Jump to content

Forgot Password Script Help

jimmyp3016

By jimmyp3016
in PHP Coding Help

 Share

Recommended Posts

jimmyp3016 Member

jimmyp3016

Posted
Posted
Hey Guys,

I have a forgot password script i wrote that a user enters their email address and then it mails them their username and password. Everything works correctly except...

...It mails them the encrypted password in the database.

How do I decrypt it and mail them their actual password instead of random numbers and letters?

Any help will be greatly appriciated!
Link to comment
https://forums.phpfreaks.com/topic/34832-forgot-password-script-help/
Share on other sites
jimmyp3016 Member

jimmyp3016

Posted
  • Author
Posted
[quote author=Hypnos link=topic=123086.msg508325#msg508325 date=1169172528]
You can not (effectively) undo an MD5 encryption (assuming you're using MD5). That's why you use it.

md5() encrypts. It doesn't unecrypt.

This forces you to take the more secure route of generating a random password and emailing it to them.
[/quote]

Is there a pre maid script out there that you know of that can do this so i can just update my table name ect?
Crimpage Member

Crimpage

Posted
Posted
Probably,

It is not that hard tho.

User enters email address and presses submit.

$newpass = generate_key(); <- There are heaps of scripts out there to generate random strings just find one cause that function is not default...

$newencpass = md5($newpass);

Then update the database with the new password and if that works, email them the $newpass (which is the unencrypted password).

Simple.

Dave.
jimmyp3016 Member

jimmyp3016

Posted
  • Author
Posted
So I got the script working and it sends me the random password but it does not store it in the database as MD5. It stores it as the random password so when i try to login it doesnt work.

What could be wrong?

Here is my script...

[code]

include "config-site.php";
require_once( "functions.inc.php" );

echo doHeader();

$email = $_GET['email'];

if ($email != "") {

  // Open database...
  $db = mysql_connect("$localhost", "$databaseuser", "$databasepasswd");
  mysql_select_db("$databasename",$db);


  // Get password and email from database...
  $sql="SELECT password,email FROM user WHERE email='$email'";
  $result = mysql_query("$sql",$db);
  if (mysql_num_rows($result) != 0) {

    // Store in variables...
    $password = mysql_result($result, 0, "password");
    $email = mysql_result($result, 0, "email");
  }
 
 
$str = '';
for ($i=1; $i<=10; $i++){
$set = array(rand (65,90),rand(97,122));
$str .= chr($set[rand(0,1)]);
}
 
  $newencpass = md5($str);
 
  $sql = "SELECT * FROM user WHERE email='$email'";
  $sql = "UPDATE user SET password = '$str' WHERE email='$email'";
  $result = mysql_query($sql,$db) || die("Can't query DB: ". mysql_error());


  // Close database...

  mysql_close($db);


  if ($email != "") {

    // Send message with password...
$message="Your New Password is:\n\n";
$message.="Login : $email\n\n";
$message.="Password : $str \n\n";
$recipient="$email";
    $subject="MySite.com - Login-Pass Request";
    mail("$recipient","$subject","$message","From: [email protected] \nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit");
  }
[/code]
whitelion Newbie

whitelion

Posted
Posted
oh you have soe mistake.
If you want database store with md5 password you should edit.
[CODE]include "config-site.php";
require_once( "functions.inc.php" );

echo doHeader();

$email = $_GET['email'];

if ($email != "") {

  // Open database...
  $db = mysql_connect("$localhost", "$databaseuser", "$databasepasswd");
  mysql_select_db("$databasename",$db);


  // Get password and email from database...
  $sql="SELECT password,email FROM user WHERE email='$email'";
  $result = mysql_query("$sql",$db);
  if (mysql_num_rows($result) != 0) {

    // Store in variables...
    $password = mysql_result($result, 0, "password");
    $email = mysql_result($result, 0, "email");
  }
 
 
$str = '';
for ($i=1; $i<=10; $i++){
$set = array(rand (65,90),rand(97,122));
$str .= chr($set[rand(0,1)]);
}
 
  $newencpass = md5($str);
 
  $sql = "SELECT * FROM user WHERE email='$email'";
  $sql = "UPDATE user SET password = '$newencpass' WHERE email='$email'";
  $result = mysql_query($sql,$db) || die("Can't query DB: ". mysql_error());


  // Close database...

  mysql_close($db);


  if ($email != "") {

    // Send message with password...
$message="Your New Password is:\n\n";
$message.="Login : $email\n\n";
$message.="Password : $str \n\n";
$recipient="$email";
    $subject="MySite.com - Login-Pass Request";
    mail("$recipient","$subject","$message","From: [email protected] \nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit");
  }
[/CODE]

==>because when you store your password you just store with $str variable.This variable is not md5 password.
Crimpage Member

Crimpage

Posted
Posted
That is right whitelion.

A couple of things to note though.

1. Whitelion, in your earlier post you said you can read what the password was if you do md5(encrypted_password_goes_here); and that is not true.

and Jimmy, in functions like $result = mysql_query("$sql",$db);
dont encase your variables in " ", there is no need, and will probably cause you drama's one day.
" " says that it is a string, and if it is a string within the variable already, there is no need...
kevinkorb Member

kevinkorb

Posted
Posted
What I would recommend is not sending them the password at all.

Do like most sites and send them a link to change their password.

When the user wants a new password, it creates 2 random numbers and stores them in the users table.

i.e.

[code=php:0]
$rand1 = rand(111111111,999999999);
$rand2 = rand(111111111,999999999);
[/code]

Then send the user a link to their email that has 

http://mydomain.com/reset_password.php?rand1=736254629&rand2=837618390

Then verify that and let them set their new password.  Upon reset set them new random numbers so that the link can't be used again.

Then the password is safe and the unencrypted email means nothing anymore.

My 2 cents..
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.