getting passwords from the database


19 replies to this topic

#1 BillyBoB

BillyBoB
  • Members
  • Advanced Member
  • 630 posts

Posted 14 July 2006 - 10:16 PM

How do I get a password from the database and change it back from MD5? I'm trying to send the user their password in an email in case they lose it. Please help, I'm almost done with my site.

#2 dptr1988

dptr1988
  • Members
  • Advanced Member
  • 372 posts

Posted 14 July 2006 - 10:20 PM

You can't get a password from the md5 hash of it. Well.... at least not in your lifetime ;).

Try generating a new password and saving it in the database then send that new password to the user.


Disclaimer: Free advice is usually worth what you paid for it. ( or at least when it's coming from me! )

#3 pixy

pixy
  • Members
  • Advanced Member
  • 295 posts

Posted 14 July 2006 - 10:23 PM

When you send it to the database, you should encrypt it with SHA() and then when you pull it back out, see if the SHA() version of the inputted password matches the password in the database.

This is a .44 Caliber Loveletter straight through my heart.

Tabulas + Threadless + Hire Me!


#4 BillyBoB

Posted 14 July 2006 - 10:24 PM

I guess I could do something like send them an email with a link like

site.com/change.php?id=**&email=*****@***.com&key=randomnumber_set_on_database

I could do this, right?

#5 treilad

treilad
  • Members
  • Advanced Member
  • 58 posts

Posted 14 July 2006 - 10:25 PM

I think if you perhaps register a new user, and then switch the MD5 hash for the new user with the user who lost his/her password, and then send them the password you used for the new user, you should be good.

Worked fine for me. ^^

#6 BillyBoB

Posted 14 July 2006 - 10:28 PM

Yeah, I could do that, but the one person could get ahold of the pass I change it to and just overtake all the users just by looking at their profile and email and doing the lost pass page.

#7 treilad

Posted 14 July 2006 - 10:30 PM

Hmm.  :-\

Not sure I follow. But if it won't work, don't do it.

Good luck.

#8 pixy

Posted 14 July 2006 - 10:32 PM

To BillyBob, you shouldn't send information through the $_GET url--it's not secure. You don't want the user to be able to just view all the stuff, especially if you are submitting things in hidden fields you DON'T want the user to change.

Here's an example:
<?php
if (isset($_POST['submitted'])) {
    if (!empty($_POST['username'])) {
        $username = $_POST['username'];
    }
    else {
        echo 'You did not enter a username.';
        die();
    }
    if (!empty($_POST['password'])) {
        $password = $_POST['password'];
    }
    else {
        die ('You did not type a password!');
    }
    $query = "SELECT * FROM users WHERE username='$username' AND password=SHA('$password')";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) {
        // Set cookies or sessions here
        echo 'You have been logged in!';
    }
    else {
        echo 'Your username and password did not match any in record.';
    }
}
else {
    echo '<form action="file.php" method="post">
    <b>Username:</b> <input type="text" name="username">
    <b>Password:</b> <input type="password" name="password">
    <input type="hidden" name="submitted" value="TRUE">
    <input type="submit" name="submit" value="Log In">
    </form>';
}
?>

Then, when you register the user, insert SHA('$password') into the database. That way, if someone gains access to the database they can't just log in to people's accounts.

You would, of course, want to do something to validate $username and $password to protect from mysql_injection. I have an escape_data function I created for that, you can let me know if you want me to post it.

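An added example, not part of pixy's post or the original thread: the same login check written with PDO prepared statements and PHP's password_hash()/password_verify() instead of interpolated SQL and unsalted SHA(). The in-memory SQLite database (needs pdo_sqlite), the function names and the sample account are assumptions made so the block runs on its own.

```php
<?php
// Added example. In-memory SQLite via PDO; the users table mirrors the one in
// the post, everything else here is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() adds a per-user salt and uses a deliberately slow algorithm.
    $q = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $q->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $username, string $password): bool {
    // Placeholders keep user input out of the SQL text entirely.
    $q = $db->prepare('SELECT password FROM users WHERE username = ?');
    $q->execute([$username]);
    $hash = $q->fetchColumn();
    // A salted hash cannot be matched in the WHERE clause, so verify it in PHP.
    return $hash !== false && password_verify($password, $hash);
}

// The interpolated query from the post, built but never executed, to show
// how a quote in the input changes the statement itself.
function legacy_query(string $username, string $password): string {
    return "SELECT * FROM users WHERE username='$username' AND password=SHA('$password')";
}

register_user($db, "O'Brien", 'correct horse');   // constructed sample account
echo legacy_query("O'Brien", 'x'), "\n";          // the quote ends the string literal early
var_dump(check_login($db, "O'Brien", 'correct horse'));
var_dump(check_login($db, "O'Brien", 'wrong guess'));
var_dump(check_login($db, 'nobody', 'correct horse'));
```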


#9 BillyBoB

Posted 14 July 2006 - 10:33 PM

If I made the script make a new pass, the new pass for the lost pass would always be the same. That way anyone with any smarts could just do the lost password for all members with their email from their profile, then it would have changed the pass in the database and they could enter it in. See what I'm saying?

#10 pixy

Posted 14 July 2006 - 10:37 PM

^ No, you shouldn't do that. As you said, someone would figure it out.

You should create a random string of letters and numbers (you can use md5(), uniqid(), and rand() for that) and insert the random password into the database. Then send them an email with the randomly generated password. Then, when they log into their account they can change it to whatever they want.


#11 BillyBoB

Posted 14 July 2006 - 10:40 PM

You don't get what I'm trying to accomplish. I'm making a page to recover their password, and I don't have info that I can use from the user to make sure that's the user, but I could send the user an email, then put a random number into the database, then send them a link like

http://site.com/chan..._the_random_num

Both the id and the random number are something that they can't get just by looking at the profile.

#12 BillyBoB

Posted 14 July 2006 - 10:41 PM

Then make a page called changepass.php which will allow them to change it.

#13 pixy

Posted 14 July 2006 - 10:45 PM

If you encrypted the password with SHA() or MD5() YOU CANNOT DECRYPT IT. That's kind of "the point."

I'm sure there's a function called encode() and decode() that allows it to be decoded, but if it can be decoded that defeats the purpose.

Like I said before, if they forget their password, have a place for them to put in their email address and it'll send the username and new random password to the email. Then they can change it by logging in.

When you told someone to make a page to change the password, were you talking to me?


#14 treilad

Posted 14 July 2006 - 11:11 PM

Think he meant that's what he is trying to accomplish.

#15 BillyBoB

Posted 14 July 2006 - 11:17 PM

Dude, you're like reading all my posts backwards, aren't you?

I'm going to make a changepass.php, then give them a link
to it in the email that has their id, email and confirm number in the URL,
then randomly make a number which will be the confirm on the lostpass page and store it.

I was wondering if it would work well.
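An added example, not part of the original thread, of the e-mailed confirmation-key flow BillyBoB describes: the key comes from PHP's CSPRNG, only its hash is stored, it expires, and it can be redeemed once. Table, column and function names and the site.example URL are assumptions; the key alone identifies the request, so no id or email is put in the link. Needs PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example. In-memory SQLite via PDO so it runs on its own; schema is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO users (email, password) VALUES (?, ?)')   // constructed sample user
   ->execute(['alice@example.test', password_hash('old password', PASSWORD_DEFAULT)]);

// lostpass page: returns the key to e-mail, or null when the address is unknown.
// The page should print the same message in both cases.
function issue_reset_token(PDO $db, string $email, int $ttl = 3600): ?string {
    $q = $db->prepare('SELECT user_id FROM users WHERE email = ?');
    $q->execute([$email]);
    $id = $q->fetchColumn();
    if ($id === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    // Only a hash is stored, so a leaked table does not contain usable links.
    // REPLACE drops any earlier outstanding key for the same user.
    $q = $db->prepare('REPLACE INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $q->execute([$id, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// changepass page: sets the new password only for a known, unexpired key.
function redeem_reset_token(PDO $db, string $token, string $newPassword): bool {
    $q = $db->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?');
    $q->execute([hash('sha256', $token)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password = ? WHERE user_id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    // Deleting the row makes the key single-use.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$row['user_id']]);
    $db->commit();
    return true;
}

$token = issue_reset_token($db, 'alice@example.test');
echo "https://site.example/changepass.php?key=$token\n";
var_dump(redeem_reset_token($db, $token, 'new password'));   // first use of the key
var_dump(redeem_reset_token($db, $token, 'another one'));    // same key presented again
var_dump(issue_reset_token($db, 'nobody@example.test'));     // unknown address
```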

#16 pixy

Posted 14 July 2006 - 11:21 PM

<?php
if (isset($_POST['submitted'])) {
    $errors = array();
    if (empty($_POST['email'])) {
        $errors[] = 'You did not enter an email address.';
    }
    else {
        $email = $_POST['email'];
    }
    if (empty($errors)) { // No validation errors
        // First, make sure the email address exists
        $query = "SELECT user_id FROM users WHERE email='$email'";
        $result = mysql_query($query);
        if (mysql_num_rows($result) == 1) { // Found it
            $row = mysql_fetch_array($result, MYSQL_NUM);
            $id = $row[0];
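            // Now, create a new, random password
            $new_pass = subtr(md5(uniqid(rand(),1)), 3, 10);
            // Store the SHA() hash so it matches the login query, which compares against SHA('$password')
            $query = "UPDATE users SET password=SHA('$new_pass') WHERE user_id='$id'";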
            $result = mysql_query($query);
            if ($result) {
                // Send an email
                $body = "Your password for website has been changed to $new_pass. Log in to change it.";
                mail($email, 'Your Password has been changed', $body, 'From: Admin');
                echo 'You have been emailed a temporary password.';
            }
            else {
                echo mysql_error();
            }
        }
        else {
            echo 'Your email did not correspond with any emails on record.';
        }
    }
    else {
        foreach ($errors as $msg) {
            echo '<li> '.$msg.'</li>';
        }
    }
}
else {
    echo '<form action="thisfile.php" method="post">
    <b>Email</b> <input type="text" name="email">
    <input type="hidden" name="submitted" value="TRUE">
    <input type="submit" name="submit" value="Submit"></form>';
}
?>


#17 BillyBoB

Posted 14 July 2006 - 11:21 PM

How do I make a random string with letters and numbers?

#18 pixy

Posted 14 July 2006 - 11:22 PM

I just posted that above.

EDIT: And you would want to make sure you do something about $email so it doesn't just get chucked into the database. Some sort of escape function.


#19 BillyBoB

Posted 14 July 2006 - 11:45 PM

OK, here's the code:
<?php
$confirmnum = subtr(md5(uniqid(rand(),1)), 3, 10);
?>
Here's the error:

Fatal error: Call to undefined function: subtr() in /home/dreamsh/public_html/lostpass.php on line 141


#20 pixy

Posted 14 July 2006 - 11:52 PM

It's supposed to be substr, I made a typo.
