Daney11 Posted December 10, 2007 Share Posted December 10, 2007 Hey guys, Ive just created a forgot_password feature on my website. <?php error_reporting(0); ini_set('register_globals', 0); session_start(); include_once('settings.php'); // This Includes The Settings Of The Website include_once('functions.php'); // This Includes The Functions Of The Website include_once('team.php'); // This Includes The Team Information Of The Website if (isset($_POST['submitted'])) { if (empty($_POST['member_email'])) { $member_id = FALSE; echo 'Please Enter A Email Address'; } else { $query = "SELECT member_id FROM members WHERE member_email='".escape_data($_POST['member_email'])."'"; $result = mysql_query($query) or trigger_error("Query: $query\n<br />MySQL Error: " .mysql_error()); if (mysql_num_rows($result) == 1) { list($member_id) = mysql_fetch_array ($result, MYSQL_NUM); } else { echo 'There Is No Email Address In The Database'; $member_id = FALSE; } } if ($member_id) { $p = substr(md5(uniqid(rand(),1)), 9, 15); $query = "UPDATE members SET member_password=SHA('$p') WHERE member_id=$member_id"; $result = mysql_query($query) or trigger_error("Query: $query\n<br />MySQL Error: " .mysql_error()); if(mysql_affected_rows() == 1) { $body = "Pass"; mail($_POST['member_email'], 'your pass', $body, 'From: admin@dane.com'); echo $p; mysql_close(); exit(); } else { echo 'This Process Cannot Be Completed, Please Contact An Admin'; } } else { echo 'Try Again'; } mysql_close(); } ?> <form action="forgot_password.php" method="post"> <table> <tr> <td>Forgot Password</td> </tr> <tr> <td><input type="text" name="member_email" size="20" maxlength="40" value="<?php if (isset($_POST['member_email'])) echo $_POST['member_email']; ?>" /></td> </tr> <tr> <td><input type="submit" name="submit" value="Reset My Password" /><input type="hidden" name="submitted" value="TRUE" /></td> </tr> </table> </form> The code changes the password fine in md5 in the database, however i can now not login with the password provided. <?php error_reporting(0); ini_set('register_globals', 0); session_start(); include_once('header.php'); // This Includes The Header Of The Website Layout include_once('settings.php'); // This Includes The Settings Of The Website include_once('functions.php'); // This Includes The Functions Of The Website include_once('team.php'); // This Includes The Team Information Of The Website ?> <form method="post" action="login.php"> <?php if (isset($_POST['member_email']) && isset($_POST['member_password'])) { $member_email = htmlentities($_POST['member_email']); $member_password = htmlentities(md5($_POST['member_password'])); $log_password = htmlentities($_POST['member_password']); $query = 'SELECT * FROM members '."where member_email='$member_email'" . "and member_password='$member_password'" . "and member_teamid='$team_url'"; $result = mysql_query($query); $loginrow = mysql_fetch_array($result); if (mysql_num_rows($result) >0 ) { $_SESSION['member_id'] = $loginrow['member_id']; $_SESSION['member_username'] = $loginrow['member_username']; $_SESSION['member_nation'] = $loginrow['member_nation']; $_SESSION['valid_user'] = $member_email; $_SESSION['valid_teamid'] = $member_teamid; } } if (isset($_SESSION['valid_user'])) { ?> <table width="508" height="1" cellpadding="0" cellspacing="0" border="0" align="center"> <tr> <td><img src="images/spacer.gif" height="1"></td> </tr> </table> <table width="508" height="19" cellpadding="0" cellspacing="0" border="0" align="center" class="resultstable"> <tr> <td> Welcome <?php echo ''.$_SESSION['member_username'].'' ?></td> </tr> </table> <?php // Start Login Success Log $log_type = 'Login'; $log_body = "Username: $member_email"; $log_body .= "\n"; $log_body .= "Password: $log_password"; mysql_query("INSERT INTO `logs` (log_id, log_ip, log_site, log_user, log_type, log_body) VALUES ('NULL', '$member_ip', '$team_url', '".$_SESSION['valid_user']."', '$log_type', '$log_body')"); // End Login Success Log mysql_query("UPDATE members SET member_loggedin=member_loggedin+1 WHERE member_email = '".$_SESSION['valid_user']."'"); } else { if (isset($member_email)) { // Start Login Fail Log $log_type = 'Failed Login'; $log_body = "Username: $member_email"; $log_body .= "\n"; $log_body .= "Password: $log_password"; mysql_query("INSERT INTO `logs` (log_id, log_ip, log_site, log_user, log_type, log_body) VALUES ('NULL', '$member_ip', '$team_url', '$member_ip', '$log_type', '$log_body')"); // End Login Fail Log echo("You Could Not Be Logged In"); } ?> <table width="100%" cellpadding="0" cellspacing="0" border="0" height="60"> <tr> <td width="50%" height="20" valign="middle"> <strong>Username:</strong></td> <td width="50%" height="20" valign="middle"><input class="loginform" type="text" name="member_email"></td> </tr> <tr> <td width="50%" height="20" valign="middle"> <strong>Password:</strong></td> <td width="50%" height="20" valign="middle"><input class="loginform" type="password" name="member_password"></td> </tr> <tr> <td width="50%" height="20" valign="middle"> <strong><a href="forgot_password.php">Forgot Password?</a></strong></td> <td width="50%" height="20" valign="middle"><input class="loginform" type="submit" value="Login"></td> </tr> </table> </form> <?php } include_once('footer.php'); // This Includes The Footer Of The Website Layout ?> Quote Link to comment Share on other sites More sharing options...
revraz Posted December 10, 2007 Share Posted December 10, 2007 You are entering the PW with SHA in your UPDATE but using MD5 to login with. You are actually making a MD5 PW, then making that SHA when you enter. So you are hashing it twice. Remove the SHA in your Update statement. Quote Link to comment Share on other sites More sharing options...
rarebit Posted December 10, 2007 Share Posted December 10, 2007 When you match your passwords, you use this (abrev): $member_password = htmlentities(md5($_POST['member_password'])); ... and member_password='$member_password'" However when you create & hash the password you do: $p = substr(md5(uniqid(rand(),1)), 9, 15); $query = "UPDATE members SET member_password=SHA('$p') You've wrapped the md5 hash with a sha hash, but when checking you don't! This must also match when they join up! FN: Same revraz has just stated! Quote Link to comment Share on other sites More sharing options...
Daney11 Posted December 10, 2007 Author Share Posted December 10, 2007 $query = "UPDATE members SET member_password=$p WHERE member_id=$member_id"; gives me "This Process Cannot Be Completed, Please Contact An Admin" Quote Link to comment Share on other sites More sharing options...
revraz Posted December 10, 2007 Share Posted December 10, 2007 Try with single quotes around '$p' and '$member_id' Quote Link to comment Share on other sites More sharing options...
Daney11 Posted December 10, 2007 Author Share Posted December 10, 2007 It now works however i canot still login. because it is not md5() the new password but ive put md5() in the creation Quote Link to comment Share on other sites More sharing options...
Daney11 Posted December 10, 2007 Author Share Posted December 10, 2007 nm, fixed <3 Quote Link to comment Share on other sites More sharing options...
revraz Posted December 10, 2007 Share Posted December 10, 2007 Repost your updated code You probably have to re-do the PW because of they way they didn't match before. Quote Link to comment Share on other sites More sharing options...
Daney11 Posted December 10, 2007 Author Share Posted December 10, 2007 i had to md5('$p') in the query Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.