papillonstudios Posted August 31, 2009 Share Posted August 31, 2009 I am adding a secret question feature to my CMS. But I'm not sure how to go about it. I have the registration form asking to enter one. But how would i go about using it on my password reset page. What i need it to do is pull the question for the user thats wanting to reset the pass. and display it and then cross reference the answer to the question with the answer in the database. Would i use URL variables, or what? Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/ Share on other sites More sharing options...
Garethp Posted August 31, 2009 Share Posted August 31, 2009 Uh, POST variables ofcourse. Look here, if you will. Just your ordinary SELECT * FROM `members` WHERE Answer='$Answer' After you sanitize your answer, naturally Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909741 Share on other sites More sharing options...
mikesta707 Posted August 31, 2009 Share Posted August 31, 2009 When I did this, I stored the question in my database also, and stored the answer as an MD5 hash. As gareth said its pretty much just a simple query to get the information you want. not too hard Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909742 Share on other sites More sharing options...
papillonstudios Posted August 31, 2009 Author Share Posted August 31, 2009 heres what i got so far Currently i dont md5 hash the answer. <?php if (!$_GET['email']) { if (!$_POST['lost_pass']) { //the form hasn't been submitted, we make it echo '<form method="post" action="index.php?action=forgot"> <fieldset> <legend>Forgot Password</legend> <table> <tr><td>Email </td></tr><tr><td>'.form_input(text,email).'</td></tr> </table> </fieldset> <p><input type="submit" name="lost_pass" value="Continue ->"></p> </form>'; }else{ $email = isEmail($_POST['email']); $sql = "SELECT * FROM users WHERE email = '".$email."'"; $checkmail = mysql_query($sql) or die(mysql_error()); //the above lines look for the email address in the member table if (mysql_num_rows($checkmail) == "0") { exit("We can't find that email address in our member database, please make sure you entered the correct address"); } } }else{ if (!$_POST['answer']) { //the form hasn't been submitted, we make it echo '<form method="post" action="index.php?action=forgot"> <fieldset> <legend>Forgot Password</legend> <table> <tr><td><i>'..'</i></td></tr> <tr><td>Secret Question Answer </td></tr><tr><td>'.form_input(password,answer).'</td></tr> </table> </fieldset> <p><input type="submit" name="answer" value="Continue ->"></p> </form>'; }else{ $answer = isEmail($_POST['answer']); $sql = "SELECT * FROM users WHERE answer = '".$answer."'"; $checkmail = mysql_query($sql) or die(mysql_error()); //the above lines look for the email address in the member table if (mysql_num_rows($checkmail) == "0") { exit("We can't find that email address in our member database, please make sure you entered the correct address"); }else{ //if the email doesn't exist, tell the user it doesn't // *************************// // Random Password Generator // // *************************// $checkmail = mysql_fetch_array($checkmail); $user = $checkmail['username']; $totalChar = 7; // number of chars in the password $salt = "abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ123456789"; // salt to select chars from srand((double)microtime() * 1000000); // start the random generator $password = "0"; // set the inital variable for ($i = 0; $i < $totalChar; $i++) // loop and create password $password = $password . substr($salt, rand() % strlen($salt), 1); // *************************// // Display Password // // *************************// $encpass = sha1($password . SALT); $update = "UPDATE users set password ='$encpass' WHERE username ='$user'"; mysql_query($update) or die(mysql_error()); //change the member's password to the new generated one echo ('You Can Now login with this password.<br /> Your Password: '.$password.'<br /> After you Login, Click "Edit Profile", and change your password right away.<br /> Thank You for using the Isus CMS 2.0 Password Recovery Tool. '); } } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909745 Share on other sites More sharing options...
Garethp Posted August 31, 2009 Share Posted August 31, 2009 And... does it work? Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909747 Share on other sites More sharing options...
Daniel0 Posted August 31, 2009 Share Posted August 31, 2009 I hate "secret questions". I can't find a question and an answer that loads of people couldn't guess or otherwise figure out. I usually just enter a bogus answer, like a secondary password. I think the concept of "secret" questions are ridiculous. Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909754 Share on other sites More sharing options...
Garethp Posted August 31, 2009 Share Posted August 31, 2009 Make them enter their own questions, that's what I would do. Also, I just enter random text that I'll never remember, simply because I never forget my password Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909755 Share on other sites More sharing options...
Daniel0 Posted August 31, 2009 Share Posted August 31, 2009 That's my point. If you enter a genuine question+answer then someone can probably guess it. If you don't then you are trying to circumvent the system. In either case it's useless. Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909760 Share on other sites More sharing options...
mikesta707 Posted August 31, 2009 Share Posted August 31, 2009 But daniel... secret questions love you Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909766 Share on other sites More sharing options...
papillonstudios Posted August 31, 2009 Author Share Posted August 31, 2009 then what do you recommend be doing instead of a secret question? and it doesnt quite work it pulls up the email form when you go to it but i when you submit it it doesnt go to like http://yourdomain/index.php?action=forgot&email=you@domain.com and when you go there manually it doesnt show the secret question. heres the most up to date code its a bit different. <?php if (!$_GET['email']) { if (!$_POST['lost_pass']) { //the form hasn't been submitted, we make it echo '<form method="post" action="index.php?action=forgot"> <fieldset> <legend>Forgot Password</legend> <table> <tr><td>Email </td></tr><tr><td>'.form_input(text,email).'</td></tr> </table> </fieldset> <p><input type="submit" name="lost_pass" value="Continue ->"></p> </form>'; }else{ $email = isEmail($_POST['email']); $sql = "SELECT * FROM users WHERE email = '".$email."'"; $checkmail = mysql_query($sql) or die(mysql_error()); //the above lines look for the email address in the member table if (mysql_num_rows($checkmail) == "0") { exit("We can't find that email address in our member database, please make sure you entered the correct address"); } } }else{ //Selecting the News From trhe Table news $query = "SELECT * FROM `users` WHERE email = ".$_GET['email'].""; $result = mysql_query($query); $row = mysql_fetch_assoc($result); if (!$_POST['answer']) { //the form hasn't been submitted, we make it echo '<form method="post" action="index.php?action=forgot"> <fieldset> <legend>Forgot Password</legend> <table> <tr><td><i>'.$row['question'].'</i></td></tr> <tr><td>Secret Question Answer </td></tr><tr><td>'.form_input(password,answer).'</td></tr> </table> </fieldset> <p><input type="submit" name="answer" value="Continue ->"></p> </form>'; }else{ $answer = isEmail($_POST['answer']); $sql = "SELECT * FROM users WHERE answer = '".$answer."'"; $checkmail = mysql_query($sql) or die(mysql_error()); //the above lines look for the email address in the member table if (mysql_num_rows($checkmail) == "0") { exit("We can't find that email address in our member database, please make sure you entered the correct address"); }else{ //if the email doesn't exist, tell the user it doesn't // *************************// // Random Password Generator // // *************************// $checkmail = mysql_fetch_array($checkmail); $user = $checkmail['username']; $totalChar = 7; // number of chars in the password $salt = "abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ123456789"; // salt to select chars from srand((double)microtime() * 1000000); // start the random generator $password = "0"; // set the inital variable for ($i = 0; $i < $totalChar; $i++) // loop and create password $password = $password . substr($salt, rand() % strlen($salt), 1); // *************************// // Display Password // // *************************// $encpass = sha1($password . SALT); $update = "UPDATE users set password ='$encpass' WHERE username ='$user'"; mysql_query($update) or die(mysql_error()); //change the member's password to the new generated one echo ('You Can Now login with this password.<br /> Your Password: '.$password.'<br /> After you Login, Click "Edit Profile", and change your password right away.<br /> Thank You for using the Isus CMS 2.0 Password Recovery Tool. '); } } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/172579-php-secret-question/#findComment-909771 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.