please help. !!

[georgebates]

Hi there,

 

I got this login/registration script from a website and it encrypts the passwords before entering them into the database. I am making a lost password section and need to decrypt the password now but im not sure how too.

 

This is the code that they use to encrypt the password:

 

// here we encrypt the password and add slashes if needed
$_POST['pass'] = md5($_POST['pass']);
if (!get_magic_quotes_gpc()) {
$_POST['pass'] = addslashes($_POST['pass']);
$_POST['username'] = addslashes($_POST['username']);
}

[rajivgonsalves]

You cannot decrypt a hash password as it is one way encryption, you could do a custom encryption or give a reset password functionality

[georgebates]

how would i do that?

 

[rajivgonsalves]

for reset a password you create a table that stores the req, say

 

username, request_hash

 

request hash will be something you generate, like md5(time().$username) or any combination store it in the database, make another page to handle password reset, send a link to the user in his/her email something like reset.php?hash=request_hash

 

once the user comes to your reset page check for which user does the hash exists for, give him/her a prompt to enter existing password and new password, check the existing password with the database (same as you did with login) if it checks out correct change the password.

 

hope the explaining was useful

[blueman378]

for reset a password you create a table that stores the req, say

 

username, request_hash

 

request hash will be something you generate, like md5(time().$username) or any combination store it in the database, make another page to handle password reset, send a link to the user in his/her email something like reset.php?hash=request_hash

 

once the user comes to your reset page check for which user does the hash exists for, give him/her a prompt to enter existing password and new password, check the existing password with the database (same as you did with login) if it checks out correct change the password.

 

hope the explaining was useful

 

Hey rajiv, long time no see,

 

anyway for a password reset you wouldnt check it against the current password as they have forgotten it. simply add a field email or something similar, basically just another identification string that is included in the url so they cant guess them

 

[MisterWebz]

Or you could just delete the old one and send them a random generated password.

[FaT3oYCG]

what is better is to ask them for their email address or username and then send an email to the relevant email with a link to a page that will allow them to enter a new password, as thy shoudl be the only person with their email details they should be the only person with the relevant link that you send which may be checked by submiting a php page and checking the string requested from a databse which expires after so long etc.

[rajivgonsalves]

for reset a password you create a table that stores the req, say

 

username, request_hash

 

request hash will be something you generate, like md5(time().$username) or any combination store it in the database, make another page to handle password reset, send a link to the user in his/her email something like reset.php?hash=request_hash

 

once the user comes to your reset page check for which user does the hash exists for, give him/her a prompt to enter existing password and new password, check the existing password with the database (same as you did with login) if it checks out correct change the password.

 

hope the explaining was useful

 

Hey rajiv, long time no see,

 

anyway for a password reset you wouldnt check it against the current password as they have forgotten it. simply add a field email or something similar, basically just another identification string that is included in the url so they cant guess them

 

 

doing good sorry about that I totally did not see it was a forgot password lol, you could reset the password and send it some random generated password as mentioned above I think that will be the best