Jump to content

getting passwords from the database


BillyBoB

Recommended Posts

I think if you perhaps register a new user, and then take switch the MD5 hash for the new user with the user who lost his/her password, and then send them the password you used for the new user, you should be good.

Worked fine for me. ^^
Link to comment
Share on other sites

To BillyBob, you shouldn't send information through the $_GET url--it's not secure. You don't want the user to be able to just view all the stuff, especially if you are submitting things in hidden fields you DONT want the user to change.

Here's an example:
[code]
<?php
if (isset($_POST['submitted'])) {
   if (!empty($_POST['username'])) {
       $username = $_POST['username'];
   }
   else {
       echo 'You did not enter a username.';
       die();
   }
   if (!empty($_POST['password'])) {
       $password = $_POST['password'];
   }
   else {
       die ('You did not type a password!');
   }
   $query = "SELECT * FROM users WHERE username='$username' AND password=SHA('$password')";
   $result = mysql_query($query);
   if (mysql_num_rows($result) == 1) {
       // Set cookies or sessions here
       echo 'You have been logged in!';
   }
   else {
       echo 'Your username and password did not match any in record.';
   }
}
else {
   echo '<form action="file.php" method="post">
   <b>Username:</b> <input type="text" name="username">
   <b>Password:</b> <input type="password" name="password">
   <input type="hidden" name="submitted" value="TRUE">
   <input type="submit" name="submit" value="Log In">
   </form>';
}
?>
[/code]

Then, when you register the user, insert SHA('$password') into the database. That way, if someone gains access to the database they can't just log in to people's accounts.

You would, of course, want to do something to validate $username and $password to protect from mysql_injection. I have an escape_data function I created for that, you can let me know if you want me to post it.
Link to comment
Share on other sites

if i made the script make a new pass the new pass for the lost pass would always be the same that way anyone with any smarts could just do the lost pass word for all members with there email from there profile then it would have changed the pass on the database and they could enter it in. see what im saying
Link to comment
Share on other sites

^ No, you shouldn't do that. As you said, someone would figure it out.

You should create a random string of letters and numbers (you can use md5(), uniqueid(), and rand() for that) and insert the random password into the database. Then send them an email with the randomly generated password. Then, when they log into their account they can change it to whatever they want.
Link to comment
Share on other sites

u dont get what im trying to acomplish im making a page to recover there password and i dont have info that i can use from the user to make sure thats the user but i could send the user an email then put a random number in to the database then send them a link like

http://site.com/changepass.php?id=**&email=***@****.com&confirmnum=this_is_the_random_num

both the id and the random number are somthing that they cant get just by looking at the profile
Link to comment
Share on other sites

if you encrypted the password with SHA() or MD5() [b]YOU CANNOT DECRYPT IT[/b]. That's kind of "the point."

I'm sure there's a function called encode() and decode() that allows it to be decoded, but if it can be decoded that defeats the purpose.

Like I said before, if they forget their password have a place for them to put in their email address and it'll send the username and newly random password to the email. Then they can change it by logging in.

When you told someone to make a page to change the password, were you talking to me?
Link to comment
Share on other sites

dude ur like reading all my post backwards arnt u

im goin to make a changepass.php then give them a link
to it in the email that has their id email and confirm number in the url
then randomly make a number which will be the confirm on the lostpass page and store it

i was wonderin if it would work good
Link to comment
Share on other sites

[code]
<?php
if (isset($_POST['submitted'])) {
   $errors = array();
   if (empty($_POST['email'])) {
       $errors[] = 'You did not enter an email address.';
   }
   else {
       $email = $_POST['email'];
   }
   if (empty($errors)) { //
       // First, make sure the email address exists
       $query = "SELECT user_id FROM users WHERE email='$email'";
       $result = mysql_query($query);
       if (mysql_num_rows($result) == 1) { // Found it
           $row = mysql_fetch_array($result, MYSQL_NUM);
           $id = $row[0];
           // Now, create a new, random password
           $new_pass = subtr(md5(uniqid(rand(),1)), 3, 10);
           $query = "UPDATE users SET password='$new_pass' WHERE user_id='$id'";
            $result = mysql_query($query);
           if ($result) {
               // Send an email
               $body = "Your password for website has been changed to $new_pass. Log in to change it.";
               mail($email, 'Your Password has been changed', $body, 'From: Admin');
               echo 'You have been emailed a temporary password.';
          }
          else {
              echo mysql_error();
          }
       }
       else {
           echo 'Your email did not correspond with any emails on record.';
       }
   }
   else {
       foreach ($errors as $msg) {
           echo '<li> '.$msg.'</li>';
       }
   }
}
else {
   echo '<form action="thisfile.php" method="post">
   <b>Email</b> <input type="text" name="email">
   <input type="hidden" name="submitted" value="TRUE">
   <input type="submit" name="submit" value="Submit"></form>';
}
?>
[/code]
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.