joesaddigh Posted April 23, 2009 Share Posted April 23, 2009 Hi, I have a reset password feature where by a user will select a link 'forgotten password' and they will input their email, the password will then be sent to the email address. This works fine. However when i try and login using this newly reset password it does not work using the login form. If i hardcode the password into the logincheck (This is the script that runs when the user logs in) it works. This problem does not seem to make any sense because i have even printed out the password that I am inputting into the form and it is exactly the same as if i hardcode it. I am using MD5 to encrypt the passwords. Not sure if this would make a difference. I don't think it should as it works fine everywhere on my site. Any help would be much appreciated as this problem makes no sense. If you wish to see my code then please let me know Thanks Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/ Share on other sites More sharing options...
Zhadus Posted April 23, 2009 Share Posted April 23, 2009 When you email the person the reset password and update the database with the reset password, make sure you're using the same sequence as the normal registration. To verify, view what the password states (with md5) in the database, on the login page, have it output the encrypted password you type in and compare the two. If they are different, one of them is adding a quote or slash etc. in there. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817739 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 As far as i can see it does do it in the same sequence. For example below is the initial script that gets run once the user enters their email address and selects the submit button. This generates a password (not shown here) updates the database (using MD5) then sends them the password generated. $query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'"; mysql_query($query, $conn) or die('Could not change password for username ' .$username); //Set the message to tell the user that the two passwords do not match $success = 'Password reset successful. Your new password has been sent to your email address'; //Email student with new password include 'forgottenpasswordsendmail.php'; Once this is complete the database is updated then they follow the normal process of logging in which executes this logincheck script (Below) session_start(); //Use the connect script to connect to CIS School database require "connectstudent.php"; //Use the student data to connect to the database $dbuser = $_POST["user"]; $dbpass = $_POST["password"]; $dbhost = 'localhost'; $dbname = 'CISSchool'; //Build the query checking the username and passowrd entered is correct $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'"; $result = mysql_query($query, $conn) or die ("Unable to perform query. <br/> $query <br/>" . mysql_error()); //Retrieve the data that is stored in the array $row= mysql_fetch_array($result); //If there is a match then take them to the student page if ($row != null) { $_SESSION["user"] = $row['StudentUsername']; $_SESSION["name"] = $row['StudentFirstName'] .' ' . $row['StudentSurname']; header("Location: Student/studenthome.php"); exit(); } //Else display error message and navigate to homepage else { //Pass this message to the index screen to let the user know they have incorrect login details $message = 'Invalid user name or password, please try again'; header("Location: index.php? message=$message"); exit(); } Sorry but i really am stuck with this one! Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817752 Share on other sites More sharing options...
Zhadus Posted April 23, 2009 Share Posted April 23, 2009 Show the code where it updates the database with the password it generates. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817764 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 <?php $username = $_POST['email']; require 'connectadmin.php'; //Generate the password include "generatepassword.php"; $password = generatePassword(); $query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'"; mysql_query($query, $conn) or die('Could not change password for username ' .$username); //Set the message to tell the user that the two passwords do not match $success = 'Password reset successful. Your new password has been sent to your email address'; //Email student with new password include 'forgottenpasswordsendmail.php'; header("Location: forgottenpassword.php? success=$success"); mysql_close($conn); exit(); ?> Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817784 Share on other sites More sharing options...
Zhadus Posted April 23, 2009 Share Posted April 23, 2009 Are you hardcoding $dbpass when you were talking about 'hardcoding the password'? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817798 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 Yes Litterally taking the password which is being emailed and hardcoding it instead of $dbpass So for example this is how it is originally (Does not work) $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'"; Below Works $query = "select * from student where StudentUsername ='".."' and StudentPassword = '".md5('password')."'"; Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817804 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 can you post more, ie. generatepassword.php have you echo'd out $username and $password and compared them to what's in the database? with no guarantee that your update query is going to work all the time, $success should really only be set if the desired result(s) are returned, so you should really set $success with an 'if' statement. as well as your query .. it should only be executed if certain conditions are met, ie. a submit button is clicked, etc. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817807 Share on other sites More sharing options...
DjMikeS Posted April 23, 2009 Share Posted April 23, 2009 Dude...before you continue.... You really really really really need sanitize your data before sending it to the database...! http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php I cannot emphasize this enough... a simple: <?php $var = mysql_real_escape_string($_POST['var']); ?> will already do the trick... Furthermore....is the password that you sent the same as the one that gets inserted into the database? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817808 Share on other sites More sharing options...
mikesta707 Posted April 23, 2009 Share Posted April 23, 2009 this seems like it should work... try md5ing the variable before you pass in into the mysql maybe?? $dbpass = md5($dbpass); $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".$dbpass."'"; maybe something like that? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817809 Share on other sites More sharing options...
DjMikeS Posted April 23, 2009 Share Posted April 23, 2009 Ok, What is it? A quote from your code: $query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'"; mysql_query($query, $conn) or die('Could not change password for username ' .$username); But I also hear you talking about $dbpass....?? What's up with that ? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817810 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 Quote You really really really really need sanitize your data before sending it to the database...! http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php ya, i was going to suggest that once this other matter has been sorted out. just waiting to hear if the passwords are what they are supposed to be before spending any more brainpower on this one. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817812 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 Wow - Lots of posts I know i need to sort it out for sql injections and stuff so thanks i will do this at some point before it goes live. The password that is being sent is the same as the one in the database obviously if i look at the password in the db i cannot see it as it is encrypted however if i hardcode the password that is sent via email into the login check it works! By the way this login does work normally it is only sinse i have added this forgotten password feature that it has a problem and i have not changed the logincheck as i didn't need to. I have posted all of the code that surrounds this problem. If somebody wants to look at something specific then i will post it Thanks guys Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817819 Share on other sites More sharing options...
mikesta707 Posted April 23, 2009 Share Posted April 23, 2009 show us the code that sends the email, and the code the creates the password Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817821 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 Send email <?php $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $headers .= 'From: info@cisschool.co.uk' . "\r\n"; if (mail($username,"New password","Your password has been reset. Your new password is: ".$password ,$headers)) { echo("<p>Message successfully sent!</p>"); } else { echo("<p>Message delivery failed...</p>"); } ?> Generate the password - This works in other areas <?php //Function used to generate a random password function generatePassword ($length = { // start with a blank password $password = ""; // define possible characters $possible = "0123456789bcdfghjkmnpqrstvwxyz"; // set up a counter $i = 0; // add random characters to $password until $length is reached while ($i < $length) { // pick a random character from the possible ones $char = substr($possible, mt_rand(0, strlen($possible)-1), 1); // we don't want this character if it's already in the password if (!strstr($password, $char)) { $password .= $char; $i++; } } //echo "The random password generated is " . $password; return $password; } ?> Thanks Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817823 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 well, if the password is 8 or more characters, it's set to "" .. aka blank. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817828 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 echo out your queries, ie. echo $query; on both your update and select .. see what you get. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817831 Share on other sites More sharing options...
mikesta707 Posted April 23, 2009 Share Posted April 23, 2009 try echoing the query before you execute it. Or try md5'ing the password string before you pass it into the sql. I did a very similar script to yours, and mine worked fine. THe only real difference is that I md5'ed the password before storing it Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817833 Share on other sites More sharing options...
mikesta707 Posted April 23, 2009 Share Posted April 23, 2009 Quote well, if the password is 8 or more characters, it's set to "" .. aka blank. how is that? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817834 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 Quote Quote well, if the password is 8 or more characters, it's set to "" .. aka blank. how is that? <?php //Function used to generate a random password function generatePassword ($length = { // start with a blank password $password = ""; <------------------blank; // define possible characters $possible = "0123456789bcdfghjkmnpqrstvwxyz"; // set up a counter $i = 0; // add random characters to $password until $length is reached while ($i < $length) { // pick a random character from the possible ones $char = substr($possible, mt_rand(0, strlen($possible)-1), 1); // we don't want this character if it's already in the password if (!strstr($password, $char)) { $password .= $char; $i++; } } //echo "The random password generated is " . $password; return $password; //<---------- return blank password; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817837 Share on other sites More sharing options...
joesaddigh Posted April 23, 2009 Author Share Posted April 23, 2009 I think that just initialises the password vairable? Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817838 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 Quote I think that just initialises the password vairable? it also returns it. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817840 Share on other sites More sharing options...
premiso Posted April 23, 2009 Share Posted April 23, 2009 Quote well, if the password is 8 or more characters, it's set to "" .. aka blank. I think you are mis-interpreting the code. The $password should return, as he stated it is just initializing the $password variable, which is what you should do. But back on topic. What is going on? Are you updating with a new password, but yet you cannot login with that password. Right? Have you tried and trim the password variable that comes from the login form before checking it against the DB? Are you using the MySQL MD5 function for the checking against the DB? Or the PHP, as they may return different variables. You need to be consistent with those. EDIT: Given this code: $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'"; Try this instead: $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = MD5('". $dbpass ."')"; And see if it lets you in. If that fails, try this for trimming the variable then checking: $dbpass = trim($dbpass); // remove extra whitespaces that may come. $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = MD5('". $dbpass ."')"; EDIT EDIT: The basic gist, stick with either the php md5 or the MySQL, do not mix and match as they will most likely yield different values. Stay consistent. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817848 Share on other sites More sharing options...
mrMarcus Posted April 23, 2009 Share Posted April 23, 2009 hold on .. i take that back .. i'm just having a hard time following your code. my apologies. Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817849 Share on other sites More sharing options...
mikesta707 Posted April 23, 2009 Share Posted April 23, 2009 Quote Quote I think that just initialises the password vairable? it also returns it. nah thats wrong. i think premiso is right. you may be having a problem with mysql's md5 function. Try using php's md5 function, and then just insert the info with mysql Quote Link to comment https://forums.phpfreaks.com/topic/155405-reset-password-feature/#findComment-817853 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.