
	
	if($email == ''){
		echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
	}
	elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
		echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
	}else{
		$q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query($q);
		if(mysql_num_rows($r)== 1){

		// Generate a random password
		$password = "";
		$alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
		$rand_key = array_rand($alpha, 6);
		foreach ($rand_key as $curKey){
		$password .= $alpha[$curKey];
		echo $password;
}
		echo "<br><br>";
		$crypt_pass = md5($password);
		echo $crypt_pass;

		
		//update the user password
		$q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
		$r = mysql_query ($q) or die('Cannot complete update');
		
		//send mail
		$to = "jamboree@yahoo.com"; //$_POST['email'];
		$from = "forgot@example.com";
		$subject = "New password";
		$msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n
				Please log in at this URL: http://localhost/login.html \n
				Then go to this address to change your password: http://localhost/changepass.php";
				
		$success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
		
		if($success){
			echo "Password have been sent to you email address";
		}
		
		}else{
			echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
		}
	}

}

?>


"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#7 AyKay47

AyKay47

    Sick!

  • Members
  • PipPipPip
  • 3,287 posts
  • LocationEast Coast, U.S.
  • Age:24

Posted 25 February 2013 - 10:18 AM

Show us code where you are using crypt so we can help you. There are examples in the manual of how to properly use crypt
DO NOT use MD5 hashing for passwords.

Edited by AyKay47, 25 February 2013 - 10:18 AM.

Hola!
I'm not going to hold your hand and write the code for you - ain't nobody got time for that!

#8 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 25 February 2013 - 10:23 PM

@aykay, I'd like to deal with this md5 that I can login with and when I get the reset working then I'd try to implement the crypt. thanks all same.

ps: I can login with the login page, what I can't do is login with the reset password.

thanks all.
"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#9 Jessica

Jessica

    This is not my name.

  • Gurus
  • 8,982 posts
  • LocationDallas, TX
  • Age:26

Posted 25 February 2013 - 10:33 PM

Did you verify in the database that the password did get changed?
My goal in replying to posts is to help you become a better programmer, including learning how to debug your own code and research problems. For that reason, rather than posting the solution, I reply with tips and hints on how to find the solution yourself. See below for useful links when you get stuck.

How to Get Good Help: How to Ask Questions | Don't be a help vampire
Debugging Your Code: Debugging your SQL | What does a php function do? | What does a term mean? | Don't see any errors?
Things You Should Do: Normalize Your Data | use print_r() or var_dump()
Lulz: "Functions should not have side effects." - trq

Please take a look at my new PHP/Web Dev blog: The Web Mason - Thanks!!

#10 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 25 February 2013 - 10:33 PM

I recommend that you read DavidAM's post again, and implement all of the recommendations he has listed. He even touched upon what might be the reason why you cannot log in after resetting the password.
Keeping it simple.

#11 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 25 February 2013 - 11:13 PM

@aykay, but what I did with crypt was I changed the md5 to crypt. that is:
$crypt_pass = crypt($password);
"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#12 Mr-Chidi

Mr-Chidi

    Advanced Member

  • Members
  • PipPipPip
  • 171 posts
  • LocationNigeria

Posted 26 February 2013 - 03:04 AM

@jessica yes I verified and its changing.
@christian, I've read Davids post over & over. my login function is same with the reset. I even had to register new users just to verify and they all can login but after reset, the generated password won't login. above is my login and reset script.

thanks
"Every problem is intrinsically and inherently pregnant with some positive possibilities".

#13 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 26 February 2013 - 03:19 AM

You are still manipulating the data upon retrieval, contrary to what he stated in his post.
// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

What do you think happens when you hash a password that has been modified, vs one that has not?
Keeping it simple.

#14 Joshua F

Joshua F

    Advanced Member

  • Members
  • PipPipPip
  • 205 posts

Posted 26 February 2013 - 03:21 AM

@aykay, but what I did with crypt was I changed the md5 to crypt. that is:
$crypt_pass = crypt($password);

 

You should read crypt for how it should be used. It's a little harder than doing what you posted but it is well worth it.



#15 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • LocationNorway

Posted 26 February 2013 - 03:36 AM   Best Answer

I would also recommend reading the post I linked to in my first reply, as it contains a lot more information. As well as links to ready-made frameworks/classes, which makes adding a secure login to your site very easy.

Still, for learning purposes creating your own login system is very useful. Just don't ever put it into production!
Keeping it simple.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Cheap Linux VPS from $5
SSD Storage, 30 day Guarantee
1 TB of BW, 100% Network Uptime

AlphaBit.com