Forgot Password: Is my code okay? Newbie


tristan5522
New php-forum User
Posts: 1
Joined: Thu Apr 24, 2014 6:12 pm

Forgot Password: Is my code okay? Newbie

Postby tristan5522 » Thu Apr 24, 2014 6:18 pm

Hey everyone, this is my first post. Currently this code resets the user's password and replaces it with some random code in the database. Not sure what I am doing wrong, any help would be greatly appreciated.

<?php
$heading = "Forgot Password";

if (isset($_GET['action']) && $_GET['action'] == "fpwd")
{
    if (count($_POST) > 0)
    {
        if (isset($_POST['user_email']))
        {
            $email_address = $_POST['user_email'];
            // escape the submitted address before it is placed inside a query string
            $email_escaped = mysql_real_escape_string($email_address);

            $sqlemail = "select user_email from ".TABLE_user." where user_email = '$email_escaped'";
            $resemail = mysql_query($sqlemail);

            // only reset when the address is actually on file
            if ($resemail && mysql_num_rows($resemail) == 1)
            {
                $password = "user".rand(1000,50000);

                // column names belong in backticks; written as 'password' and 'user_email'
                // MySQL reads them as string literals and the update is a syntax error
                $sql_update = "update ".TABLE_user." set `password` = '".md5($password)."' where `user_email` = '$email_escaped'";
                // the original ran mysql_query($sql), but $sql is never defined, so no update happened
                $res = mysql_query($sql_update);

                $to = $email_address;
                $subject = 'Reset Password';
                $message = 'Your new password: '.$password;
                $headers = 'From: '.STORE_EMAIL."\r\n";

                // send the mail only if the database update actually succeeded
                if ($res && mail($to, $subject, $message, $headers))
                {
                    fw_goto_page_header(fw_create_link(FILENAME_FORGOT_PWD,'msg=1'));
                }
            }
        }
    }
}
?>

Abdulwadood
New php-forum User
Posts: 1
Joined: Fri Apr 25, 2014 1:37 am

Re: Forgot Password: Is my code okay? Newbie

Postby Abdulwadood » Fri Apr 25, 2014 1:48 am

Hi,
As I am a newbie, I will share with you what I know. MD5 is used to encrypt a password using a hash function. But you can use the same password that you gave. To my knowledge there is no solution to decrypt (to reveal) such a password.

Thanks

seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Forgot Password: Is my code okay? Newbie

Postby seandisanti » Fri Apr 25, 2014 6:14 pm

Google an MD5 hash. Most of them will return a value instantly. MD5 is not secure and should not be used for anything of any consequence.

Back to the problem at hand though. What error are you getting, or what is it not doing? Also, you should not allow someone without the password to reset the password. Only give them the option to request a password reset. When requested, email a reset link to the email address you have on file. If you search through this forum, there are good user classes that you can use that demonstrate logins, password resets, 'remember me checkboxes' etc. I know I've personally posted several. And don't save the password as an MD5 hash. You need a one-way salted hash, which MD5 is not. What you can do is write a function to generate a salt of length X, then do a SHA1 hash of the entered value and the random salt. Tack the salt onto the end of the hash, and save it into your database like that. When someone tries to log in, grab the stored password, pull off the unencrypted salt (because you know the length and it's on the end of the hash generated with it) and run their entry and the hash through the generate code. Compare the result to the stored value and if they entered the same thing, it will match. Never store passwords in plaintext or MD5, and do not save entered details on login attempts.
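The following is an added example, not code from this thread or from seandisanti. It implements the two things his reply describes: the storage scheme (a random salt of fixed length X, SHA1 of the entered value plus the salt, salt tacked onto the end of the hash, and verification that pulls the salt back off) and the "email a reset link instead of a new password" flow (a random token whose hash is stored with an expiry, consumed once). The table names `user` and `password_reset`, the column names, and the PDO handle are assumptions; the demo at the bottom runs against an in-memory SQLite database so it needs no server, and `openssl_random_pseudo_bytes` is assumed to be available (it ships with the openssl extension).

```php
<?php
// Added example: seandisanti's salt-appended SHA1 scheme plus a reset-link flow.
// Tables `user` and `password_reset` are hypothetical; the demo uses in-memory SQLite.

const SALT_LENGTH = 16; // "length X": fixed, so the salt can be split off the stored value again

function make_salt() {
    // SALT_LENGTH hex characters built from SALT_LENGTH/2 random bytes
    return bin2hex(openssl_random_pseudo_bytes(SALT_LENGTH / 2));
}

function hash_password($plaintext, $salt = null) {
    if ($salt === null) {
        $salt = make_salt();
    }
    // sha1 of the entered value and the salt, with the unhashed salt appended
    return sha1($plaintext . $salt) . $salt;
}

function constant_time_equals($a, $b) {
    // compare every byte, so the time taken does not depend on where the strings differ
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function verify_password($plaintext, $stored) {
    // a sha1 hex digest is 40 characters; anything else is not one of our values
    if (strlen($stored) !== 40 + SALT_LENGTH) {
        return false;
    }
    $salt = substr($stored, -SALT_LENGTH); // pull the salt off the end
    return constant_time_equals($stored, hash_password($plaintext, $salt));
}

function issue_reset_token(PDO $db, $email, $ttl_seconds = 3600) {
    // Whether or not the address exists, the page should show the same
    // "if that address is registered, a link has been sent" message.
    $stmt = $db->prepare('SELECT user_id FROM user WHERE user_email = ?');
    $stmt->execute(array($email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    // Store only a hash of the token; the plaintext goes into the emailed link,
    // so a copy of this table alone is not enough to complete a reset.
    $stmt = $db->prepare('INSERT INTO password_reset (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute(array($row['user_id'], hash('sha256', $token), time() + $ttl_seconds));
    // Real code would now mail a link such as https://example.invalid/reset.php?token=$token
    return $token; // returned so the demo can follow the link without a mailer
}

function complete_reset(PDO $db, $token, $new_password) {
    $stmt = $db->prepare('SELECT user_id FROM password_reset WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute(array(hash('sha256', $token), time()));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false; // unknown, expired or already used token
    }
    $db->prepare('UPDATE user SET password = ? WHERE user_id = ?')
       ->execute(array(hash_password($new_password), $row['user_id']));
    // single use: drop every outstanding token for this account
    $db->prepare('DELETE FROM password_reset WHERE user_id = ?')->execute(array($row['user_id']));
    return true;
}

// Demo against a throwaway in-memory SQLite database with one constructed account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_email TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE password_reset (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO user (user_email, password) VALUES (?, ?)')
   ->execute(array('alice@example.invalid', hash_password('correct horse')));

$stored = $db->query("SELECT password FROM user WHERE user_email = 'alice@example.invalid'")->fetchColumn();
echo "right password verifies: ", var_export(verify_password('correct horse', $stored), true), "\n";
echo "wrong password verifies: ", var_export(verify_password('wrong horse', $stored), true), "\n";

$token = issue_reset_token($db, 'alice@example.invalid');
echo "reset with fresh token: ", var_export(complete_reset($db, $token, 'new passphrase'), true), "\n";
echo "reset with reused token: ", var_export(complete_reset($db, $token, 'again'), true), "\n";
$stored = $db->query("SELECT password FROM user WHERE user_email = 'alice@example.invalid'")->fetchColumn();
echo "new password verifies: ", var_export(verify_password('new passphrase', $stored), true), "\n";
```

Two points worth keeping in mind when adapting this. The salt is stored in the clear on purpose: its job is to make each stored hash unique so precomputed tables and "google the hash" lookups stop working, not to be secret. And while the salted SHA1 scheme above is what the reply describes and is a large improvement over bare MD5, PHP 5.5 and later ship `password_hash()` and `password_verify()`, which use bcrypt, handle the salt for you, and are deliberately slow to compute; for new code those are the better choice than any hand-rolled hash and salt.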

