PHP Mysql Question



#1 Bavilo


Posted 01 May 2006 - 05:52 AM

Hello everyone,

I have posted before asking for help with a problem of storing passwords as MD5 hashes in the database instead of plain text. This worked out great, but I have a new problem. When a user registers, the password is hashed and then submitted into the database. When the user logs in, the password he types is hashed and then checked against the checked password in the database. This works great, but I have a "forgot your password" script: when you enter your email address, it looks for the username and password on the same row of that table and then sends you the information. The user will receive the hashed password instead of the plain text password because that's how the password was stored when he registered. Is there a way to make it so the password he receives is the plain text password?

Here are my scripts

Register.php
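<?php
// Assumes the database connection has already been opened.
if (isset($_POST["username"])) {
    $username  = $_POST["username"];
    $password  = $_POST["password"];
    $cpassword = $_POST["cpassword"];
    $email     = $_POST["email"];
    // Check the raw values: md5("") is a non-empty string, so testing the
    // hashes for emptiness would never catch a blank password.
    if (empty($username) || empty($password) || empty($cpassword) || empty($email)) {
        echo "A field was left blank.";
    } else {
        if ($password != $cpassword) {
            echo "Passwords do not match";
        } else {
            // Escape user input before it goes into the SQL strings.
            $username_sql = mysql_real_escape_string($username);
            $email_sql    = mysql_real_escape_string($email);
            $password     = md5($password); // stored as an MD5 hash
            $checkuser = mysql_query("SELECT `username`, `email` FROM `users` WHERE `username` = '$username_sql' OR `email` = '$email_sql'") or die('SQL error: ' . mysql_error());
            $user_exists = mysql_num_rows($checkuser);
            if ($user_exists > 0) {
                echo "The username or email is already in use";
            } else {
                $query = "INSERT INTO users (`username`, `password`, `email`) VALUES('$username_sql', '$password', '$email_sql')";
                mysql_query($query) or die(mysql_error());
                // HTML-encode the name before echoing it back to the browser.
                echo "The user \"" . htmlspecialchars($username) . "\" has been successfully registered. You may now login.";
            }
        }
    }
}
?>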

Login.php
<?php
// Assumes the database connection is open and session_start() has already been called.
if (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) || empty($password)) {
        echo "You didn't enter a username and/or password";
    } else {
        // Escape the username before it goes into the query; the password is
        // hashed first, so only hex digits reach the SQL string.
        $username = mysql_real_escape_string($username);
        $password = md5($password);
        $query = mysql_query("SELECT `username`, `password` FROM `users` WHERE `username` = '$username' AND `password` = '$password'") or die(mysql_error());
        $row = mysql_fetch_assoc($query);
        if (!$row) {
            echo "The Login you entered is incorrect";
        } else {
            $_SESSION['s_username'] = $row['username'];
            echo "<meta http-equiv='Refresh' content='0; url=index.php'>";
        }
    }
}
?>

Forgot.php
<?php
// Assumes mysql_connect() has been called and $dbname is set earlier in the script.
if (!mysql_select_db($dbname)) die(mysql_error());
if (isset($_POST['email'])) {
    // Escape the address before it goes into the query.
    $email = mysql_real_escape_string($_POST['email']);
    $checkemail = mysql_query("SELECT username,password FROM users WHERE email='$email'");
    $row = mysql_fetch_array($checkemail);
    $numrows = mysql_num_rows($checkemail);
    if ($numrows != 0) {
        $name = $row['username'];
        $password = $row['password']; // this is the stored MD5 hash, not the plain text
        $subject = "subject here";
        $message = "Message here";
        mail($_POST['email'], $subject, $message, "From: \nX-Mailer:PHP/" . phpversion());
        echo "<center>Password sent.<br /><br /></center>";
    } else {
        echo "<center>The supplied address does not exist in our database.<br /><br /></center>";
    }
}
?>


Thanks in advance
Mike

#2 KrisNz


Posted 01 May 2006 - 06:44 AM

No, hashing is one way only. You need to randomly generate a new password, hash it, update the user's record in the db and email them with the new password. Hopefully you have a change password script so they can set it to something memorable.
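The reset flow described in the reply above (generate a random password, hash it, update the row, email the plain text), as an added example that is not part of the original thread. It assumes PDO with prepared statements in place of the thread's mysql_* calls, password_hash() in place of md5() (so Login.php would check with password_verify()), and an in-memory SQLite table with constructed rows; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO instead of mysql_*,
// password_hash() instead of md5(), and an in-memory SQLite table holding
// constructed rows so the script runs offline.

function generate_temp_password(int $length = 12): string
{
    // Unambiguous characters only (no 0/O, 1/l/I): the user has to retype this.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG, not rand()
    }
    return $out;
}

// Returns the new plain-text password to email, or null if the address is unknown.
function reset_password(PDO $db, string $email): ?string
{
    $find = $db->prepare('SELECT username FROM users WHERE email = ?');
    $find->execute([$email]);
    if ($find->fetchColumn() === false) {
        return null;
    }
    $plain = generate_temp_password();
    $upd = $db->prepare('UPDATE users SET password = ? WHERE email = ?');
    $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $email]);
    return $plain; // the plain text goes into the email only, never into the table
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['mike', password_hash('old-secret', PASSWORD_DEFAULT), 'mike@example.com']);

$new    = reset_password($db, 'mike@example.com');
$stored = $db->query("SELECT password FROM users WHERE username = 'mike'")->fetchColumn();

var_dump(password_verify($new, $stored));            // check the new password against the stored hash
var_dump(password_verify('old-secret', $stored));    // check whether the old password still verifies
var_dump(reset_password($db, 'nobody@example.com')); // unknown address: no row is updated
// In Forgot.php, $new would be placed in $message and passed to mail().
```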




