I-AM-OBODO Posted February 23, 2013

Hi all,

Below is a code to reset a forgotten password, but I do not know why I cannot login with the reset password?

PS: echo $password is to get the echoed password so that I can login with it.

Thanks

```php
<?php
if(isset($_POST['submit'])){

    $email = addslashes(htmlentities($_POST['email']));

    if($email == ''){
        echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
    }
    elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
        echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
    }else{
        $q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
        $r = mysql_query($q);
        if(mysql_num_rows($r)== 1){

            // Generate a random password
            $password = "";
            $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
            $rand_key = array_rand($alpha, 6);
            foreach ($rand_key as $curKey){
                $password .= $alpha[$curKey];
                echo $password;
            }
            echo "<br><br>";
            $crypt_pass = md5($password);

            //update the user password
            $q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
            $r = mysql_query ($q) or die('Cannot complete update');

            //send mail
            $to = "jamboree@yahoo.com"; //$_POST['email'];
            $from = "forgot@example.com";
            $subject = "New password";
            $msg = "You recently requested that we send you a new password for fredcom.com. 
Your new password is: $password.\n Please log in at this URL: http://localhost/login.html \n Then go to this address to change your password: http://localhost/changepass.php";

            $success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
            if($success){
                echo "Password have been sent to you email address";
            }
        }else{
            echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
        }
    }
}
?>
```

DavidAM Posted February 23, 2013

```php
$crypt_pass = md5($password);
```

Is this exactly the same thing you do to the password provided by the user on the login page? I mean exactly. You should create a common function named something like hashPassword() and use that function in your registration page, login page, and reset page; so you know you are doing the same in all three places. Then if you ever decide to use a different algorithm, you only have to change it in one place --- by the way, using MD5 with no salt is NOT a good idea, MD5 (alone) is too easy to hack (google "rainbow tables").

```php
$email = addslashes(htmlentities($_POST['email']));
```

This is not the way to retrieve user input from POST fields. Each of those functions, addslashes and htmlentities, have specific purposes not related to retrieving user data. The only thing you should do to POST (or GET) fields is stripslashes and that only if magic_quotes is on (which it should not be).

By the way,

```php
$rand_key = array_rand($alpha, 6);
foreach ($rand_key as $curKey){
    $password .= $alpha[$curKey];
    echo $password;
}
```

could be done without the foreach.

```php
$rand_key = array_rand($alpha, 6);
// array_rand() returns keys, so map them back to their characters before joining
$password = implode('', array_intersect_key($alpha, array_flip($rand_key)));
echo $password;
```

(That's an empty string in the implode call.)

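What the echo inside the foreach loop discussed above writes to the page, and how many passwords array_rand() can produce, as an added example that is not part of any post in this thread. The fixed key list is a constructed stand-in for array_rand($alpha, 6), and choose() is a hypothetical helper; intdiv() assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread.
$alpha = array_merge(range('a', 'z'), range('A', 'Z'), range(2, 9));
$rand_key = [3, 17, 30, 41, 52, 58];   // constructed stand-in for array_rand($alpha, 6)

// The posted loop: echo sits inside the foreach, so every pass prints the
// password built so far and the page shows all six prefixes run together.
$password = '';
$shown = '';
foreach ($rand_key as $curKey) {
    $password .= $alpha[$curKey];
    $shown .= $password;               // what "echo $password;" has written so far
}
echo "password that gets hashed: $password\n";
echo "text shown on the page:    $shown\n";
echo "lengths: ", strlen($password), " vs ", strlen($shown), "\n";

// array_rand() picks distinct keys, returns them in array order, and is not a
// cryptographic generator. Compare the number of passwords it can produce
// with six independent draws from the same alphabet.
function choose(int $n, int $k): int
{
    $result = 1;
    for ($i = 1; $i <= $k; $i++) {
        $result = intdiv($result * ($n - $k + $i), $i);   // exact at every step
    }
    return $result;
}

$n = count($alpha);
echo "alphabet size:                  $n\n";
echo "array_rand(\$alpha, 6) outcomes: ", choose($n, 6), "\n";
echo "six independent draws:          ", $n ** 6, "\n";
```
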
AyKay47 Posted February 23, 2013

Adding to what DavidAM has already mentioned regarding passwords, using hashing algorithms such as MD5, SHA1 and SHA256 is discouraged as these algorithms are trivial to crack. A hashing function such as crypt implementing an algorithm such as CRYPT_BLOWFISH coupled with a correctly formatted salt provides the most "computationally expensive" algorithm. Ergo making it extremely difficult and near impossible for an attacker to crack.

I-AM-OBODO Posted February 24, 2013

Thanks all.

Regarding password encryption and security, will it be good if one does something like:

```php
$pass = crypt(sha1(md5($password)));
```

Will it be a good practice?

Thanks

Christian F. Posted February 24, 2013

No, it will not. Both MD5 and SHA1 reduce the entropy, making the crypt() severely limited in what output it can give. A chain is no stronger than its weakest link, after all. Besides, you're still not using an individual salt.

I strongly recommend that you read this thread, and the articles/videos linked to in it: http://forums.phpfreaks.com/topic/273647-questions-sessions-information-storing-and-security/

I-AM-OBODO Posted February 25, 2013

Hi all.

@DavidAM, you asked if my login page is same hashing as my reset password page? Yes they are the same.

PS: I tried using crypt for password hashing and did not work for me. It doesn't login.

Below is both codes:

Login page

```php
<?php
if(isset($_POST['login'])){

    $tbl_name="reg_users";

    // Define $myusername and $mypassword
    $username=$_POST['username'];
    $password=$_POST['password'];

    // To protect MySQL injection
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    if($username == ''){
        $err1 = "<font color='red' size='-2'><b>Pls Enter Username</b></font>";
    }
    if($password == ''){
        $err2 = "<font color='red' size='-2'><b>Pls Enter Password</b></font>";
    }else{
        $crypt_pass = md5($password);

        //check for existance of username and password
        $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$crypt_pass'";
        $result=mysql_query($sql);

        // Mysql_num_row is counting table row
        $count=mysql_num_rows($result);

        // If result matched $myusername and $mypassword, table row must be 1 row
        if($count==1){
            // Register username and password and redirect to login page"
            $_SESSION['username'] = $username;
            $_SESSION['password'] = $password;
            header("location: ../onlineservices/uhm.php");
            exit();
        }
        else {
            //if no match found, echo out error message
            echo "<font color='red' size='2'><b>Invalid Username or Password</b></font><br>";
        }
    }
}
ob_end_flush();
?>
```

Reset password Code

```php
<?php
if(isset($_POST['submit'])){

    $email = stripslashes($_POST['email']);

    if($email == ''){
        echo "<font color='#990000'><b><center>Email field empty</center></b></font>";
    }
    elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)){
        echo "<font color='#990000'><b><center>Invalid email address</center></b></font>";
    }else{
        $q = "SELECT * FROM reg_users WHERE email = '$email' AND username = '$_SESSION[uname]' AND Security_no = '$_SESSION[sec_no]'";
        $r = mysql_query($q);
        if(mysql_num_rows($r)== 1){

            // Generate a random password
            $password = "";
            $alpha = array_merge(range('a','z'), range('A','Z'), range(2,9));
            $rand_key = array_rand($alpha, 6);
            foreach ($rand_key as $curKey){
                $password .= $alpha[$curKey];
                echo $password;
            }
            echo "<br><br>";
            $crypt_pass = md5($password);
            echo $crypt_pass;

            //update the user password
            $q = "UPDATE reg_users SET password = '$crypt_pass' WHERE email = '$email' AND Security_no = '$_SESSION[sec_no]'";
            $r = mysql_query ($q) or die('Cannot complete update');

            //send mail
            $to = "jamboree@yahoo.com"; //$_POST['email'];
            $from = "forgot@example.com";
            $subject = "New password";
            $msg = "You recently requested that we send you a new password for fredcom.com. Your new password is: $password.\n Please log in at this URL: http://localhost/login.html \n Then go to this address to change your password: http://localhost/changepass.php";

            $success = mail("$to","$subject","$msg","From: $from\r\nReply-To:webmaster@example.com");
            if($success){
                echo "Password have been sent to you email address";
            }
        }else{
            echo "<font color='#990000'><b>Sorry, no such record in our databsae</b></font>";
        }
    }
}
?>
```

AyKay47 Posted February 25, 2013

Show us code where you are using crypt so we can help you. There are examples in the manual of how to properly use crypt.

DO NOT use MD5 hashing for passwords.

Edited February 25, 2013 by AyKay47

I-AM-OBODO Posted February 26, 2013

@aykay, I'd like to deal with this md5 that I can login with and when I get the reset working then I'd try to implement the crypt. Thanks all same.

PS: I can login with the login page, what I can't do is login with the reset password.

Thanks all.

Jessica Posted February 26, 2013

Did you verify in the database that the password did get changed?

Christian F. Posted February 26, 2013

I recommend that you read DavidAM's post again, and implement all of the recommendations he has listed. He even touched upon what might be the reason why you cannot log in after resetting the password.

I-AM-OBODO Posted February 26, 2013

@aykay, but what I did with crypt was I changed the md5 to crypt. That is:

```php
$crypt_pass = crypt($password);
```

I-AM-OBODO Posted February 26, 2013

@jessica yes I verified and it's changing.

@christian, I've read David's post over & over. My login function is same with the reset. I even had to register new users just to verify and they all can login but after reset, the generated password won't login. Above is my login and reset script.

Thanks

Christian F. Posted February 26, 2013

You are still manipulating the data upon retrieval, contrary to what he stated in his post.

```php
// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
```

What do you think happens when you hash a password that has been modified, vs one that has not?

Joshua F Posted February 26, 2013

> @aykay, but what I did with crypt was I changed the md5 to crypt. that is:
> $crypt_pass = crypt($password);

You should read crypt for how it should be used. It's a little harder than doing what you posted but it is well worth it.

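The single hashPassword() routine DavidAM suggests, built on salted bcrypt as AyKay47 and Joshua F advise, as an added example that is not part of any post in this thread. checkPassword() and generateTempPassword() are hypothetical names, random_int() assumes PHP 7 or later, and the example goes beyond the posts by drawing the temporary password from a CSPRNG.

```php
<?php
// Added example, not code from the thread. Requires PHP 7+ for random_int().
// checkPassword() and generateTempPassword() are hypothetical names.

// One routine shared by the registration, login and reset pages.
// PASSWORD_BCRYPT creates a random salt per password and stores it, with the
// cost, inside the returned string, so no separate salt column is needed.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: verify the raw submitted password against the stored hash.
// Do not run the password through stripslashes() or SQL escaping first;
// only the username and the hash ever go into a query.
function checkPassword(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Temporary password over the thread's alphabet (a-z, A-Z, 2-9), each
// character drawn independently from the operating system's CSPRNG.
function generateTempPassword(int $length = 12): string
{
    $alpha = array_merge(range('a', 'z'), range('A', 'Z'), range(2, 9));
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alpha[random_int(0, count($alpha) - 1)];
    }
    return $password;
}

// Reset flow with the database column replaced by a variable (constructed demo).
$temp   = generateTempPassword();
$stored = hashPassword($temp);   // the value the UPDATE would store

echo "hash prefix and cost: ", substr($stored, 0, 7), "\n";
echo "unmodified password verifies: ";
var_dump(checkPassword($temp, $stored));
echo "altered password verifies: ";
var_dump(checkPassword($temp . 'x', $stored));
echo "second hash of same password is identical: ";
var_dump(hashPassword($temp) === $stored);
```

Because each call salts differently, the login page has to select the stored hash by username and pass it to checkPassword(); comparing hashes inside the WHERE clause, as the md5 version does, cannot match.
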
Christian F. Posted February 26, 2013 (Solution)

I would also recommend reading the post I linked to in my first reply, as it contains a lot more information. As well as links to ready-made frameworks/classes, which makes adding a secure login to your site very easy.

Still, for learning purposes creating your own login system is very useful. Just don't ever put it into production!