Everything posted by I-AM-OBODO

  1. @aykay, I'd like to deal with this md5 that I can log in with, and when I get the reset working then I'd try to implement the crypt. Thanks all the same. PS: I can log in with the login page; what I can't do is log in with the reset password. Thanks all.
  2. Hi all. @DavidAM, you asked if my login page uses the same hashing as my reset password page? Yes, they are the same. PS: I tried using crypt for password hashing and it did not work for me. It doesn't log in. Below are both codes:

     Login page

         <?php
         if(isset($_POST['login'])){
             $tbl_name="reg_users";

             // Define $myusername and $mypassword
             $username=$_POST['username'];
             $password=$_POST['password'];

             // To protect MySQL injection
             $username = stripslashes($username);
             $password = stripslashes($password);
             $username = mysql_real_escape_string($username);
             $password = mysql_real_escape_string($password);

             if($username == ''){
                 $err1 = "<font color='red' size='-2'><b>Pls Enter Username</b></font>";
             }
             if($password == ''){
                 $err2 = "<font color='red' size='-2'><b>Pls Enter Password</b></font>";
             }else{
                 $crypt_pass = md5($password);

                 //check for existence of username and password
                 $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$crypt_pass'";
                 $result=mysql_query($sql);

                 // Mysql_num_row is counting table row
                 $count=mysql_num_rows($result);

                 // If result matched $myusername and $mypassword, table row must be 1 row
                 if($count==1){
                     // Register username and password and redirect to login page
                     $_SESSION['username'] = $username;
                     $_SESSION['password'] = $password;
                     header("location: ../onlineservices/uhm.php");
                     exit();
                 }
                 else {
                     //if no match found, echo out error message
                     echo "<font color='red' size='2'><b>Invalid Username or Password</b></font><br>";
                 }
             }
         }
         ob_end_flush();
         ?>

     Reset password code

         <?php
         if(isset($_POST['submit'])){
             $email = stripslashes($_POST['email']);
             if($email == ''){
                 echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
             }
             elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
                 echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
             }else{
                 $q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
                 $r = mysql_query($q);
                 if(mysql_num_rows($r)== 1){
                     // Generate a random password
                     $password = "";
                     $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
                     $rand_key = array_rand($alpha, 6);
                     foreach ($rand_key as $curKey){
                         $password .= $alpha[$curKey];
                         echo $password;
                     }
                     echo "<br><br>";
                     $crypt_pass = md5($password);
                     echo $crypt_pass;

                     //update the user password
                     $q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
                     $r = mysql_query ($q) or die('Cannot complete update');

                     //send mail
                     $to = "[email protected]"; //$_POST['email'];
                     $from = "[email protected]";
                     $subject = "New password";
                     $msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n Please log in at this URL: http://localhost/login.html \n Then go to this address to change your password: http://localhost/changepass.php";
                     $success = mail("$to","$subject","$msg","From: $from\r\nReply-To:[email protected]");
                     if($success){
                         echo "Password have been sent to you email address";
                     }
                 }else{
                     echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
                 }
             }
         }
         ?>
  3. Thanks all. Regarding password encryption and security, will it be good if one does something like: $pass = crypt(sha1(md5($password))); Will it be a good practice? Thanks
  4. Hi all, below is a code to reset a forgotten password, but I do not know why I cannot log in with the reset password? PS: echo $password is to get the echoed password so that I can log in with it. Thanks

         <?php
         if(isset($_POST['submit'])){
             $email = addslashes(htmlentities($_POST['email']));
             if($email == ''){
                 echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
             }
             elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
                 echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
             }else{
                 $q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
                 $r = mysql_query($q);
                 if(mysql_num_rows($r)== 1){
                     // Generate a random password
                     $password = "";
                     $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
                     $rand_key = array_rand($alpha, 6);
                     foreach ($rand_key as $curKey){
                         $password .= $alpha[$curKey];
                         echo $password;
                     }
                     echo "<br><br>";
                     $crypt_pass = md5($password);

                     //update the user password
                     $q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
                     $r = mysql_query ($q) or die('Cannot complete update');

                     //send mail
                     $to = "[email protected]"; //$_POST['email'];
                     $from = "[email protected]";
                     $subject = "New password";
                     $msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n Please log in at this URL: http://localhost/login.html \n Then go to this address to change your password: http://localhost/changepass.php";
                     $success = mail("$to","$subject","$msg","From: $from\r\nReply-To:[email protected]");
                     if($success){
                         echo "Password have been sent to you email address";
                     }
                 }else{
                     echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
                 }
             }
         }
         ?>
  5. I don't understand what you mean by literal string of password? Is not the value of the randomly generated password parsed to the $password variable? If not, why does the variable $password echo out the values? And how would the value be assigned to a variable? Thanks
  6. This is the complete code and query. Thanks

         <?php
         if(isset($_POST['submit'])){
             $email = addslashes(htmlentities($_POST['email']));
             if($email == ''){
                 echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
             }
             elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
                 echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
             }else{
                 $q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
                 $r = mysql_query($q);
                 if(mysql_num_rows($r)== 1){
                     // Generate a random password
                     $password = "";
                     $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
                     $rand_key = array_rand($alpha, ;
                     foreach ($rand_key as $curKey){
                         $password .= $alpha[$curKey];
                         echo $password;
                     }

                     //update the user password
                     $q = "UPDATE tablename SET password = '".md5('$password')."' WHERE email = '$email' AND Sec_no = '$_SESSION[sec_no]'";
                     $r = mysql_query ($q) or die('Cannot complete update');

                     //send mail
                     $to = $_POST['email'];
                     $from = "[email protected]";
                     $subject = "New password";
                     $msg = "You recently requested that we send you a new password for ubs-bank.com. Your new password is: $password.\n Please log in at this URL: http://localhost/login.html \n Then go to this address to change your password: http://localhost/changepass.php";
                     $success = mail("$to","$subject","$msg","From: $from\r\nReply-To:[email protected]");
                     if($success){
                         echo "Password have been sent to you email address";
                     }
                 }else{
                     echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
                 }
             }
         }
         ?>
  7. Hi all. I noticed that on the database, the password doesn't change even after multiple tries? I echoed out the password on the browser, it changes but on the database it doesn't. What could be the cause? PS: I have modified the code to adapt to both your suggestions.

         <?php
         $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
         $rand_key = array_rand($alpha, ;
         foreach ($rand_key as $curKey){
             $password .= $alpha[$curKey];
             echo $password;
         ?>

     Thanks
  8. thanks Cyberrobot & Jessica. @jessica, yes that's why I omitted 1 & 0 and thanks again.
  9. Oops! I forgot to declare what value $password holds. In case anyone might find this of value, the solution to this is to declare $password at the beginning of the password array, thus: $password ="";
  10. Oops! I forgot the code earlier:

         <?php
         $alphanum = array('a','b','c','d','e','f','g','h','i','j','k','m','n','o',
             'p','q','r','s','t','u','v','x','y','z','A','B','C','D','E',
             'F','G','H','I','J','K','M','N','P','Q','R','S','T','U',
             'V','W','X','Y','Z','2','3','4','5','6','7','8','9');
         $chars = sizeof($alphanum);
         $a = time();
         mt_srand($a);
         for ($i=0; $i < 6; $i++) {
             $randnum = intval(mt_rand(0,56));
             $password .= $alphanum[$randnum];
             echo $password;
         }
         ?>
  11. Hi all. Pls, what could be wrong with this code? It's saying undefined variable "password". PS: if there's a better way, pls I won't mind knowing it. Thanks
  12. well said. thanks.
  13. What's the difference between my method ( if($uname == ""){ echo " user empty "; } and $hasError = false; if($uname == ""){ $hasError = true; })? Is there any security threat or anything that mars the code, or is mine a bad practice? Just curious to know so as to refrain from the practice. Thanks
  14. Sorry, but I don't get you. Could you pls paint a picture for me? Thanks
  15. Hi. I know next to nothing about JavaScript but I want something done and I believe it's JavaScript that can do it for me. I want to integrate/add an uploading metre to my PHP code, so that when a user is transferring or uploading a file, it shows/pops out the metre to indicate the percentage done. Thanks
  16. Thanks all.
  17. Thanks all. Maybe I am not making myself clear enough. I know both the security number and username will validate at the same time and that is exactly how I want it to run. The problem however is: echo "<font color='red'><b>user is invalid</b></font> I actually want it to validate if all other conditions are false, but it validates even when the security number is empty, which is not what I want. Thanks
  18. Thanks all. That settles it! And that said, I'll deep my head down and improve my skills before delving into frameworks. But what's stopping me from understanding classes? It beats me each time I try learning it and then I get stuck somewhere and I let it slide!!! Any easy tut, pointers? Thanks all. Do have a blast weekend!
  19. Hi all. My code runs fine but one problem: I want the "user is invalid" to validate last. I don't know why when I leave the security code empty and click submit, it brings out two validation errors, (1) security number missing (2) invalid user, but the idea is for the invalid user to be validated last. What could be the problem? (Hope I am getting my question right.) Secondly, I believe my coding needs pruning (not the right way); I wouldn't mind a correction on how to do it rightly. Thanks. Code below:

         <?php
         if(isset($_POST['submit'])){
             //post variables
             $sec_no = mysql_real_escape_string(stripslashes($_POST['sec_no']));
             $uname = mysql_real_escape_string(stripslashes($_POST['uname']));

             //validate entry
             if($sec_no == ''){
                 //$er1 = "<font color=red><b>Security Number Missing</b></font><br>";
                 echo "<font color=red><b>Security Number Missing</b></font><br>";
             }
             if($uname == ''){
                 //$er2 = "<font color='red'><b>Username Missing</b></font>";
                 echo "<font color='red'><b>Username Missing</b></font>";
             }else{
                 // check for valid user
                 $q = "SELECT * FROM reg_users WHERE username = '$uname' AND Security_no = '$sec_no'";
                 $r = mysql_query($q);
                 if(mysql_num_rows($r)==1){
                     $row = mysql_fetch_array($r);
                     if($row){
                         $p = substr ( md5(uniqid(rand(),1)), 3, 10);
                         $q = "UPDATE reg_users SET password = '".md5('$p')."' WHERE username = '$uname' AND Security_no = '$sec_no'";
                         $r = mysql_query($q);
                         if($r){
                             echo "<font color='blue'><b>password changed</b></font>";
                         }else{
                             echo "<font color='red'><b>password not changed this time</b></font>";
                         }
                     }
                 }
                 else{
                     echo "<font color='red'><b>user is invalid</b></font>";
                 }
             }
         }
         ?>
  20. So far nobody has mentioned CodeIgniter? Does that mean it's not too good a framework, or what are the advantages Symfony2 or Yii has over it? I really need something not too hard to learn because I'm not a guru with PHP itself. I know a handful of stuff in PHP & MySQL, e.g. I am trying with forms/logins, can manipulate data (mostly all I could do with PHP/MySQL is user, admin, register etc., stuff like that). I've not really mastered classes and I don't know why. I need serious pointers on how to go about it. Thanks all
  21. Hi all, I'm thinking of delving into PHP frameworks but want to know which is easiest to understand but good and robust. Thanks
  22. Thank you all. Finally I got it working. I tried both the 'BETWEEN' and '>= <='. The problem was that I omitted the apostrophe sign on the end date. '$end'. Thanks once again.
  23. @all thanks but still not working. I tried the BETWEEN statements and did a "where date <= $s and >= $end. all to no avail.
  24. Hi all, I am trying to get the result of all transactions made by a user between a given period of dates, i.e. from 2013-01-10 to 2013-01-30, but don't know how to get it done. I only get the result of just one date even when there are other dates and transactions by the user. Thanks all. This is what I did:

         <?php
         if(isset($_POST['search'])){
             $s = $_POST['start'];
             $end = $_POST['end'];
             if($s == ''){
                 echo "invalid Entry";
             }
             else{
                 $s = date('Y-m-d', strtotime(str_replace('-','/', $s)));
                 $end = date('Y-m-d', strtotime(str_replace('-','/', $end)));
                 $r = mysql_query("SELECT * FROM transaction WHERE username = '$_SESSION[username]' AND date LIKE '$s' AND $end ORDER BY date DESC") or die(mysql_error());
                 $num_rows = mysql_num_rows($r);
                 print "There are $num_rows records.<P>";
                 echo "<center><table border='1' bordercolor='#000000' cellpadding='1' cellspacing='1'> <tr> <th>Trans ID</th> <th>Trans Ref</th> <th>Sender Acct</th> <th>Receiver Acct</th> <th>Trans Status</th> <th>Date</th> </tr>";
                 while ($get_info = mysql_fetch_row($r)){
                     print "<tr>\n";
                     foreach ($get_info as $field)
                         print "\t<td><font face=arial size=2/>$field</font></td>\n";
                     print "</tr>\n";
                 }
                 print "</table>\n";
                 print "<br>";
                 mysql_close($link);
             }
         }
         ?>
  25. Thanks @dpiearcy. I found that I was actually checking for new password instead of the old one. It ought to select from where old instead of select from where new. Oversight! thanks
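
Added example, not part of the original posts or the poster's code: the reset code in posts 6 and 19 calls md5('$password') and md5('$p') in single quotes, which hashes the literal text of the variable name rather than the generated value, so the stored digest can never match what the login page computes. The sketch below shows that mismatch and a reset/login pair built on PHP's password_hash(), password_verify() and random_int() (PHP 7+); the $users array stands in for the reg_users table, and temp_password(), reset_password(), login() and 'demo_user' are hypothetical names.

```php
<?php
// Added example, not the poster's code. All values are constructed.

// Single quotes do not interpolate: md5('$password') hashes the literal
// text $password, so it differs from md5($password) for any real value.
$password = 'Xk7mPq';
echo "literal and value digests equal: ",
     var_export(hash_equals(md5('$password'), md5($password)), true), "\n";

// Temporary password drawn from a CSPRNG (random_int), not array_rand/mt_rand.
function temp_password(int $len = 12): string
{
    // Hypothetical alphabet: look-alike characters such as 0/O and 1/l left out.
    $alpha = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alpha[random_int(0, strlen($alpha) - 1)];
    }
    return $out;
}

// Assumption: $users stands in for the reg_users table (username => stored hash).
$users = [];

function reset_password(array &$users, string $username): string
{
    $plain = temp_password();
    // Salted, adaptive hash; salt and cost are encoded in the stored string.
    $users[$username] = password_hash($plain, PASSWORD_DEFAULT);
    return $plain; // handed to the user; only the hash is stored
}

function login(array $users, string $username, string $password): bool
{
    // Look the row up by username only, then verify in PHP. A salted hash
    // cannot be matched with "WHERE password = '...'" as the login page does.
    return isset($users[$username])
        && password_verify($password, $users[$username]);
}

$plain = reset_password($users, 'demo_user');
echo "login with reset password: ",
     var_export(login($users, 'demo_user', $plain), true), "\n";
echo "login with wrong password: ",
     var_export(login($users, 'demo_user', 'nope'), true), "\n";
```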