Reset password feature

[joesaddigh]

Hi,

 

I have a reset password feature where by a user will select a link 'forgotten password' and they will input their email, the password will then be sent to the email address.

 

This works fine. However when i try and login using this newly reset password it does not work using the login form.

 

If i hardcode the password into the logincheck (This is the script that runs when the user logs in) it works.

 

This problem does not seem to make any sense because i have even printed out the password that I am inputting into the form and it is exactly the same as if i hardcode it.

 

I am using MD5 to encrypt the passwords. Not sure if this would make a difference. I don't think it should as it works fine everywhere on my site.

 

Any help would be much appreciated as this problem makes no sense.

 

If you wish to see my code then please let me know

 

Thanks

 

[Zhadus]

When you email the person the reset password and update the database with the reset password, make sure you're using the same sequence as the normal registration.

 

To verify, view what the password states (with md5) in the database, on the login page, have it output the encrypted password you type in and compare the two. If they are different, one of them is adding a quote or slash etc. in there.

[joesaddigh]

As far as i can see it does do it in the same sequence.

 

For example below is the initial script that gets run once the user enters their email address and selects the submit button. This generates a password (not shown here) updates the database (using MD5) then sends them the password generated.

 

$query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'";		

mysql_query($query, $conn)
	or die('Could not change password for username ' .$username);


//Set the message to tell the user that the two passwords do not match
$success = 'Password reset successful. Your new password has been sent to your email address';

//Email student with new password
include 'forgottenpasswordsendmail.php';

 

 

Once this is complete the database is updated then they follow the normal process of logging in which executes this logincheck script (Below)

 

session_start();

//Use the connect script to connect to CIS School database
require "connectstudent.php";

//Use the student data to connect to the database
$dbuser = $_POST["user"];
$dbpass = $_POST["password"];
$dbhost = 'localhost';
$dbname = 'CISSchool';		

//Build the query checking the username and passowrd entered is correct
$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'";

$result = mysql_query($query, $conn)
	or die ("Unable to perform query. <br/> $query <br/>"  . mysql_error());

//Retrieve the data that is stored in the array
$row= mysql_fetch_array($result);

//If there is a match then take them to the student page
if ($row != null)
{	
	$_SESSION["user"] = $row['StudentUsername'];
	$_SESSION["name"] = $row['StudentFirstName'] .' ' .  $row['StudentSurname'];
	header("Location: Student/studenthome.php");
	exit();
}
//Else display error message and navigate to homepage
else 
{	
	//Pass this message to the index screen to let the user know they have incorrect login details
	$message = 'Invalid user name or password, please try again';
	header("Location: index.php? message=$message");
	exit();		
}

 

Sorry but i really am stuck with this one!

[Zhadus]

Show the code where it updates the database with the password it generates.

[joesaddigh]

<?php 
$username = $_POST['email']; 
require 'connectadmin.php';

//Generate the password
include "generatepassword.php";
$password = generatePassword();	

$query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'";		

mysql_query($query, $conn)
	or die('Could not change password for username ' .$username);


//Set the message to tell the user that the two passwords do not match
$success = 'Password reset successful. Your new password has been sent to your email address';

//Email student with new password
include 'forgottenpasswordsendmail.php';


header("Location: forgottenpassword.php? success=$success");
mysql_close($conn);
exit();			            
?>

[Zhadus]

Are you hardcoding $dbpass when you were talking about 'hardcoding the password'?

[joesaddigh]

Yes

 

Litterally taking the password which is being emailed and hardcoding it instead of $dbpass

 

So for example this is how it is originally (Does not work)

 

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'";

 

Below Works

 

$query = "select * from student where StudentUsername ='".."' and StudentPassword = '".md5('password')."'";

[mrMarcus]

can you post more, ie. generatepassword.php

 

have you echo'd out $username and $password and compared them to what's in the database?

 

with no guarantee that your update query is going to work all the time, $success should really only be set if the desired result(s) are returned, so you should really set $success with an 'if' statement.  as well as your query .. it should only be executed if certain conditions are met, ie. a submit button is clicked, etc.

[DjMikeS]

Dude...before you continue....

 

You really really really really need sanitize your data before sending it to the database...!

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

 

I cannot emphasize this enough... a simple:

<?php $var = mysql_real_escape_string($_POST['var']); ?>

will already do the trick...

 

Furthermore....is the password that you sent the same as the one that gets inserted into the database?

[mikesta707]

this seems like it should work... try md5ing the variable before you pass in into the mysql maybe??

 

$dbpass = md5($dbpass);
$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".$dbpass."'";

 

maybe something like that?

[DjMikeS]

Ok,

 

What is it? A quote from your code:

$query = "UPDATE student SET StudentPassword =MD5('".$password."') WHERE StudentUsername ='".$username."'";      
   
   mysql_query($query, $conn)
      or die('Could not change password for username ' .$username);

 

But I also hear you talking about $dbpass....??

What's up with that ?

[mrMarcus]

You really really really really need sanitize your data before sending it to the database...!

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

ya, i was going to suggest that once this other matter has been sorted out.

 

just waiting to hear if the passwords are what they are supposed to be before spending any more brainpower on this one.

[joesaddigh]

Wow - Lots of posts

 

I know i need to sort it out for sql injections and stuff so thanks i will do this at some point before it goes live.

 

 

The password that is being sent is the same as the one in the database

 

obviously if i look at the password in the db  i cannot see it as it is encrypted however if  i hardcode the password that is sent via email into the login check it works!

 

By the way this login does work normally it is only sinse i have added this forgotten password feature that it has a problem and i have not changed the logincheck as i didn't need to.

 

I have posted all of the code that surrounds this problem. If somebody wants to look at something specific then i will post it

 

Thanks guys

 

 

 

 

[mikesta707]

show us the code that sends the email, and the code the creates the password

[joesaddigh]

Send email

 

<?php 
$headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $headers .= 'From: info@cisschool.co.uk' . "\r\n";	
  
if (mail($username,"New password","Your password has been reset. Your new password is: ".$password ,$headers))
{
		echo("<p>Message successfully sent!</p>");
}
else
{
		echo("<p>Message delivery failed...</p>");
}       
?>

 

 

Generate the password - This works in other areas

 

<?php
//Function used to generate a random password
function generatePassword ($length = 
{	
  // start with a blank password
  $password = "";

  // define possible characters
  $possible = "0123456789bcdfghjkmnpqrstvwxyz"; 

  // set up a counter
  $i = 0; 

  // add random characters to $password until $length is reached
  while ($i < $length) { 

	// pick a random character from the possible ones
	$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);

	// we don't want this character if it's already in the password
	if (!strstr($password, $char)) { 
	  $password .= $char;
	  $i++;
	}

  }
  //echo "The random password generated is " . $password;	
  return $password; 
}
?>

 

Thanks

[mrMarcus]

well, if the password is 8 or more characters, it's set to "" .. aka blank.

[mrMarcus]

echo out your queries, ie.

echo $query;

on both your update and select .. see what you get.

[mikesta707]

try echoing the query before you execute it. Or try md5'ing the password string before you pass it into the sql. I did a very similar script to yours, and mine worked fine. THe only real difference is that I md5'ed the password before storing it

[mikesta707]

well, if the password is 8 or more characters, it's set to "" .. aka blank.

 

how is that?

[mrMarcus]

well, if the password is 8 or more characters, it's set to "" .. aka blank.

 

how is that?

<?php
   //Function used to generate a random password
   function generatePassword ($length = 
   {   
     // start with a blank password
     $password = ""; <------------------blank;
   
     // define possible characters
     $possible = "0123456789bcdfghjkmnpqrstvwxyz"; 
      
     // set up a counter
     $i = 0; 
      
     // add random characters to $password until $length is reached
     while ($i < $length) { 
   
      // pick a random character from the possible ones
      $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
         
      // we don't want this character if it's already in the password
      if (!strstr($password, $char)) { 
        $password .= $char;
        $i++;
      }
   
     }
     //echo "The random password generated is " . $password;   

     return $password; //<---------- return blank password;
   }
?>

[joesaddigh]

I think that just initialises the password vairable?

[mrMarcus]

I think that just initialises the password vairable?

it also returns it.

[premiso]

well, if the password is 8 or more characters, it's set to "" .. aka blank.

 

I think you are mis-interpreting the code. The $password should return, as he stated it is just initializing the $password variable, which is what you should do.

 

But back on topic.

 

What is going on? Are you updating with a new password, but yet you cannot login with that password. Right?

 

Have you tried and trim the password variable that comes from the login form before checking it against the DB?

Are you using the MySQL MD5 function for the checking against the DB? Or the PHP, as they may return different variables. You need to be consistent with those.

 

EDIT:

Given this code:

   $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'";

 

Try this instead:

   $query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = MD5('". $dbpass ."')";

 

And see if it lets you in. If that fails, try this for trimming the variable then checking:

   $dbpass = trim($dbpass); // remove extra whitespaces that may come.
$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = MD5('". $dbpass ."')";

 

EDIT EDIT:

 

The basic gist, stick with either the php md5 or the MySQL, do not mix and match as they will most likely yield different values. Stay consistent.

[mrMarcus]

hold on .. i take that back .. i'm just having a hard time following your code.

 

my apologies.

[mikesta707]

I think that just initialises the password vairable?

it also returns it.

 

nah thats wrong.

 

i think premiso is right. you may be having a problem with mysql's md5 function. Try using php's md5 function, and then just insert the info with mysql