Change Password Tool not Rehashing

[dyr]

Hi folks!  Upon registering, my register script runs an md5 hash on the password.  My problem is when the user wants to change passwords.  currently I have a very simple profile, and when they edit it, it doesn't rehash the password- it simply replaces the entire hashed old password with the plain, new password.  Any way I could get the script to rehash the password?

 

editprofile.php

<?php

include('config.php');
include('header.php');
if($_SESSION['id']=="") {
     header("Location: YouMustLogInNotice.html");
    }


if(isset($_POST['btnedit'])){
$callname = $_POST['callname'];
$email = $_POST['email'];
$password = $_POST['password'];

$sql = mysql_query( "UPDATE users SET callname='".$callname."', email='".$email."', password='".$password."' WHERE id='".$_SESSION['id']."'" );

if($sql){
echo "<script>alert('profile updated');window.location='myprofile.php?id=$userfinal'</script>";
}else{
echo "<script>alert('updating profile failed!');</script>";
}

}




$sql = mysql_query( "SELECT * FROM users WHERE id='".$_SESSION['id']."'" ); 
$row = mysql_fetch_array($sql);


$user = $userfinal;

echo "<td align=center>

<div id=box>
<table width='100%'>
<tr>
<td><h2>Edit profile</h2>
<form method='post'>
<table><tr><th>ID#:</th><td>".$user."</td></tr>
<tr><th>Name:</th><td><input type='text' name='callname' value='".$row['callname']."'/></td></tr>
<tr><th>Email:</th><td><input type='text' name='email' value='".$row['email']."'/></td></tr>
<tr><th>Password:</th><td><input type='password' name='password' value='".$row['password']."'/></td></tr>
<tr><th>Registered:</th><td>".$row['registered']."</td></tr>
<tr><th>Last Login:</th><td>".$row['lastlogin']."</td></tr>
</table><br />
<input type='submit' name='btnedit' value='update' class=button />
</form></div></td>
</tr>
</table>
</td></tr>
</table>";


?>
<?php

include('footer.php');

?>

[kicken]

Find the part of the code from your registration script that does the hashing and copy it over to your change password script so that it will do the same thing.

[Eiolon]

You are submitting it to the database in plain text.  There is no MD5 function in your code at all.

[NLT]

$password = $_POST['password'];

 

You're just posting the password. Add whatever hash you are using around it. So if you are using md5, it would be like this:

$password = md5(mysql_escape_string($_POST['password']));

So if the form was "test", it would insert "098f6bcd4621d373cade4e832627b4f6".

 

You should never submit raw POST data to the database for security reasons.

[xyph]

When you MD5 the POST data, you're removing any possible injection the user may have attempted.

 

md5(mysql_escape_string($_POST['password']));

is actually redundant.

[dyr]

Thanks guys, for some reason the md5($_POST['password'])); wasn't working earlier.  I guess I typo'd. 

 

Speaking of passwords, I have a forgot password tool.  But I've encrypted all passwords in md5 so there's no way to unencrypt them and send the user an email with the regular password.  So I was thinking of emailing the user a link that expires after x amount of time, and when they click on that from their email they can change their password.  I so far have the form/emailing portion down fine (form in forgot.php, clicking that runs it through a check  on forgotpass.php and message shows up 'it's been sent' or a form of an error message). 

 

However, I'm not sure how I would generate a random link that expires (showing them the reset password form) and updating the mySQL table.  Any help with this?  I'd really appreciate it.

 

forgotpass.php

<?php 
include('config.php');
echo "<form action=forgotpass.php method=post><input type=text placeholder=Email name=email size=17><br /><input type=submit name=submit value=submit class=button></form>";

$email=$_POST['email'];
$email=mysql_real_escape_string($email);
$status = "OK";
$msg="";
//error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR);

if (!stristr($email,"@") OR !stristr($email,".")) {
$msg="Your email address is not correct<BR>";
$status= "NOTOK";}


echo "<br><br>";
if($status=="OK"){ 
$query="SELECT email,id,password FROM users WHERE email = '$email'";
$st=mysql_query($query);
$recs=mysql_num_rows($st);
$row=mysql_fetch_object($st);
$em=$row->email;
if ($recs == 0) {
// let us show the error message 
echo "<center><font face='Verdana' size='2' color=red><b>No Password</b><br> Sorry Your address is not there in our database . You can signup and login to use our site. <BR><BR><a href='signup.php'> Sign UP </a> </center>"; 
exit;}

$headers4="[email protected]"; 
$headers.="Reply-to: $headers4\n";
$headers .= "From: $headers4\n"; 
$headers .= "Errors-to: $headers4\n"; 
//$headers = "Content-Type: text/html; charset=iso-8859-1\n".$headers;

if(mail("$em","Your Request for login details","This is in response to your request for login detailst at site_name \n \nLogin ID: $row->userid \n Password: $row->password \n\n Thank You \n \n siteadmin","$headers")){echo "<center><font face='Verdana' size='2' ><b>THANK YOU</b> <br>Your password is posted to your emil address . Please check your mail after some time. </center>";}

else{
echo " <center><font face='Verdana' size='2' color=red >There is some system problem in sending login details to your address. Please contact site-admin. <br><br><input type='button' value='Retry' onClick='history.go(-1)'></center></font>";} 

} 
else {// Validation failed so show the error message 
echo "<center><font face='Verdana' size='2' color=red >$msg <br><br><input type='button' value='Retry' onClick='history.go(-1)'></center></font>";}

?>

[NLT]

I have created one previously - maybe you can work off it.

 

<?PHP 
/* ======================== */
/*   Password Reset Script  */ 
/* ======================== */


// File configuration
$connection['host'] = "localhost"; // Database host
$connection['user'] = "dbuser"; // Database username
$connection['password'] = "dbpass"; // Password
$connection['database'] = "dbname"; // Database name
$site = "http://website.url.com"; // URL to the directory your password script is in. Include the "http://"
$hashtype = "md5"; // Hash type in your database to update a users password
$filename = "password.php"; // Name of the file your script is located
$sitename = "Lol"; // Your site name
$email = "[email protected]"; // Your email



$connect = mysql_connect($connection['host'], $connection['user'], $connection['password']);
$connect = mysql_select_db($connection['database']);




if(isset($_GET['code'])) 
    {
        $hashcode = $_GET['code'];
        $lookforcode = mysql_query("SELECT * FROM `passrecovery` WHERE hash='". $hashcode ."'");
        if(mysql_num_rows($lookforcode) > 0)
            {
                $pcinfo = mysql_fetch_assoc($lookforcode);
                echo "Thanks, ". $pcinfo['username'] . ", your password has been sent to your mail account.";
                $newquery = mysql_query("SELECT * FROM `users` WHERE username='". $pcinfo['username'] ."'");
                $puinfo = mysql_fetch_assoc($newquery);
                $plain_password = substr (md5(uniqid(rand(),1)), 3, 10);
                $udpass = mysql_query("UPDATE `users` SET password='". $hashtype($plain_password) . "' WHERE username='". $puinfo['username'] ."'");
                // send mail
                $to = $puinfo['mail']; 
                $subject = "Your new password - ". $sitename;
                $message = "Your login information \r\nUsername: ". $puinfo['username'] ."\r\nPassword: ". $plain_password;
                $header = "From: ". $email;
                $sentmail = mail($to, $subject, $message, $header);
                $endquery = mysql_query("DELETE FROM `passrecovery` WHERE hash='". $hashcode ."'");
                
            }
        else
            {
                echo "Invalid key";
            }
    }
// Check if form has been submit already
elseif(isset($_POST['submit']))
    {
        // Look for their user
        $lookuser = mysql_query("SELECT * FROM `users` WHERE username='". mysql_escape_string($_POST['username']) ."'") or die(mysql_error());
        // If we find a row
        if(mysql_num_rows($lookuser) > 0)
            {
                $uinfo = mysql_fetch_assoc($lookuser);
                $chktable = mysql_query("SELECT * FROM `passrecovery` WHERE username='". mysql_escape_string($_POST['username']) ."'");
                if(mysql_num_rows($chktable)==0) 
                    {
                        $hash=md5(uniqid(rand()));
                        $query1 = mysql_query("INSERT INTO `passrecovery`(username, hash) VALUES ('". $uinfo['username'] ."', '". $hash ."')");
                        echo "Thank you, ". $uinfo['username'] .". Please check your email (It may appear in the Junk folder).";
                        $to = $uinfo['mail'];
                        $subject = "Password reset - ". $sitename; 
                        $header = "Content-type: text/html\r\n"; 
                        $header.= "From: ". $email;
                        $message="Your confirmation link<br>\r\n";
                        $message.="<a href=". $site ."/". $filename . "?code=". $hash . "> Click here to get a password sent to you.\r\n </a><br>";
                        $message.="If you cannot click the link, copy and paste this link to your URL bar..\r\n<br>";
                        $message.=$site ."/". $filename . "?code=". $hash;
                        $sentmail = mail($to, $subject, $message, $header);
                    }
            }
        // If no row was found
        else
            {
                echo "An error has occured. <br> If you are sure you entered your username correctly, please contact an administrator.";
            }
    }
else
    {
?>

<form method="post" action="<?php echo $site ."/". $filename; ?>"> 
<input type="text" name="username" /> 
<input type="submit" name="submit" value="Submit" />
</form>
<?PHP } ?>