georgebates Posted November 28, 2009

Hi there, I got this login/registration script from a website and it encrypts the passwords before entering them into the database. I am making a lost password section and need to decrypt the password now, but I'm not sure how to. This is the code that they use to encrypt the password:

    // here we encrypt the password and add slashes if needed
    $_POST['pass'] = md5($_POST['pass']);
    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        $_POST['username'] = addslashes($_POST['username']);
    }

rajivgonsalves Posted November 28, 2009

You cannot decrypt a hashed password as it is one-way encryption; you could do a custom encryption or give a reset password functionality.

georgebates (Author) Posted November 28, 2009

How would I do that?

rajivgonsalves Posted November 28, 2009

For resetting a password you create a table that stores the request, say username, request_hash. The request hash will be something you generate, like md5(time().$username) or any combination. Store it in the database, make another page to handle the password reset, and send a link to the user in his/her email, something like reset.php?hash=request_hash. Once the user comes to your reset page, check which user the hash exists for, give him/her a prompt to enter the existing password and new password, and check the existing password with the database (same as you did with login); if it checks out correct, change the password. Hope the explanation was useful.

blueman378 Posted November 28, 2009

> For resetting a password you create a table that stores the request, say username, request_hash. The request hash will be something you generate, like md5(time().$username) or any combination. Store it in the database, make another page to handle the password reset, and send a link to the user in his/her email, something like reset.php?hash=request_hash. Once the user comes to your reset page, check which user the hash exists for, give him/her a prompt to enter the existing password and new password, and check the existing password with the database (same as you did with login); if it checks out correct, change the password. Hope the explanation was useful.

Hey rajiv, long time no see. Anyway, for a password reset you wouldn't check it against the current password, as they have forgotten it. Simply add a field, email or something similar, basically just another identification string that is included in the URL so they can't guess them.

MisterWebz Posted November 28, 2009

Or you could just delete the old one and send them a randomly generated password.

FaT3oYCG Posted November 28, 2009

What is better is to ask them for their email address or username and then send an email to the relevant email with a link to a page that will allow them to enter a new password. As they should be the only person with their email details, they should be the only person with the relevant link that you send, which may be checked by submitting a PHP page and checking the string requested from a database, which expires after so long, etc.

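The e-mailed reset link described above, as an added example that is not code from any poster in this thread. The table, column and function names are hypothetical, and it runs against an in-memory SQLite database with a constructed account. It assumes a token drawn from random_bytes() so the link cannot be guessed, stored only as a SHA-256 hash with an expiry, and it saves the new password with password_hash() instead of the md5() used by the original script.

```php
<?php
// Added example; the table, columns and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT)');
$db->exec('CREATE TABLE password_resets
           (username TEXT PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
// Constructed sample account.
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('old-password', PASSWORD_DEFAULT)]);

// Create a reset request and return the token that goes into the e-mailed link.
function createResetToken(PDO $db, string $username, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));        // unguessable, from the CSPRNG
    // Store only a hash, so a leaked table does not yield usable links.
    // REPLACE keeps at most one pending request per user.
    $db->prepare('REPLACE INTO password_resets VALUES (?, ?, ?)')
       ->execute([$username, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Exchange a valid, unexpired token for a new password. Each token works once.
function resetPassword(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare(
        'SELECT username, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                          // unknown or already used
    }
    // Delete first so the token cannot be replayed, whatever happens next.
    $db->prepare('DELETE FROM password_resets WHERE username = ?')
       ->execute([$row['username']]);
    if ((int) $row['expires_at'] < time()) {
        return false;                          // expired
    }
    $db->prepare('UPDATE users SET pass = ? WHERE username = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['username']]);
    return true;
}

$token = createResetToken($db, 'alice');
echo "reset.php?hash=$token\n";                          // link to e-mail
var_dump(resetPassword($db, $token, 'new-password'));    // first use of the link
var_dump(resetPassword($db, $token, 'another-one'));     // same link used again
```
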
rajivgonsalves Posted November 29, 2009

> > For resetting a password you create a table that stores the request, say username, request_hash. The request hash will be something you generate, like md5(time().$username) or any combination. Store it in the database, make another page to handle the password reset, and send a link to the user in his/her email, something like reset.php?hash=request_hash. Once the user comes to your reset page, check which user the hash exists for, give him/her a prompt to enter the existing password and new password, and check the existing password with the database (same as you did with login); if it checks out correct, change the password. Hope the explanation was useful.
>
> Hey rajiv, long time no see. Anyway, for a password reset you wouldn't check it against the current password, as they have forgotten it. Simply add a field, email or something similar, basically just another identification string that is included in the URL so they can't guess them.

Doing good. Sorry about that, I totally did not see it was a forgot password lol. You could reset the password and send some randomly generated password as mentioned above; I think that will be the best.