
Hi,

I've used this tutorial to create a functional login page.

 

http://untame.net/2013/06/how-to-build-a-functional-login-form-with-php-twitter-bootstrap/

 

I now need to create a password Reset/recovery page.

 

I've had a go at using http://megarush.net/forgot-password-php/, but this doesn't seem to work and I think it's due to the SALT usage in the login script?

 

Hopefully someone can help :)

https://forums.phpfreaks.com/topic/284222-how-to-create-password-reset/

In step 4 of the reset script, rather than using an md5 hash:

 

You need to get the salt from the database first (similar to how the login code gets the salt)

Then hash their password with the salt. (refer to the login code to see how this is done)

You then update the user's password with the new salted password hash (replace md5($pass) with the salted password hash).

Edited by Ch0cu3r

Whoa, this is way over my head...

 

I have the following script for login code and PHP reset. 

 

Do I need to do a POST query to obtain the SALT?

 

Sorry, I'm a PHP numpty :(

<?php 
    require("config.php");   // provides the PDO handle $db used below (from the untame tutorial) 
    $submitted_username = ''; 
    if(!empty($_POST)){ 
        // Look the user up by username; the salt comes back with the row 
        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email 
            FROM users 
            WHERE 
                username = :username 
        "; 
        $query_params = array( 
            ':username' => $_POST['username'] 
        ); 
          
        try{ 
            $stmt = $db->prepare($query); 
            $result = $stmt->execute($query_params); 
        } 
        catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); } 
        $login_ok = false; 
        $row = $stmt->fetch(); 
        if($row){ 
            // Hash the submitted password with the stored salt, then stretch it with 
            // 65536 further rounds. A reset script must produce the hash the same way. 
            $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
            for($round = 0; $round < 65536; $round++){
                $check_password = hash('sha256', $check_password . $row['salt']);
            } 
            if($check_password === $row['password']){
                $login_ok = true;
            } 
        } 


        if($login_ok){ 
            // Never keep the salt or the hash in the session 
            unset($row['salt']); 
            unset($row['password']); 
            $_SESSION['user'] = $row;  
            header("Location: main.php"); 
            die("Redirecting to: main.php"); 
        } 
        else{ 
            print("Login Failed."); 
            $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 
?> 

Then the reset password code

<?php
//file reset.php
//title:Build your own Forgot Password PHP Script
session_start();
include("settings.php");
connect();   // opens the mysql_* connection used below
// The token comes straight from the URL, so escape it before it goes into a query
$token = isset($_GET['token']) ? mysql_real_escape_string($_GET['token']) : '';
if(!isset($_POST['password'])){
    // First visit: resolve the token to an e-mail address and remember it in the session
    $email = '';
    $q = "select email from tokens where token='".$token."' and used=0";
    $r = mysql_query($q);
    while($row = mysql_fetch_array($r)){
        $email = $row['email'];
    }
    if($email != ''){
        $_SESSION['email'] = $email;
    }
    else{
        die("Invalid link or Password already changed");
    }
}
$pass  = isset($_POST['password']) ? $_POST['password'] : null;
$email = isset($_SESSION['email']) ? $_SESSION['email'] : '';
if(!isset($pass)){
    echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';
}
if(isset($pass) && $email != ''){
    // NOTE: md5() here does not match the sha256+salt hashing the login script expects
    $q = "update users set password='".md5($pass)."' where email='".mysql_real_escape_string($email)."'";
    $r = mysql_query($q);
    if($r){
        mysql_query("update tokens set used=1 where token='".$token."'");
        echo "Your password is changed successfully";
    }
    else{
        echo "An error occurred";
    }
}
?>

So you have not learnt how to get data from a database yet?

 

You do know it takes more than just copy and paste skills to learn how to program right? (Didn't mean to sound like an ass)

 

The three steps I have given you should only require about 8 lines of code (4 of which you already have for salting the password).

A couple of issues that I see:

 

1. You are using sha256 to hash the password in the first script but using md5 in the second script. Even correcting the salt won't fix it.

 

2. This code seems to do the same thing >65,000 times when it only needs to be done once.

            for($round = 0; $round < 65536; $round++){
                $check_password = hash('sha256', $check_password . $row['salt']);
            } 

3. As already mentioned by Ch0cu3r, you need to read the salt. Since you have the e-mail address you can do it like you did in the first script, except modify the query to

        $query = " 
            SELECT 
                id, 
                username, 
                password, 
                salt, 
                email 
            FROM users 
            WHERE 
                email = :email
        "; 

4. Notice in item 3 I am assuming that you'll use PDO to be consistent with the first script. You don't need to, you can use mysqli, but it is a mistake to use mysql (as you do now) because it is long since deprecated. Change email = :email to email='$email' in the line above if you use mysqli.

 

5. You need to salt and hash the password the same way you do in your login script. Assuming you choose mysqli you'll need to change the line:

$q="update users set password='".md5($pass)."' where email='".$email."'";

to

$newpass=hash('sha256',$pass.$row['salt']);
$q="update users set password='".$newpass."' where email='".$email."'";
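One way to put Ch0cu3r's three steps and the five points above together, as an added example that is not code from the thread or from either tutorial: a PDO-based reset.php that resolves the token, reads the user's salt, hashes the new password with exactly the routine the login script uses (SHA-256 of password.salt, then 65536 further rounds), updates the row and marks the token used, all inside one transaction. It assumes config.php defines the PDO handle $db as in the login script, the `users` (password, salt, email) and `tokens` (token, email, used) tables the posted code queries, and PHP 7.1 or later for the type declarations; the function names are my own.

```php
<?php
// Added example, not the thread's or the tutorials' code.
// Assumes config.php provides the PDO handle $db, as the login script does.
require("config.php");

/**
 * Reproduce the login script's hashing exactly: one SHA-256 of password.salt,
 * then 65536 further rounds of SHA-256 over hash.salt. Any difference (md5,
 * no salt, a different round count) yields a hash the login can never verify.
 */
function hash_password_like_login(string $password, string $salt): string
{
    $hash = hash('sha256', $password . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $hash = hash('sha256', $hash . $salt);
    }
    return $hash;
}

// Step 1: resolve an unused token to an e-mail address with a prepared statement,
// so a crafted token cannot alter the query.
function email_for_token(PDO $db, string $token): ?string
{
    $stmt = $db->prepare("SELECT email FROM tokens WHERE token = :token AND used = 0");
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['email'] : null;
}

// Steps 2 and 3: read the user's salt, hash the new password the way the login does,
// write it back and burn the token. One transaction, so a half-applied reset
// cannot leave a changed password with a still-valid token (or the reverse).
function reset_password(PDO $db, string $token, string $newPassword): bool
{
    $db->beginTransaction();
    try {
        $email = email_for_token($db, $token);
        if ($email === null) {
            $db->rollBack();
            return false;
        }
        $stmt = $db->prepare("SELECT salt FROM users WHERE email = :email");
        $stmt->execute([':email' => $email]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$user) {
            $db->rollBack();
            return false;
        }
        $newHash = hash_password_like_login($newPassword, $user['salt']);

        $stmt = $db->prepare("UPDATE users SET password = :password WHERE email = :email");
        $stmt->execute([':password' => $newHash, ':email' => $email]);

        $stmt = $db->prepare("UPDATE tokens SET used = 1 WHERE token = :token");
        $stmt->execute([':token' => $token]);

        $db->commit();
        return true;
    } catch (PDOException $ex) {
        $db->rollBack();
        throw $ex;
    }
}

$token = isset($_GET['token']) ? $_GET['token'] : '';
if ($token === '' || email_for_token($db, $token) === null) {
    die("Invalid link or password already changed");
}

if (!isset($_POST['password']) || $_POST['password'] === '') {
    // Keep the token in the form action so the POST carries it back; no session needed.
    $safeToken = htmlentities($token, ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="?token=' . $safeToken . '">'
       . 'Enter your new password: <input type="password" name="password" />'
       . '<input type="submit" value="Change Password"></form>';
    exit;
}

if (reset_password($db, $token, $_POST['password'])) {
    echo "Your password has been changed.";
} else {
    echo "Invalid link or password already changed";
}
?>
```

The point of hash_password_like_login() is that both scripts must call the same function; moving the loop out of the login page into a shared include and calling it from both places is the simplest way to guarantee that, and the md5-versus-sha256 mismatch in point 1 above is exactly what happens when they drift apart. The token is a bearer secret: the `used` flag in the posted schema stops replay, the prepared statement keeps it out of the SQL text, and an expiry column would be a worthwhile addition that the posted schema does not have.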