
Urm.. I did have it working yesterday, but the email was going into the spam folder. I used this and it's also working: http://www.danbriant.com/wp-content/uploads/2010/03/passwordreset.txt

 

However, it applies a rather tacky JavaScript pop-up. Is there any way to change it so that a message is applied to a screen?


Horrible script.  Short tags, use of ereg functions for the regex checks (which should be triggering warnings if you're using PHP 5.3+), regex instead of built-in filters (which have been available by default since 5.2 - http://www.php.net/manual/en/filter.examples.validation.php).

 

Does anyone know of any password reset scripts which don't feature JavaScript pop-ups and allow for password reset by the user?

 

The best one will be the one you write yourself.  You just need to slow down and learn the basics.  You're trying to run before you can crawl, let alone walk, and even a 3rd party script won't help you much if you don't understand what you're looking at.

 


If it's so bad, why are people on here recommending it?

 

Not to dispute what you are saying but I need to get going with this.  There must be a standard way to reset a password with an email?

 

What about this one. Is it any better?

 

http://stackoverflow.com/questions/394214/a-forgot-user-password-standard-class-or-script-in-php-mysql-environment

 

If you refuse to listen to the advice you've been given, don't be surprised when no one wants to help you anymore.

 

But why do I need to recreate the wheel when it's been used many times over? There must be a standard way of resetting a password by email.

 

I've paid for a script, so that hasn't worked, and someone has posted a script which someone else has said is no good. There must be a standard script which does the job?

 


A grand total of one person recommended it, and it was a poor recommendation.

 


Yes, that's a better script.

 

The basic idea is this:

 

User clicks "Forgot Password" -> they are brought to a form where they're supposed to enter their email address -> if the email address is in the system, stuff happens* and the email is sent -> user clicks on a link in the email, they're logged in and are brought to a form where they can enter a new password.

 

*Basically, you need to create some sort of temporary password for the user and store it in the system. You can either create a db table just for temp passwords (like the SO script does) or overwrite the user's existing password with the temp password. That's up to you, and how you think it should work.

 

Regardless, the link present in the email should contain query string values ($_GET[]....) for the user's id and the temp password. They should be obfuscated or hashed.

 

---

 

All that said, I'm still of the opinion that you desperately need to brush up on the basics.  Not knowing what a hash is (among other things) while attempting to create a system that handles user data is concerning.  I'm not saying this to pick on you, but rather as a security and privacy conscious end user.  Take your time if you don't understand how this all works.  Far better to go slow and do it right the first time than to slap something together and get a breach.  Remember - most users tend to use the same email and passwords for many sites.  That's one vector of identity theft and data loss - a small site with poor security is compromised, and months later that information is used to screw people over.

 

Don't.  Rush.
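The flow described above, written out as an added example (this is not the SO script, the OP's script, or code from anyone in this thread). It takes the "separate table for temp passwords" option: the temporary secret is a random token, only its SHA-256 hash is stored, and both the user id and the token travel in the query string. The table names `users` and `password_resets`, the column names, the `https://example.com/reset.php` URL, and the in-memory SQLite database standing in for MySQL are all assumptions made for the example; `random_bytes`, `hash_equals` and `password_hash` are the standard PHP functions.

```php
<?php
// Added example, not from the thread. Assumes a users table (id, email, password_hash)
// and a password_resets table (user_id, token_hash, expires_at). SQLite in memory
// stands in for the real MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
// Constructed sample user.
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

const RESET_TTL = 3600; // a reset link stays valid for one hour

// Step 1: the "forgot password" form. Returns the link that would go into the email
// (the real script hands it to mail()), or null when the address is unknown. Show the
// same "check your inbox" message in both cases so the form does not reveal which
// addresses are registered.
function request_reset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        return null;
    }
    // The temporary secret is a random token. Only its hash is stored, so a copy of
    // the database alone is not enough to reset anyone's account.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('REPLACE INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$uid, hash('sha256', $token), time() + RESET_TTL]);
    // User id and token travel as query string values, as suggested above.
    return 'https://example.com/reset.php?' . http_build_query(['uid' => $uid, 'token' => $token]);
}

// Step 2: the user follows the link. Returns the user id only for a valid, unexpired token.
function verify_reset(PDO $db, int $uid, string $token): ?int
{
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM password_resets WHERE user_id = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // hash_equals compares in constant time, so the check does not leak through timing.
    return hash_equals($row['token_hash'], hash('sha256', $token)) ? $uid : null;
}

// Step 3: the new-password form. The token is single-use and is deleted afterwards.
function complete_reset(PDO $db, int $uid, string $token, string $newPassword): bool
{
    if (verify_reset($db, $uid, $token) === null) {
        return false;
    }
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $uid]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$uid]);
    return true;
}

// Walk through the flow with the constructed user.
$link = request_reset($db, 'alice@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(complete_reset($db, (int) $q['uid'], $q['token'], 'new-password')); // first use succeeds
var_dump(complete_reset($db, (int) $q['uid'], $q['token'], 'again'));        // same token a second time must fail
var_dump(request_reset($db, 'nobody@example.com'));                          // unknown address: nothing to send
```

The expiry and the delete-after-use are the two things most copied scripts leave out; without them a reset link found in an old mailbox works forever.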

 


Definitely agree that it should be done properly. I have added MD5 but I need to add a salt. I am also currently adding preg_match.

 

The thing that always bothers me: there are 1000s of sites using a quality and reliable membership script. So why is it so difficult for me to get hold of one?

 

Why do I have to write one myself if they are so widespread?

Yes, you are wrong. Kevin explained to you the standard protocol. But there is no kind of "standard script" that you can just plug into your site, and expect it to work. If you want that sort of functionality, a framework might be useful but you need to learn how to write your own code first. You are trying to go too fast and do too much without understanding how it all works. Writing your own code is how a programmer LEARNS.

They are pretty much the same, at least in principle. However, the qualifying descriptors there are "reliable" and "quality". A lot of scripts out there are anything but reliable, let alone works of quality. If you want to be able to spot the good ones from the bad ones, you need to have the prerequisite knowledge for writing one yourself, even if you don't want to do it.

Whether to use an existing script, possibly slightly modifying it to suit your needs, or to write your own is also something which requires knowledge and planning. Most of the time you can quite easily use a pre-existing login system; other times the application is complex enough that you need to write your own.

 

I'm not quite sure that I agree 100% with the statement that you need to write your own, or use a full blown framework, but what we all agree upon is that you need to learn this stuff before moving forward with your plans (or pay someone who knows what they're doing). That's the only way to ensure your users' security, for the reasons mentioned in this thread already.

Hi,

 

If you were making a full membership script, is there a definitive list of features you would have, such as:

Prgmatch on each input cell to prevent code injection
Password comparison
MD5 with salt on password
Email confirmation of registration
Logout option
Password reset with email featuring temporary password

No - passwords should not be hashed with MD5, and most sites don't use a temporary password for a reset, that's not very secure. I don't know what you mean by password comparison. Also, why would you do "prgmatch" on input? Not to prevent injection...

 

Why are you posting this here anyway? Are you actually asking someone to build you a system?

Hi,

 

I'm trying to find out everything that I should include in the membership system so I have a full list of what I need to include.

 

- I thought passwords were entered with MD5 and also a random character added (a salt).
- I thought preg_match was the process of stopping code from being injected, so only safe characters can be entered into the database.
- With most sites you have to repeat the password so that someone doesn't misspell a password.

I think what Jesi is trying to say is:

* Hashing a salt with MD5 is not very secure. SHA256 is way more secure than MD5 or SHA1; compare SHA256-hashed passwords.

* Using PHP regex and strip_tags to eliminate XSS is a NO NO! Using htmlspecialchars is a way better route to explore.


Not saying that this is what Jesi meant, but input validation has nothing to do with preventing XSS injections. For that, you'll need output escaping (in the form of htmlspecialchars(), as noted).

Input validation is about ensuring that the input you get from the user is what you expect, in order to ensure that the data you're working with is valid. You want to make sure that the user did indeed give you correct data, so that your code does what is expected. If not, show a warning about what's wrong and why. Even valid input can lead to HTML injection (attacks) or SQL query problems, like the rather innocuous string "<3" or the last name "O'Toole", respectively.

 

In any case, we're drifting rather far off topic now, methinks. This topic is really for a different thread.
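The distinction drawn in the last two posts, as an added example that is not code from anyone in this thread: validation, output escaping and SQL parameter binding are three separate concerns handled at three separate places, and the "<3" and "O'Toole" values above pass through all three untouched. It uses the built-in filter extension mentioned earlier in the thread rather than a regex; the `profiles` table, the field names and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL.

// 1. Input validation: decide whether the submitted data is what the form expects.
//    It reports problems to the user and never tries to "clean" the value.
function validate_profile(array $input): array
{
    $errors = [];
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    $name = trim($input['name'] ?? '');
    // A size limit only: names like O'Toole, or a status of "<3", are legitimate data.
    if ($name === '' || strlen($name) > 100) {
        $errors['name'] = 'Name must be between 1 and 100 characters.';
    }
    // The "password comparison" from the feature list: catch a mistyped password.
    if (($input['password'] ?? '') !== ($input['password_confirm'] ?? '')) {
        $errors['password'] = 'The two passwords do not match.';
    }
    return $errors;
}

// 2. Output escaping: the defence against HTML/XSS injection lives where the value is
//    written into HTML, not where it was read. ENT_QUOTES also escapes the apostrophe,
//    so the result is safe inside single-quoted attributes as well.
function render_greeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// 3. SQL: bound parameters keep the data out of the query text, so the quote in
//    O'Toole can neither break the statement nor change its meaning.
function save_and_load(PDO $db, string $email, string $name): ?string
{
    $db->prepare('INSERT INTO profiles (email, name) VALUES (?, ?)')->execute([$email, $name]);
    $stmt = $db->prepare('SELECT name FROM profiles WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (email TEXT PRIMARY KEY, name TEXT)');

// Constructed form submissions: the first is valid but looks "dangerous", the second is invalid.
$good = ['email' => 'otoole@example.com', 'name' => "O'Toole <3", 'password' => 'x', 'password_confirm' => 'x'];
$bad  = ['email' => 'not-an-address',     'name' => '',           'password' => 'x', 'password_confirm' => 'y'];

print_r(validate_profile($bad));                 // one message per field for the user
if (validate_profile($good) === []) {
    $stored = save_and_load($db, $good['email'], $good['name']);
    echo render_greeting($stored), PHP_EOL;      // the name is stored verbatim and escaped only on output
}
```

Stripping characters at the input stage would have silently turned O'Toole into OToole and "<3" into "3" while doing nothing for a value that later ends up in a JavaScript block or an SQL query; escaping at each output, and binding at each query, covers those cases without mangling the data.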


http://forums.phpfreaks.com/index.php?topic=254277.msg1718540#msg1718540

 

READ NOwwwW Okayz?
