justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 Urm..I did have it working yesterday but the email was going into the spam folder. I used this and its also working http://www.danbriant.com/wp-content/uploads/2010/03/passwordreset.txt However it applies a rather tacky Javapscript pop up. Is there anyway to change it so that a message is applied to a screen. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376789 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 Hi, Does anyone know of any password reset scripts which dont feature Javapscript pop-ups and allow for password reset by the user. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376790 Share on other sites More sharing options...
KevinM1 Posted September 10, 2012 Share Posted September 10, 2012 Urm..I did have it working yesterday but the email was going into the spam folder. I used this and its also working http://www.danbriant.com/wp-content/uploads/2010/03/passwordreset.txt Horrible script. Short tags, use of ereg functions for the regex checks (which should be triggering warnings if you're using PHP 5.3+), regex instead of built-in filters (which have been available by default since 5.2 - http://www.php.net/manual/en/filter.examples.validation.php). Does anyone know of any password reset scripts which dont feature Javapscript pop-ups and allow for password reset by the user. The best one will be the one you write yourself. You just need to slow down and learn the basics. You're trying to run before you can crawl, let alone walk, and even a 3rd party script won't help you much if you don't understand what you're looking at. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376799 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 The best one will be the one you write yourself. You just need to slow down and learn the basics. You're trying to run before you can crawl, let alone walk, and even a 3rd party script won't help you much if you don't understand what you're looking at. If its so bad why are people on here recommending it? Not to dispute what you are saying but I need to get going with this. There must be a standard way to reset a password with an email? What about this one. Is it any better? http://stackoverflow.com/questions/394214/a-forgot-user-password-standard-class-or-script-in-php-mysql-environment Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376803 Share on other sites More sharing options...
Jessica Posted September 10, 2012 Share Posted September 10, 2012 If you refuse to listen to the advice you've been given, don't be surprised when no one wants to help you anymore. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376812 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 If you refuse to listen to the advice you've been given, don't be surprised when no one wants to help you anymore. But why do I need to recreate the wheel when its been used many times over. There must be a standard way of resetting a password by email. I've paid for a script so that hasn't worked and someone has posted a script which someone has said is no good. There must be a standard script which does the job? Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376813 Share on other sites More sharing options...
KevinM1 Posted September 10, 2012 Share Posted September 10, 2012 The best one will be the one you write yourself. You just need to slow down and learn the basics. You're trying to run before you can crawl, let alone walk, and even a 3rd party script won't help you much if you don't understand what you're looking at. If its so bad why are people on here recommending it? A grand total of one person recommended it, and it was a poor recommendation. Not to dispute what you are saying but I need to get going with this. There must be a standard way to reset a password with an email? What about this one. Is it any better? http://stackoverflow.com/questions/394214/a-forgot-user-password-standard-class-or-script-in-php-mysql-environment Yes, that's a better script. The basic idea is this: User clicks "Forgot Password" -> they are brought to a form where they're supposed to enter in their email address -> If the email address is in the system, stuff happens* and the email is sent -> user clicks on a link in the email, they're logged in and are brought to a form where they can enter in a new password. *Basically, you need to create some sort of temporary password for the user and store it in the system. You can either create a db table just for temp passwords (like the SO script does) or overwrite the user's existing password with the temp password. That's up to you, and how you think it should work. Regardless, the link present in the email should contain query string values ($_GET[]....) for the user's id and the temp password. They should be obfuscated or hashed. --- All that said, I'm still of the opinion that you desperately need to brush up on the basics. Not knowing what a hash is (among other things) while attempting to create a system that handles user data is concerning. I'm not saying this to pick on you, but rather as a security and privacy conscious end user. Take your time if you don't understand how this all works. Far better to go slow and do it right the first time than to slap something together and get a breach. Remember - most users tend to use the same email and passwords for many sites. That's one vector of identity theft and data loss - a small site with poor security is compromised, and months later that information is used to screw people over. Don't. Rush. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376814 Share on other sites More sharing options...
KevinM1 Posted September 10, 2012 Share Posted September 10, 2012 Also: http://lmgtfy.com/?q=forgot+password+php+tutorial Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376815 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 All that said, I'm still of the opinion that you desperately need to brush up on the basics. Not knowing what a hash is (among other things) while attempting to create a system that handles user data is concerning. I'm not saying this to pick on you, but rather as a security and privacy conscious end user. Take your time if you don't understand how this all works. Far better to go slow and do it right the first time than to slap something together and get a breach. Remember - most users tend to use the same email and passwords for many sites. That's one vector of identity theft and data loss - a small site with poor security is compromised, and months later that information is used to screw people over. Don't. Rush. Definately agree that it should be done properly. I have added MD5 but I need to add a salt. I am also currently adding preg_match. The thing that always bothers me = there are 1000's of sites using a quality and reliable membership script. So why is it so difficult for me to get hold of one? Why do I have to write one myself if they are so widespread? Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376818 Share on other sites More sharing options...
Pikachu2000 Posted September 10, 2012 Share Posted September 10, 2012 Because they all wrote their own. If you just want to use someone else's work, pay someone to write it. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376824 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 Because they all wrote their own. If you just want to use someone else's work, pay someone to write it. I have paid someone but they didn't work either. Am I wrong in saying that this is all standard stuff. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376827 Share on other sites More sharing options...
Jessica Posted September 10, 2012 Share Posted September 10, 2012 Yes, you are wrong. Kevin explained to you the standard protocol. But there is no kind of "standard script" that you can just plug into your site, and expect it to work. If you want that sort of functionality, a framework might be useful but you need to learn how to write your own code first. You are trying to go too fast and do too much without understanding how it all works. Writing your own code is how a programmer LEARNS. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376828 Share on other sites More sharing options...
justlukeyou Posted September 10, 2012 Author Share Posted September 10, 2012 Okay, I just thought that all reliable, quality membership scripts are % the same. They just require different information. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376833 Share on other sites More sharing options...
Christian F. Posted September 11, 2012 Share Posted September 11, 2012 They are pretty much the same, at least in principle. However, the qualifying descriptors being "reliable" and "quality". A lot of scripts out there are anything but reliable, let alone works of quality. If you want to be able to spot the good ones from the bad ones, you need to have the prerequisite knowledge for writing one yourself. Even if you don't want to do it. Whether to use an existing script, and possibly slightly modifying it to suit your needs, or writing your own is also something which requires knowledge and planning. Most of the times you can quite easily use a pre-existing login system, other times the application is complex enough that you need to write your own. I'm not quite sure that I agree 100% with the statement that you need to write your own, or use a full blown framework, but what we all agree upon is that you need to learn this stuff before moving forward with your plans (or pay someone who knows what they're doing). That's the only way to ensure your users' security, for the reasons mentioned in this thread already. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1376932 Share on other sites More sharing options...
justlukeyou Posted September 11, 2012 Author Share Posted September 11, 2012 Hi, If you were making a full membership script is there definitive list of features you would have such as: Prgmatch on each input cell to prevent code injection Password comparison MD5 with salt on password Email Confirmation of registration Logout option Password reset with email featuring temporary password Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377095 Share on other sites More sharing options...
Jessica Posted September 11, 2012 Share Posted September 11, 2012 No - passwords should not be hashed with MD5, and most sites don't use a temporary password for a reset, that's not very secure. I don't know what you mean by password comparison. Also, why would you do "prgmatch" on input? Not to prevent injection... Why are you posting this here anyway? Are you actually asking someone to build you a system? Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377101 Share on other sites More sharing options...
justlukeyou Posted September 11, 2012 Author Share Posted September 11, 2012 Hi, Im trying to find out everything that I should include in the membership system so I have a full list of what I need to include. - I thought passwords were entered with MD5 and also a random character added (a salt) - I thought pregmatch was the process of stopping code from being injected. So you can only safe characters can be entered into the database. - With most sites you have to repeat the password so that someone doesn't mispell a password. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377108 Share on other sites More sharing options...
darkfreaks Posted September 12, 2012 Share Posted September 12, 2012 i think what Jesi is trying to say is *Hashing a salt with md5 is not very secure SHA256 is way more secure than md5 or sha1 comparing SHA256 HASH passwords * using PHP Regex and strip_tags to eliminate XSS is a NO NO! using htmlspecialchars is a way better route to explore. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377150 Share on other sites More sharing options...
Christian F. Posted September 12, 2012 Share Posted September 12, 2012 Not saying that this is what Jesi meant, but input validation has nothing to do with preventing XSS injections. For that, you'll need output escaping (in the form of htmlspecialchars () as noted). Input validation is about ensuring that the input you get from the user is what you expect, in order to ensure that the data you're working with is valid. You want to make sure that the user did indeed give you correct data, so that your code does what is expected. If not, show a warning about why it what's wrong and why. Even valid input can lead to HTML injection (attacks), or SQL query problems. Like the rather innocuous string "<3" or the last name of "O'Toole", respectively. In any case, we're drifting rather far off topic now, methinks.. This topic is really for a different thread. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377171 Share on other sites More sharing options...
Jessica Posted September 12, 2012 Share Posted September 12, 2012 Like anyone knows what I mean. I don't even know what I mean. Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377211 Share on other sites More sharing options...
darkfreaks Posted September 12, 2012 Share Posted September 12, 2012 LOL @ Jesi whut you mean you don't know Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377297 Share on other sites More sharing options...
premiso Posted September 12, 2012 Share Posted September 12, 2012 i think what Jesi is trying to say is *Hashing a salt with md5 is not very secure SHA256 is way more secure than md5 or sha1 http://forums.phpfreaks.com/index.php?topic=254277.msg1718540#msg1718540 READ NOwwwW Okayz? Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377299 Share on other sites More sharing options...
darkfreaks Posted September 12, 2012 Share Posted September 12, 2012 well if that is the case... Hashing Passwords with Bcrypt Quote Link to comment https://forums.phpfreaks.com/topic/268086-reset-email-password-code-by-email/page/2/#findComment-1377306 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.