deason Posted November 24, 2013

Hi, I've used this tutorial to create a functional login page. http://untame.net/2013/06/how-to-build-a-functional-login-form-with-php-twitter-bootstrap/

I now need to create a password Reset/recovery page. I've had a go at using http://megarush.net/forgot-password-php/, but this doesn't seem to work and I think it's due to the SALT usage in the login script? Hopefully someone can help.

Jayden_Blade Posted November 25, 2013

use a form
do a query on other info in same table as password
if query = their $_POST answers
UPDATE password
else
echo answers incorrect

deason Posted November 25, 2013

Hi Jayden, I am using a form... the hashed password changes on the DB table for the user but I can't authenticate.

Ch0cu3r Posted November 25, 2013 (edited)

In step 4 of the reset script, rather than use an md5 hash:

1. You need to get the salt from the database first (similar to how the login code gets the salt).
2. Then hash their password with the salt (refer to the login code to see how this is done).
3. You then update the user's password with the new salted password hash (replace md5($pass) with the salted password hash).

Edited November 25, 2013 by Ch0cu3r

deason Posted November 25, 2013

Woah, this is way over my head. I have the following script for login code and PHP reset. Do I need to do a Post query to obtain the SALT? Sorry, I'm a PHP Numpty.

```php
<?php
require("config.php");
$submitted_username = '';
if(!empty($_POST)){
    // Fetch the user row, including the per-user salt
    $query = "
        SELECT id, username, password, salt, email
        FROM users
        WHERE username = :username
    ";
    $query_params = array(
        ':username' => $_POST['username']
    );
    try{
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex){
        die("Failed to run query: " . $ex->getMessage());
    }
    $login_ok = false;
    $row = $stmt->fetch();
    if($row){
        // Salted SHA-256: one initial hash, then 65536 further rounds
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        for($round = 0; $round < 65536; $round++){
            $check_password = hash('sha256', $check_password . $row['salt']);
        }
        if($check_password === $row['password']){
            $login_ok = true;
        }
    }
    if($login_ok){
        // Do not keep the salt or hash in the session
        unset($row['salt']);
        unset($row['password']);
        $_SESSION['user'] = $row;
        header("Location: main.php");
        die("Redirecting to: main.php");
    }
    else{
        print("Login Failed.");
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
}
?>
```

Then the reset password code

```php
<?php
//file reset.php
//title:Build your own Forgot Password PHP Script
session_start();
$token=$_GET['token'];
include("settings.php");
connect();
if(!isset($_POST['password'])){
    // Look up the e-mail address tied to an unused token
    $q="select email from tokens where token='".$token."' and used=0";
    $r=mysql_query($q);
    while($row=mysql_fetch_array($r))
    {
        $email=$row['email'];
    }
    If ($email!=''){
        $_SESSION['email']=$email;
    }
    else die("Invalid link or Password already changed");
}
$pass=$_POST['password'];
$email=$_SESSION['email'];
if(!isset($pass)){
    echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';
}
if(isset($_POST['password'])&&isset($_SESSION['email']))
{
    // Stores md5 of the bare password, not the salted sha256 value the login script checks
    $q="update users set password='".md5($pass)."' where email='".$email."'";
    $r=mysql_query($q);
    if($r){
        mysql_query("update tokens set used=1 where token='".$token."'");
        echo "Your password is changed successfully";
    }
    if(!$r)echo "An error occurred";
}
?>
```

Ch0cu3r Posted November 25, 2013

So you have not learnt how to get data from a database yet? You do know it takes more than just copy and paste skills to learn how to program, right? (Didn't mean to sound like an ass)

The three steps I have given you should only require about 8 lines of code (4 of which you already have for salting the password).

davidannis Posted November 25, 2013

A couple of issues that I see:

1. You are using sha256 to hash the password in the first script but using md5 in the second script. Even correcting the salt won't fix it.

2. This code seems to do the same thing >65,000 times when it only needs to be done once.

```php
for($round = 0; $round < 65536; $round++){
    $check_password = hash('sha256', $check_password . $row['salt']);
}
```

3. As already mentioned by Ch0cu3r, you need to read the salt. Since you have the e-mail address you can do it like you did in the first script, except modify the query to

```php
$query = "
    SELECT id, username, password, salt, email
    FROM users
    WHERE email = :email
";
```

4. Notice in item 3 I am assuming that you'll use PDO to be consistent with the first script. You don't need to, you can use mysqli, but it is a mistake to use mysql (as you do now) because it is long since deprecated. Change email = :email to email='$email' in the line above if you use mysqli.

5. You need to salt and hash the password the same way you do in your login script. Assuming you choose mysqli you'll need to change the line:

```php
$q="update users set password='".md5($pass)."' where email='".$email."'";
```

to

```php
$newpass=hash('sha256',$pass.$row['salt']);
$q="update users set password='".$newpass."' where email='".$email."'";
```

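An added example (not code from the thread or from either tutorial): a reset routine that stores the new password with exactly the derivation the posted login script recomputes, salt plus the 65536-round loop, using PDO prepared statements and a single-use token. The function names `hash_password` and `reset_password` and the in-memory SQLite data are assumptions made for the demo; table and column names follow the posted scripts.

```php
<?php
// Added example, not code from the thread. Table and column names follow the posted scripts.

// Same derivation as the posted login script: one initial hash, then 65536 more rounds.
function hash_password(string $password, string $salt): string {
    $hash = hash('sha256', $password . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $hash = hash('sha256', $hash . $salt);
    }
    return $hash;
}

// Returns true only if the token was unused and the password row was updated.
function reset_password(PDO $db, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT email FROM tokens WHERE token = :token AND used = 0');
    $stmt->execute([':token' => $token]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return false; // unknown or already-used token
    }
    $stmt = $db->prepare('SELECT salt FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $salt = $stmt->fetchColumn();
    if ($salt === false) {
        return false; // token points at no user
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password = :hash WHERE email = :email')
       ->execute([':hash' => hash_password($newPassword, $salt), ':email' => $email]);
    $db->prepare('UPDATE tokens SET used = 1 WHERE token = :token')
       ->execute([':token' => $token]);
    return $db->commit();
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, password TEXT, salt TEXT)');
$db->exec('CREATE TABLE tokens (token TEXT, email TEXT, used INTEGER)');
$db->exec("INSERT INTO users VALUES ('user@example.test', 'old-hash', 'constructed-salt')");
$db->exec("INSERT INTO tokens VALUES ('constructed-token', 'user@example.test', 0)");

var_dump(reset_password($db, 'constructed-token', 'new password')); // first use of the token
var_dump(reset_password($db, 'constructed-token', 'another one'));  // same token again
// Login-style check: recompute from the stored salt and compare with the stored hash.
$row = $db->query('SELECT password, salt FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump(hash_equals($row['password'], hash_password('new password', $row['salt'])));
```

Keeping the derivation in one function that both the login and reset scripts call is what guarantees the stored value and the login check cannot drift apart.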