BillyBoB

getting passwords from the database

How do I get a password from the database and change it back from MD5? I'm trying to send the user their password in an email if they lose it. Please help, I'm almost done with my site.

You can't get a password from the md5 hash of it. Well.... at least not in your lifetime ;).

Try generating a new password and saving it in the database then send that new password to the user.

When you send it to the database, you should encrypt it with SHA() and then when you pull it back out, see if the sha() version of the inputted password matches the password in the database.

I guess I could do something like send them an email with a link like

site.com/change.php?id=**&email=*****@***.com&key=randomnumber_set_on_database

I could do this, right?

I think if you perhaps register a new user, and then switch the MD5 hash for the new user with the user who lost his/her password, and then send them the password you used for the new user, you should be good.

Worked fine for me. ^^

Yeah, I could do that, but then one person could get ahold of the pass I change it to and just take over all the users just by looking at their profile and email and doing the lost pass page.

Hmm.  :-\

Not sure I follow. But if it won't work, don't do it.

Good luck.

To BillyBob, you shouldn't send information through the $_GET url--it's not secure. You don't want the user to be able to just view all the stuff, especially if you are submitting things in hidden fields you DON'T want the user to change.

Here's an example:
[code]
<?php
if (isset($_POST['submitted'])) {
   if (!empty($_POST['username'])) {
       $username = $_POST['username'];
   }
   else {
       echo 'You did not enter a username.';
       die();
   }
   if (!empty($_POST['password'])) {
       $password = $_POST['password'];
   }
   else {
       die ('You did not type a password!');
   }
   $query = "SELECT * FROM users WHERE username='$username' AND password=SHA('$password')";
   $result = mysql_query($query);
   if (mysql_num_rows($result) == 1) {
       // Set cookies or sessions here
       echo 'You have been logged in!';
   }
   else {
       echo 'Your username and password did not match any in record.';
   }
}
else {
   echo '<form action="file.php" method="post">
   <b>Username:</b> <input type="text" name="username">
   <b>Password:</b> <input type="password" name="password">
   <input type="hidden" name="submitted" value="TRUE">
   <input type="submit" name="submit" value="Log In">
   </form>';
}
?>
[/code]

Then, when you register the user, insert SHA('$password') into the database. That way, if someone gains access to the database they can't just log in to people's accounts.

You would, of course, want to do something to validate $username and $password to protect from mysql_injection. I have an escape_data function I created for that, you can let me know if you want me to post it.
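
An added example, not the poster's code: the same login check with two swapped-in techniques, PDO prepared statements in place of an escape function and `password_hash()`/`password_verify()` in place of `SHA()`. The in-memory SQLite table, the `register_user`/`check_login` names and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with the pdo_sqlite extension;
// an in-memory SQLite table stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() adds a per-user salt and a tunable work factor,
    // so identical passwords do not produce identical stored values.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // The ? placeholder sends $username as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Same answer for "no such user" and "wrong password".
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample accounts and inputs.
register_user($db, 'alice', 'correct horse');
register_user($db, 'bob', 'correct horse');

var_dump(check_login($db, 'alice', 'correct horse'));   // right password
var_dump(check_login($db, 'alice', 'wrong guess'));     // wrong password
var_dump(check_login($db, "alice' -- ", 'anything'));   // quote in the username is looked up literally
$rows = $db->query('SELECT password_hash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] !== $rows[1]);                        // same password, compared stored hashes
```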

If I made the script make a new pass, the new pass for the lost pass would always be the same. That way anyone with any smarts could just do the lost password for all members with their email from their profile, then it would have changed the pass on the database and they could enter it in. See what I'm saying?

^ No, you shouldn't do that. As you said, someone would figure it out.

You should create a random string of letters and numbers (you can use md5(), uniqid(), and rand() for that) and insert the random password into the database. Then send them an email with the randomly generated password. Then, when they log into their account they can change it to whatever they want.

You don't get what I'm trying to accomplish. I'm making a page to recover their password and I don't have info that I can use from the user to make sure that's the user, but I could send the user an email, then put a random number into the database, then send them a link like

http://site.com/changepass.php?id=**&email=***@****.com&confirmnum=this_is_the_random_num

Both the id and the random number are something that they can't get just by looking at the profile.

If you encrypted the password with SHA() or MD5() [b]YOU CANNOT DECRYPT IT[/b]. That's kind of "the point."

I'm sure there's a function called encode() and decode() that allows it to be decoded, but if it can be decoded that defeats the purpose.

Like I said before, if they forget their password have a place for them to put in their email address and it'll send the username and newly random password to the email. Then they can change it by logging in.

When you told someone to make a page to change the password, were you talking to me?

Dude, you're like reading all my posts backwards, aren't you?

I'm going to make a changepass.php, then give them a link to it in the email that has their id, email and confirm number in the URL, then randomly make a number which will be the confirm on the lostpass page and store it.

I was wondering if it would work well.
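
The reset-link flow described in the post above, as an added example that is not part of the original thread: the confirm number comes from a CSPRNG, only its hash is stored, and it expires and works once. The `start_reset`/`finish_reset` names, the `resets` table, the `site.example` host and the one-hour lifetime are assumptions, and the link here carries only the id and the confirm number.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// in-memory SQLite and the site.example host stand in for the real site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('old-password', PASSWORD_DEFAULT)]); // constructed

// Lost-password page: returns the link to email, or null for an unknown address.
function start_reset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT user_id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG output, not rand()/uniqid()
    // Keep only a hash of the token, with a one-hour expiry, one row per user.
    $db->prepare('REPLACE INTO resets (user_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$id, hash('sha256', $token), time() + 3600]);
    return "https://site.example/changepass.php?id=$id&confirmnum=$token";
}

// changepass.php: id and confirmnum come from the link, the password from the form.
function finish_reset(PDO $db, int $id, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires FROM resets WHERE user_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->prepare('UPDATE users SET password_hash = ? WHERE user_id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $id]);
    $db->prepare('DELETE FROM resets WHERE user_id = ?')->execute([$id]); // single use
    return true;
}

$link = start_reset($db, 'user@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(finish_reset($db, (int) $q['id'], 'guessed-value', 'new-pass'));   // guessed token
var_dump(finish_reset($db, (int) $q['id'], $q['confirmnum'], 'new-pass'));  // emailed token
var_dump(finish_reset($db, (int) $q['id'], $q['confirmnum'], 'other'));     // link reused
```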

[code]
<?php
if (isset($_POST['submitted'])) {
   $errors = array();
   if (empty($_POST['email'])) {
       $errors[] = 'You did not enter an email address.';
   }
   else {
       $email = $_POST['email'];
   }
   if (empty($errors)) { //
       // First, make sure the email address exists
       $query = "SELECT user_id FROM users WHERE email='$email'";
       $result = mysql_query($query);
       if (mysql_num_rows($result) == 1) { // Found it
           $row = mysql_fetch_array($result, MYSQL_NUM);
           $id = $row[0];
           // Now, create a new, random password
           $new_pass = subtr(md5(uniqid(rand(),1)), 3, 10);
           // Store the SHA() hash so the login query's SHA('$password') comparison matches
           $query = "UPDATE users SET password=SHA('$new_pass') WHERE user_id='$id'";
           $result = mysql_query($query);
           if ($result) {
               // Send an email
               $body = "Your password for website has been changed to $new_pass. Log in to change it.";
               mail($email, 'Your Password has been changed', $body, 'From: Admin');
               echo 'You have been emailed a temporary password.';
          }
          else {
              echo mysql_error();
          }
       }
       else {
           echo 'Your email did not correspond with any emails on record.';
       }
   }
   else {
       foreach ($errors as $msg) {
           echo '<li> '.$msg.'</li>';
       }
   }
}
else {
   echo '<form action="thisfile.php" method="post">
   <b>Email</b> <input type="text" name="email">
   <input type="hidden" name="submitted" value="TRUE">
   <input type="submit" name="submit" value="Submit"></form>';
}
?>
[/code]

I just posted that above.

EDIT: And you would want to make sure you do something about $email so it doesn't just get chucked into the database. Some sort of escape function.

OK, here's the code:
[code]
<?php
$confirmnum = subtr(md5(uniqid(rand(),1)), 3, 10);
?>
[/code]
Here's the error:

[code]
Fatal error: Call to undefined function: subtr() in /home/dreamsh/public_html/lostpass.php on line 141
[/code]

It's supposed to be substr, I made a typo.
