
PHP MySQL password=PASSWORD('') Problem



#1 eamartin


Posted 10 December 2003 - 09:27 PM

Hi,

I have a user administration page that I'm having some problems with. I have an HTML form in my code, that is reused to add users and edit users. When I do an edit, the form loads the variables from the database, and everything is shown, except the password. My statement to update or insert into the database contains the following:

UPDATE user SET uname='$uname',password=PASSWORD('$password')...

The problem really comes from my values that are loaded when doing an edit. Since the password is entered into the database encrypted, when I pull the value from the database and auto-populate the form with it, it's the encrypted version. So if I don't also type in a new password in the edit screen, the old password is lost and I have to reset it anyway. To gather my edit values, I do something like this:

$sql = "SELECT * FROM user WHERE user_id=$user_id";
$result = mysql_query($sql);
$myrow = mysql_fetch_array($result);
$user_id = $myrow["user_id"];
$uname = $myrow["uname"];
$password = $myrow["password"];
$email = $myrow["email"];
$ulevel = $myrow["ulevel"];

And then in my form, I echo the $password. I'm thinking that if in the above section, I could somehow integrate the password=PASSWORD('') portion of the code, it would translate it back correctly, but I'm not sure how to do it. Any ideas?

Thanks in advance for any and all help!

#2 gizmola


Posted 10 December 2003 - 10:22 PM

I think your approach is a bit flawed. There is no value in you having the password on the form as an admin. The reason you encrypt the password is to secure it... even from yourself as an admin.

The only function you should reserve for yourself as an admin, is the ability to reset the password for the user manually. You should just have a function of your system that lets you supply a new password, and have that stored as the user's new password. I don't expect that this is something that should be needed very often, if you have adequate self-help functions allowing a user to set a new password for themselves, using some combination of their registered email, or password hints they provide when they set the account up.
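
What the reply describes, as an added example that is not part of either post: the edit form leaves the password field blank, and the UPDATE only touches the password column when the admin supplies a new value. The helper name update_user, the in-memory SQLite database standing in for MySQL, the constructed sample row, and the use of PHP's password_hash() in place of MySQL's PASSWORD() are assumptions (PHP 7.1+ with PDO).

```php
<?php
// Added example: update_user() is a hypothetical helper, not the poster's code.
// Assumes PHP 7.1+ with PDO; SQLite in memory stands in for the MySQL database.

function update_user(PDO $db, int $userId, array $form): void
{
    // Columns that are always editable from the admin form.
    $sets   = ['uname = :uname', 'email = :email', 'ulevel = :ulevel'];
    $params = [
        ':uname'  => $form['uname'],
        ':email'  => $form['email'],
        ':ulevel' => (int) $form['ulevel'],
        ':id'     => $userId,
    ];

    // The form never echoes the stored hash; the field is rendered empty.
    // Only a non-empty submitted value counts as a password reset.
    $new = $form['password'] ?? '';
    if ($new !== '') {
        $sets[]              = 'password = :password';
        $params[':password'] = password_hash($new, PASSWORD_DEFAULT);
    }

    // Bound parameters keep form input out of the SQL text.
    $sql = 'UPDATE user SET ' . implode(', ', $sets) . ' WHERE user_id = :id';
    $db->prepare($sql)->execute($params);
}

// Constructed sample data using the column names from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, uname TEXT,
           password TEXT, email TEXT, ulevel INTEGER)');
$db->prepare('INSERT INTO user VALUES (1, ?, ?, ?, 1)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT), 'alice@example.test']);

$stored = function () use ($db) {
    return $db->query('SELECT password FROM user WHERE user_id = 1')->fetchColumn();
};
$edit = ['uname' => 'alice', 'email' => 'new@example.test', 'ulevel' => 2];

// Edit with the password field left blank: the stored hash must be unchanged.
$before = $stored();
update_user($db, 1, $edit + ['password' => '']);
var_dump($stored() === $before);

// Admin reset: the new value is hashed and replaces the old one.
update_user($db, 1, $edit + ['password' => 'new-secret']);
var_dump(password_verify('new-secret', $stored()));
var_dump(password_verify('old-secret', $stored()));
```

The SELECT that populates the edit form can then list only uname, email and ulevel, so the hash never reaches the page.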



