daneth1712 Posted August 6, 2009

Hi guys, I am having a couple of problems with a 'forgot my password' script. The previous form page has 3 fields: username, secret_question, and secret_answer. What I want to be able to do is check these fields against the db, and change the current password (which is set to md5) to the answer of their secret question. This new password is then emailed to them, so they can log in and change the password if they wish.

The problem I am having is that the new password is not being stored in the db, and the field in the email where it should display their new password is coming out blank. The code I have for this is below:

<?php
$username=($_POST['username']);
$secretq=($_POST['secrect_question']);
$secretanswer=($_POST['secrect_answer']);
$secreta=($_POST['secrect_answer']);
$secans = md5($secreta);

//send back to previous page if called from other location or empty
if (!isset($username) || !isset($secretq) || !isset($secreta)) {
    header( "Location: remember.html" );
} elseif (empty($username) || empty($secretq) || empty($secreta)) {
    header( "Location: remember.html" );
}

//connect to the database
include 'includes/config.php';
$db = mysql_connect("$hostname", "$adminuser", "$adminpass") or die ("Error connecting to database.");
mysql_select_db("$database", $db) or die ("Couldn't select the database.");

$result=mysql_query("UPDATE userinfo SET password='$secans' WHERE username='$username' AND secret_question='$secretq' AND secret_answer='$secreta'", $db);

if($result){
    $to=$username;
    $subject="Here is your new password";
    $header="from: Company <[email protected]>";
    $messages= "Please find below your password to login into www.company.co.uk. \r\n";
    $messages.="Your password is $secretanswer \r\n";
    $sentmail = mail($to,$subject,$messages,$header);
}
// if no result found
elseif (!$result){
    header( "Location: error_remember.html" );
}
// else if $count not equal 1
else {
    header( "Location: error_remember.html" );
}

// if email succesfully sent
if($sentmail){
    header( "Location: password_successful.php" );
} else {
    header( "Location: error_remember.html" );
}
?>

Any help is very much appreciated.
smerny Posted August 6, 2009

It looks like you are spelling secret wrong... or is that the same as the name of the input fields?
cunoodle2 Posted August 6, 2009

According to the script that I am reading here the user's new password will be the answer to their secret question. That does not seem secure at all. Some random person could potentially just guess a secret question's answer (some people's are soooo easy) so I would honestly look at trying a different method there. My 2 cents.
smerny Posted August 6, 2009

> According to the script that I am reading here the user's new password will be the answer to their secret question. That does not seem secure at all. Some random person could potentially just guess a secret question's answer (some people's are soooo easy) so I would honestly look at trying a different method there. My 2 cents.

Well, besides the secret answer, the new password is also sent to the person's email address... so unless the person's email address is widely accessible, it's not a security issue... the question just stops random people from resetting passwords and getting the site to send you a ton of emails.
daneth1712 (Author) Posted August 6, 2009

Hi smerny, thanks for pointing that out, it's always the simple parts that are missed.

cunoodle - yes, it's not ideal, but it will work for me for now... that is until I work out how to auto-generate a random md5 password and update the db with it....

Thanks
cunoodle2 Posted August 6, 2009

> Well, besides the secret answer, the new password is also sent to the person's email address... so unless the person's email address is widely accessible, it's not a security issue... the question just stops random people from resetting passwords and getting the site to send you a ton of emails.

Unless he has more code than what is written here you are completely wrong. In the code example in his first post it says...

<?php
if($result){
    $to=$username;
    $subject="Here is your new password";
    $header="from: Company <[email protected]>";
    $messages= "Please find below your password to login into www.company.co.uk. \r\n";
    $messages.="Your password is $secretanswer \r\n";
    $sentmail = mail($to,$subject,$messages,$header);
}
?>

So if you read the code you will see that he just emails them the "secret answer" and never actually sends them a "real" password. He just states that the user COULD then update their password "if they wish" (<<-- that is a direct quote from the original post). What I am saying is that someone could sit there... guess at the answer to the question and upon getting it right would then be able to immediately log into that account because they would now know the password. This is EXTREMELY poor site security.
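The weakness cunoodle2 describes is that the secret answer doubles as the new password, so whoever guesses it is logged in, and the original poster's stated next step is to generate a random password instead. The usual shape of that fix is a single-use reset token rather than a mailed password: the server generates a random token, stores only its hash with an expiry, mails a link containing the token, and lets the user choose a new password when the link is redeemed. The block below is an added example written for this thread, not code from the poster or the forum; it stands in for the MySQL table with an in-memory SQLite database, assumes a `password_resets` table, a `reset.php` endpoint on the site named in the post and a 30-minute token lifetime, and returns the mail text from a function instead of calling `mail()` so it runs offline.

```php
<?php
// Added example, not code from the thread. Replaces "secret answer becomes the
// password" with a single-use reset token: the token is random, only its hash
// is stored, it expires, and the new password is chosen by the user and saved
// with password_hash(). SQLite in memory stands in for the MySQL table; the
// mail() call is replaced by returning the message body.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 1800;   // assumed 30-minute validity

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userinfo (username TEXT PRIMARY KEY, password TEXT)');
    // Assumed table for pending resets; it never holds the raw token.
    $db->exec('CREATE TABLE password_resets (username TEXT, token_hash TEXT, expires_at INTEGER)');
    // Constructed sample user.
    $db->prepare('INSERT INTO userinfo VALUES (?, ?)')
       ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Step 1: the user asks for a reset. The caller shows the same "check your
// e-mail" page whether or not the account exists, so the form cannot be used
// to enumerate users. Returns the mail body to send, or null when no mail is due.
function requestReset(PDO $db, string $username, int $now): ?string {
    $stmt = $db->prepare('SELECT 1 FROM userinfo WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    // One outstanding token per account: drop any earlier one.
    $db->prepare('DELETE FROM password_resets WHERE username = ?')->execute([$username]);
    $db->prepare('INSERT INTO password_resets VALUES (?, ?, ?)')
       ->execute([$username, hash('sha256', $token), $now + TOKEN_TTL_SECONDS]);
    // Only the link leaves the server; a database dump does not reveal usable tokens.
    return "Reset your password here (link valid for 30 minutes):\r\n"
         . "https://www.company.co.uk/reset.php?token=$token\r\n";   // assumed endpoint
}

// Step 2: the user follows the link and submits a password of their choosing.
// Returns true only for an unexpired, not yet redeemed token.
function completeReset(PDO $db, string $token, string $newPassword, int $now): bool {
    $stmt = $db->prepare('SELECT username FROM password_resets
                          WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $username = $stmt->fetchColumn();
    if ($username === false || strlen($newPassword) < 12) {
        return false;
    }
    $db->prepare('UPDATE userinfo SET password = ? WHERE username = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    // Single use: the token is gone as soon as it has been redeemed.
    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
    return true;
}

$db  = openDb();
$now = time();
$mailBody = requestReset($db, 'alice@example.com', $now);
preg_match('/token=([0-9a-f]+)/', $mailBody, $m);   // what the user would click
$token = $m[1];
var_dump(completeReset($db, $token, 'correct horse battery staple', $now));              // fresh token
var_dump(completeReset($db, $token, 'correct horse battery staple', $now));              // same token again
var_dump(completeReset($db, bin2hex(random_bytes(32)), 'correct horse battery staple', $now)); // unknown token
```

Run with the php CLI: only the first redemption succeeds; replaying the token or presenting one the server never issued is refused, and a token presented after `expires_at` is refused by the same query. Compared with the thread's approach, nothing that grants access is derived from the secret answer, the mailed value is useless after one use or 30 minutes, and the stored password is a salted `password_hash()` digest rather than md5 of a guessable string.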