Bavilo

PHP Mysql Question

Hello everyone,

I have posted before asking for help with a problem of storing passwords as MD5 hashes in the database instead of plain text. This worked out great, but I have a new problem. When a user registers, the password is hashed and then submitted into the database. When the user logs in, the password he types is hashed and then checked against the checked password in the database. This works great, but I have a forgot-your-password script: when you enter your email address, it looks for the username and password on the same row of that table and then sends you the information. The user will receive the hashed password instead of the plain text password because that's how the password was stored when he registered. Is there a way to make it so the password he receives is the plain text password?

Here are my scripts

Register.php
[code]
<?php
// Assumes the MySQL connection was opened earlier in the script.
if (isset($_POST["username"])) {
    // Check the raw fields: md5("") is a non-empty string, so testing the
    // hashes with empty() would never catch a blank password.
    if (empty($_POST["username"]) || empty($_POST["password"]) || empty($_POST["cpassword"]) || empty($_POST["email"])) {
        echo "A field was left blank.";
    } else {
        // Escape every value that is placed inside an SQL string.
        $username = mysql_real_escape_string($_POST["username"]);
        $email = mysql_real_escape_string($_POST["email"]);
        $password = md5($_POST["password"]);
        $cpassword = md5($_POST["cpassword"]);
        if ($password != $cpassword) {
            echo "Passwords do not match";
        } else {
            $checkuser = mysql_query("SELECT `username`, `email` FROM `users` WHERE `username` = '$username' OR `email` = '$email'") or die('SQL error: ' . mysql_error());
            $user_exists = mysql_num_rows($checkuser);
            if ($user_exists > 0) {
                echo "The username or email is already in use";
            } else {
                $query = "INSERT INTO users (`username`, `password`, `email`) VALUES('$username', '$password', '$email')";
                mysql_query($query) or die(mysql_error());
                // Encode the name before echoing it back into the page.
                echo "The user \"" . htmlspecialchars($_POST["username"]) . "\" has been successfully registered. You may now login.";
            }
        }
    }
}
?>
[/code]

Login.php
[code]
<?php
// Assumes session_start() and the MySQL connection happen earlier in the script.
if (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (empty($username) || empty($password)) {
        echo "You didn't enter a username and/or password";
    } else {
        // Escape the username before it goes into the SQL string;
        // the MD5 hex digest contains no special characters.
        $username = mysql_real_escape_string($username);
        $password = md5($password);
        $query = mysql_query("SELECT `username`, `password` FROM `users` WHERE `username` = '$username' AND `password` = '$password'") or die(mysql_error());
        $row = mysql_fetch_assoc($query);
        if (!$row) {
            echo "The Login you entered is incorrect";
        } else {
            $_SESSION['s_username'] = $row['username'];
            echo "<meta http-equiv='Refresh' content='0; url=index.php'>";
        }
    }
}
?>
[/code]

Forgot.php
[code]
<?php
// Assumes the MySQL connection and $dbname are set up earlier in the script.
if (!mysql_select_db($dbname)) die(mysql_error());
if (isset($_POST['email'])) {
    // Escape the address before it goes into the SQL string.
    $email = mysql_real_escape_string($_POST['email']);
    $checkemail = mysql_query("SELECT username,password FROM users WHERE email='$email'");
    $row = mysql_fetch_array($checkemail);
    $numrows = mysql_num_rows($checkemail);
    if ($numrows != 0) {
        $name = $row['username'];
        // This is the stored MD5 hash, not the password the user typed.
        $password = $row['password'];
        $subject = "subject here";
        $message = "Message here";
        mail($_POST['email'], $subject, $message, "From: \nX-Mailer:PHP/" . phpversion());
        echo "<center>Password sent.<br /><br /></center>";
    } else {
        echo "<center>The supplied address does not exist in our database.<br /><br /></center>";
    }
}
?>
[/code]


Thanks in advance
Mike

No, hashing is one-way only. You need to randomly generate a new password, hash it, update the user's record in the db and email them with the new password. Hopefully you have a change password script so they can set it to something memorable.
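
The reset flow described in the reply above (generate a random password, hash it, update the row, email the plain text), as an added example that is not part of the original thread. It assumes PHP 7+ with PDO and uses password_hash() rather than the thread's md5(), so the login check would have to use password_verify(); the SQLite table, the sample row and the closure standing in for mail() are constructed for the demo.

```php
<?php
// Added example. Assumed: a PDO handle and the thread's `users` table. The
// password column must fit password_hash() output (VARCHAR(255) is usual).

function generate_temp_password(int $length = 12): string
{
    // No 0/O or 1/l/I, so the value can be retyped from an email.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG, unlike rand()/mt_rand().
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

function reset_password(PDO $pdo, string $email, callable $send): bool
{
    $find = $pdo->prepare('SELECT username FROM users WHERE email = ?');
    $find->execute([$email]);
    $username = $find->fetchColumn();
    if ($username === false) {
        return false; // unknown address: nothing is changed or sent
    }
    $plain = generate_temp_password();
    $hash  = password_hash($plain, PASSWORD_DEFAULT); // salted, one-way
    $pdo->prepare('UPDATE users SET password = ? WHERE email = ?')
        ->execute([$hash, $email]);
    // Only the email carries the plain text; the database keeps the hash.
    $send($email, 'Your new password',
          "Hello $username,\n\nYour new password is: $plain\n"
          . "Please change it after logging in.");
    return true;
}

// Constructed demo: in-memory SQLite row, and a closure standing in for mail().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES ('mike', 'old-hash', 'mike@example.com')");

$outbox = [];
$send = function ($to, $subject, $body) use (&$outbox) { $outbox[] = $body; };

var_dump(reset_password($pdo, 'mike@example.com', $send));   // known address
var_dump(reset_password($pdo, 'nobody@example.com', $send)); // unknown address
// Check that the emailed password verifies against the stored hash.
preg_match('/password is: (\S+)/', $outbox[0], $m);
$stored = $pdo->query("SELECT password FROM users WHERE username = 'mike'")->fetchColumn();
var_dump(password_verify($m[1], $stored));
```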
