Darnel Posted May 27, 2011

Hi, I'm having some problems with this code. I have a password reset utility code which works and encrypts the password with md5 by using the password recovery page. But in order for a user with a reset password to log in I have to use this code in my page.

    $username = addslashes($_POST['username']);
    $salt = 'random_stuff_15545';
    $password = md5($_POST['password'].$salt);

But when I have this code above, the users that have NOT reset their passwords can NOT log in. So for these users who have not reset their password I use this code [but with this code the users that reset their pass cannot log in]:

    $username = addslashes($_POST['username']);
    $password = md5($_POST['password']);

How can I allow both types of users to log in?

Cheers

mikesta707 Posted May 27, 2011

Is there a specific reason you salt one password but not the other? Why not just salt both or salt neither...

Darnel Posted May 27, 2011 (Author)

If I understand right, all the passwords are salted in my database. The problem is when a user resets their password they can no longer log in if there is no $salt. And if I do have $salt then the normal users can't log in. Sorry, I'm new at this.

mikesta707 Posted May 27, 2011

Well, the first thing you need to do is check to see if all passwords are indeed salted before you add them into your database. I would check your registration script to find this out. If they are (and I suspect they are not, or at least they use a different salt) then your login script with the salt should work, theoretically.

Darnel Posted May 27, 2011 (Author)

Ah, I found the problem: for some reason I have two registration forms and in one the $salt was missing, so now I have a database with some salted and some not salted passwords. Is there a way to update all my password fields in mysql?

mikesta707 Posted May 27, 2011

Not really. Since you used a hash there is no way to take the hashed string and return it to its original string, so unless you know all the passwords to all the accounts, and can go through each 1 by 1, comparing the hashed password to the hash you have in the table, I don't really see a way of rectifying the situation, short of clearing the database and starting over. Is your website in production? Or are you just testing it? If it's in production, and the usernames and passwords are from actual users, I guess you learned the lesson to always fully test your features before you unveil them to the public.

Darnel Posted May 27, 2011 (Author)

> Not really. Since you used a hash there is no way to take the hashed string and return it to its original string, so unless you know all the passwords to all the accounts, and can go through each 1 by 1, comparing the hashed password to the hash you have in the table, I don't really see a way of rectifying the situation, short of clearing the database and starting over. Is your website in production? Or are you just testing it? If it's in production, and the usernames and passwords are from actual users, I guess you learned the lesson to always fully test your features before you unveil them to the public.

Yes, the website is live. I bought it from someone else... I updated everything so all new users will be alright. As for the old users, they will not be able to log in until they reset their password using the forgot password link. I guess I got F*****. Lesson learned and experience gained in the process. Thanks for your help clearing this mess, I really appreciate it.
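
Added example, not part of the original thread and not code from any poster: one way to accept both kinds of stored MD5 value at login and replace each with a `password_hash()` value the next time its owner logs in successfully. The function name, the constant name and the sample rows are assumptions; only the salt string and the two `md5()` forms are taken from the first post.

```php
<?php
// Added example. LEGACY_SALT, verify_and_upgrade() and the sample rows are
// assumptions; only the salt string and the two md5() forms come from the thread.
const LEGACY_SALT = 'random_stuff_15545';

/**
 * Check a submitted password against a stored hash of any of three kinds.
 * Returns [bool $ok, ?string $newHash]; a non-null $newHash should replace
 * the stored value (write it back with a prepared statement).
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // Already migrated: value was produced by password_hash().
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        $ok = password_verify($password, $stored);
        $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
        return [$ok, $rehash ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    // Legacy row: 32 hex chars of MD5, salted or unsalted depending on
    // which registration form (or the reset page) created it.
    $legacy = [md5($password . LEGACY_SALT), md5($password)];
    foreach ($legacy as $candidate) {
        if (hash_equals(strtolower($stored), $candidate)) {
            // Correct password: upgrade so the MD5 value is retired.
            return [true, password_hash($password, PASSWORD_DEFAULT)];
        }
    }
    return [false, null];
}

// Constructed sample rows standing in for the users table.
$rows = [
    'old_user'   => md5('correct horse'),               // form without the salt
    'reset_user' => md5('correct horse' . LEGACY_SALT), // reset page / salted form
];
foreach ($rows as $name => $stored) {
    [$ok, $newHash] = verify_and_upgrade('correct horse', $stored);
    if ($ok && $newHash !== null) {
        $rows[$name] = $newHash; // real app: UPDATE the row for this user
    }
    $kind = password_get_info($rows[$name])['algoName'];
    printf("%s: login %s, stored hash is now %s\n", $name, $ok ? 'ok' : 'failed', $kind);
}
```

The password column has to be wide enough for the new values; the PHP manual recommends 255 characters when using `PASSWORD_DEFAULT`.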